Apple devices and anonymous identity EAP-TLS
Hi, I apologize in advance I know that this is not a question about freeradius server, but here I think I have a better chance to find the answer. I need to check the realm of incoming radius requests and I have setup with EAP-TLS. Android provide a way to specify the anonymous identity and include into it realm value but Apple devices seem to use CN field from cert as username and as anonymous username. So I just want to check with a community that I am correct in my observation that Apple devices use CN as an anonymous identity. Maybe someone can confirm it. Apple documentation saying next about anonymous identity. --- "Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The userʼs actual name appears only inside the encrypted tunnel. For example, it could be set to ”anonymous” or ”anon”, or ”anon@mycompany.net”. It can increase security because an attacker canʼt see the authenticating userʼs name in the clear. " --- Best regards Vladimir
On Aug 16, 2022, at 1:36 PM, work vlpl <thework.vlpl@gmail.com> wrote:
I need to check the realm of incoming radius requests and I have setup with EAP-TLS. Android provide a way to specify the anonymous identity and include into it realm value but Apple devices seem to use CN field from cert as username and as anonymous username.
The "outer" user name. For EAP-TLS, there's no "anonymous" username. At least until Apple implements TLS 1.3. Which is so far "no".
So I just want to check with a community that I am correct in my observation that Apple devices use CN as an anonymous identity. Maybe someone can confirm it.
It uses the CN as the *outer* identity.
Apple documentation saying next about anonymous identity.
--- "Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST. This allows the user to hide his or her identity. The userʼs actual name appears only inside the encrypted tunnel. For example, it could be set to ”anonymous” or ”anon”, or ”anon@mycompany.net”. It can increase security because an attacker canʼt see the authenticating userʼs name in the clear. " ---
i.e. for EAP-TLS, there is no *anonymous* identity. RFC 9190 fixes that, and allows for anonymous identity when using EAP-TLS. But so far as I know, Apple doesn't implement it yet. Alan DeKok.
participants (2)
-
Alan DeKok -
work vlpl