Question on anonymous identity
Mathieu Simon (Lists)
matsimon.lists at simweb.ch
Mon Jan 11 08:17:28 CET 2016
Hi Alan
Thanks for your answer, you convinced me that it's not yet the right
time to enforce anonymous identities. :-)
I tried to get my hands on some devices I don't own and did a quick
check in the limited time to verify from what I remembered.
On 07.01.2016 at 15:23, Alan DeKok wrote:
[...]
> If they don't, they're broken.
So far I haven't yet found a device that didn't have any means of
setting an anonymous identity. (I remembered some crippled Android
devices a couple of years ago) However on some platforms it's somewhere
between difficult and nearly impossible without jumping through several
loopholes.
Apple iOS 9 still doesn't allow users to set all EAP options, only if
configured through a .mobileconfig.
Windows Phone (8.1): It's so often-seen one, but it exists. Configuring
an anonymous identity or CA/common names in the UI on a real Windows
Phone I've had my hands on: Not available on the UI, same as with iOS.
In contrast to Apple's way I haven't found comparable documentation on
what a config file would look like, but only how it can be provisioned via
MS System Center products... (maybe I'm wrong here, so bear with me)
[...]
> If the vendor doesn't *default* to anonymous outer identities, please also tell the list.
In case of iOS (9.2) for example when it isn't explicitly configured
via a .mobileconfig to use an anonymous identity I haven't seen the
device not sending the user name in FreeRADIUS debug mode. If it is
configured by a .mobileconfig I can see the configured anonymous
identity first, then the user name in the inner-tunnel phase.
Maybe iOS behaves differently if a realm is appended to the user name,
this setup I checked against verified AD samaccountname without a realm.
i.e. eduroam mandates to append a realm from what I found.
-- Mathieu
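
Added example, not part of the original message or of FreeRADIUS: a Python check that reads an unsigned .mobileconfig and reports Wi-Fi payloads whose tunneled EAP settings leave the anonymous (outer) identity or the trusted server names unset. The sample profile, SSIDs, user names and the `audit_profile` helper are constructed for illustration; a signed profile would need its CMS wrapper removed first.

```python
import plistlib

# Constructed sample profile (not from the original post): one Wi-Fi payload
# with an outer identity and server names set, one with neither.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-good",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [25], "UserName": "alice",
             "OuterIdentity": "anonymous",
             "TLSTrustedServerNames": ["radius.example.org"]}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-leaky",
         "EAPClientConfiguration": {
             "AcceptEAPTypes": [25], "UserName": "bob"}},
    ],
})

# EAP method numbers that carry an inner identity: EAP-TTLS, PEAP, EAP-FAST.
TUNNELED = {21, 25, 43}

def audit_profile(data: bytes) -> list:
    """Return (ssid, finding) tuples for tunneled-EAP Wi-Fi payloads."""
    findings = []
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if not eap or not TUNNELED & set(eap.get("AcceptEAPTypes", [])):
            continue
        ssid = payload.get("SSID_STR", "?")
        outer = eap.get("OuterIdentity", "")
        user = eap.get("UserName", "")
        if not outer:
            findings.append((ssid, "no OuterIdentity"))
        elif user and outer.split("@")[0] == user.split("@")[0]:
            # Outer identity is set but still carries the real user part.
            findings.append((ssid, "OuterIdentity repeats user name"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no TLSTrustedServerNames"))
    return findings

if __name__ == "__main__":
    for ssid, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{ssid}: {finding}")
```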