How to Reject Anonymous Identity

Scott Armitage S.P.Armitage at lboro.ac.uk
Fri Nov 2 17:54:35 CET 2018



> On 2 Nov 2018, at 16:49, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
> 
> 
> 
> On 2.11.2018 19:15, Alan DeKok wrote:
> 
> 
> On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <selahattin_cilek at hotmail.com> wrote:
> 
> 
> 
> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
> stepped into the world of RADIUS, I have been dealing with the issue of
> "anonymous" users.
> 
> 
> 
>  What do you mean by anonymous users?
> 
> "Anonymous" users those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled default on SecureW2 and  Windows 10's Microsoft EAP-TLS implementation and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:
> 
> Nov 2 19:44:32  radiusd         65078   Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
> Nov 2 19:44:32  radiusd         65078   Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)
> 
> This user is using anonymous identity.
> 
> 
> 
> 
>  The normal operation is to only authenticate *known* users.  Everyone else is unknown, and un-authenticated.
> 
> Yes, of course, obviously. But the problem is that the user can hide his true user name in the outer request.
> 


That's kind of the point of the outer identity. Changing this will prevent clients from authenticating.

> 
> 
> 
> Currently, this stored procedure can check if a user with a given name
> exists in the database, and if not, return *0* to make FreeRADIUS
> reject access to that user.
> 
> 
> 
>  The default *is* to reject unknown users.  So if your system is allowing unknown users, then it's because of local changes you made to allow that.
> 
> Yes, but a user can choose to supply another false user name in the outer request, can't he?


The outer identity isn’t used to authenticate the user.  The inner identity is.


Regards

Scott Armitage
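To make the thread's point usable on the audit side: an added example (not from this thread, and not FreeRADIUS's own code) that pairs the outer "Login OK" line with the inner one logged "via TLS tunnel", in the log format quoted above, so accounting and incident review record the identity that was actually authenticated rather than the outer "anonymous" one. The sample lines are constructed from the ones quoted in the thread; pairing on NAS client plus calling station (cli) is an assumption, not something FreeRADIUS guarantees.

```python
import re

# Constructed sample log, in the format quoted in the thread.
LOG = """\
Nov 2 19:44:32  radiusd         65078   Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
Nov 2 19:44:32  radiusd         65078   Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)
Nov 2 19:45:10  radiusd         65078   Login OK: [bob] (from client DAIRE_703 port 0 cli 00-11-22-33-44-55)
"""

# One "Login OK" line; the optional "via TLS tunnel" suffix marks the inner
# (tunnelled) authentication, the line without it is the outer one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +radiusd +(?P<pid>\d+) +"
    r"Login OK: \[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) "
    r"port (?P<port>\d+) cli (?P<cli>\S+)(?P<tunnel> via TLS tunnel)?\)$"
)


def parse_login_ok(line):
    """Return the fields of a 'Login OK' line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def resolve_identities(log_text):
    """Group outer and inner 'Login OK' lines per (client, cli) pair.

    Assumption: the outer and inner lines of one EAP session share the NAS
    client and calling station id. Returns one record per pair with the
    outer identity and, when the tunnel line was seen, the inner one."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_login_ok(line)
        if rec is None:
            continue
        key = (rec["client"], rec["cli"])
        entry = sessions.setdefault(
            key, {"client": rec["client"], "cli": rec["cli"],
                  "outer": None, "inner": None})
        entry["inner" if rec["tunnel"] else "outer"] = rec["user"]
    return list(sessions.values())


def authenticated_identity(entry):
    """The inner identity is the one that was actually authenticated;
    fall back to the outer one only when no tunnel line exists."""
    return entry["inner"] if entry["inner"] is not None else entry["outer"]


if __name__ == "__main__":
    for e in resolve_identities(LOG):
        print(e["cli"], e["outer"], "->", authenticated_identity(e))
```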