[EXT] "Outer and inner identities are the same"

Brian Julin BJulin at clarku.edu
Tue Oct 22 06:23:28 CEST 2019

Gregory Sloop <gregs at sloop.net> wrote:
> I have a EAP-MSCAPv2 WPA-Enterprise setup working so that's good.
> I get warnings about "Outer and inner identities are the same," however.

This only affects user privacy, not the integrity or encryption of the session.
Basically it lets a passive attacker map MAC addresses to usernames, nothing more.

This can only be fixed on the client side, by specifying a different outer ID.
For MS you enable "identity privacy" and type in a fake username like "anon"
and it appends the @realm to that in the outer session.  Other OSes let you
set the whole outer identity.  Good luck getting your users to care :-).

(Unless you are popping the outer identity out of the inner tunnel in a weird way
that causes it to be sent back over the wire.  You may want to do this to let the
NAS show you the real username, but it should be done on the final RADIUS packet
which does not go over the air in PEAP, not on previous packets.  If you are
worried you might be doing this, configure a client with a different outer ID
as described above and then sniff the EAP packets and search them for the
inner username.  It should not appear in plaintext.)

More information about the Freeradius-Users mailing list