[EXT] Problem with Anonymous Identity

Brian Julin BJulin at clarku.edu
Sun Jul 11 03:18:44 CEST 2021



Alan DeKok <aland at deployingradius.com>
> On Jul 10, 2021, at 1:44 PM, Brian Julin <BJulin at clarku.edu> wrote:
>> Just one small additional caveat when getting this to work: don't use a recently upgraded android to do your tests.  Some recent android updates send the outer id as the inner username, totally breaking this feature on those client devices.

> Arg.  What a horrible thing to do.
> I'm in the process of updating the standards for TTLS, PEAP, FAST, etc.  I'll add some text to the IETF specification saying that this is a terrible idea.

I think they just plain broke it by accident.  They call the feature "anonymous identity" and then prevent using it for such.  This after torturing everyone running a NAC with MAC address randomization for supposedly that very purpose.

>  Every time I think that a vendor can't do something more ludicrous, they go and surprise me.

One other thing they did was put a new dropdown box for OCSP verification right under the box for PEAP certificate validation, so now any instructions that told users not to select "Do not validate" for PEAP certificate validation have to coax any users doing by-hand set-up through setting both boxes appropriately for their environment, because that box also has a "Do not validate" option.
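The client behaviour Brian describes (the outer anonymous identity being sent again as the inner username) can at least be caught and named on the server side, instead of surfacing to users as a generic authentication failure. The fragment below is an added example for this archive page, not Brian's or Alan's configuration and not part of the FreeRADIUS distribution. It assumes FreeRADIUS 3.x unlang syntax, that the inner EAP method terminates in the stock `inner-tunnel` virtual server, and that the outer identity is something like `anonymous@example.edu` (a placeholder realm); `&outer.request:` references the attributes of the outer (unencrypted) request from inside the tunnel.

```unlang
# sites-enabled/inner-tunnel, top of the authorize section (FreeRADIUS 3.x).
# Added example: reject inner identities that are really the anonymous
# outer identity, with a Reply-Message that says so, rather than letting
# the request fall through to a user lookup that cannot succeed.
authorize {
    # Case 1: the client copied the outer identity into the inner tunnel.
    # The existence check on &outer.request:User-Name keeps this harmless
    # if the virtual server is ever reached outside an EAP tunnel.
    if (&outer.request:User-Name && (&User-Name == &outer.request:User-Name)) {
        update reply {
            &Reply-Message := "Inner identity must be a real username, not the anonymous outer identity"
        }
        reject
    }

    # Case 2: a bare "anonymous" or "anonymous@realm" inner identity, even
    # when the outer identity was something else. Case-insensitive match.
    if (&User-Name =~ /^anonymous(@.*)?$/i) {
        update reply {
            &Reply-Message := "Anonymous identity is only valid as the outer identity"
        }
        reject
    }

    # Normal inner-tunnel processing (suffix, eap, files, ldap, ...) follows here.
}
```

The user still cannot log in from such a device, but the reject is now attributable: the Reply-Message and the outer request's `Calling-Station-Id` in the server log identify the client, which is what a helpdesk needs when the cause is a client update rather than a bad password. This is a diagnostic aid only; the fix has to happen on the client, as the thread says.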




More information about the Freeradius-Users mailing list