EAP-TLS, anonymous user ids, "WARNING: Outer and inner identities are the same"

Alan DeKok aland at deployingradius.com
Sat Jul 31 14:03:09 CEST 2021

On Jul 30, 2021, at 10:31 PM, Jason Healy <jhealy at logn.net> wrote:
> Newbie EAP-TLS question here; we've been using FreeRADIUS for a long time with PEAP-MSCHAPv2 and are trying to make the switch to pure certificate-based auth.  Here's the warning I'm getting:
> WARNING: Outer and inner identities are the same.  User privacy is compromised.

  You can ignore that for EAP-TLS.

> I couldn't find much about this on the list archives (just one post with an unspecified EAP type and non-anonymous ids).  I understand that this is a problem with tunneled EAP types (because the outer request isn't secure), but I wasn't sure about EAP-TLS; it doesn't really have an inner/outer, right?


> I have a test cert deployed (both real-world client and eapol_test) that is validating on FreeRADIUS.  We're using "@suffieldacademy.org" as the anonymized user id, which I believe is the IETF recommendation (anonymous at suffieldacademy.org being the second choice).
> In the FreeRADIUS config we are ignoring the user id and just relying on the certificate details to authorize the user.  We are updating the User-Name attribute in the "check-eap-tls" virtual server, so the cert details are used in the User-Name that is reported back to the NAS.  However, the warning is still there (before the virtual "check-eap-tls"), so that doesn't seem to be the way to quiet the message.
> So my questions are:
> 1) Is this warning an issue for EAP-TLS, or is it a harmless side effect of my using an anonymous user id in the request?

  It's a side effect of running the virtual server for certificates checks.

  Alan DeKok.

More information about the Freeradius-Users mailing list