Apple devices and anonymous identity EAP-TLS
Alan DeKok
aland at deployingradius.com
Tue Aug 16 20:01:47 UTC 2022
On Aug 16, 2022, at 1:36 PM, work vlpl <thework.vlpl at gmail.com> wrote:
> I need to check the realm of incoming radius requests and I have setup
> with EAP-TLS. Android provide a way to specify the anonymous identity
> and include into it realm value but Apple devices seem to use CN field
> from cert as username and as anonymous username.
The "outer" user name. For EAP-TLS, there's no "anonymous" username. At least until Apple implements TLS 1.3. Which is so far "no".
> So I just want to check with a community that I am correct in my
> observation that Apple devices use CN as an anonymous identity. Maybe
> someone can confirm it.
It uses the CN as the *outer* identity.
> Apple documentation saying next about anonymous identity.
>
> ---
> "Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST.
> This allows the user to hide his or her identity. The user's actual
> name appears only inside the encrypted tunnel. For example, it could
> be set to "anonymous" or "anon", or
> "anon at mycompany.net".
> It can increase security because an attacker can't see the
> authenticating user's name in the clear.
> "
> ---
i.e. for EAP-TLS, there is no *anonymous* identity.
RFC 9190 fixes that, and allows for anonymous identity when using EAP-TLS. But so far as I know, Apple doesn't implement it yet.
Alan DeKok.
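As an added illustration (not code from this thread or from FreeRADIUS), the point above expressed as two checks: a profile lint that flags an OuterIdentity set on a Wi-Fi payload that accepts only EAP-TLS, and a realm extractor that returns nothing for a bare certificate CN so a server-side realm policy cannot silently rely on it. It assumes the standard Apple EAPClientConfiguration keys AcceptEAPTypes (13 = EAP-TLS, 21 = TTLS, 25 = PEAP, 43 = EAP-FAST) and OuterIdentity; the profile and user names are constructed.

```python
import plistlib

# IANA EAP method numbers as used in Apple's AcceptEAPTypes array.
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43
TUNNELED = {EAP_TTLS, EAP_PEAP, EAP_FAST}

# Constructed sample: a Wi-Fi payload that accepts only EAP-TLS but still
# sets OuterIdentity, expecting the realm to reach the RADIUS server.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>corp-wifi</string>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>13</integer></array>
      <key>OuterIdentity</key><string>anonymous@example.org</string>
    </dict>
  </dict></array>
</dict></plist>"""


def outer_identity_findings(profile_bytes):
    """Return one warning per Wi-Fi payload whose OuterIdentity cannot take
    effect because no tunneled method (TTLS/PEAP/EAP-FAST) is accepted."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration")
        if not eap or "OuterIdentity" not in eap:
            continue
        types = set(eap.get("AcceptEAPTypes", []))
        if types & TUNNELED:
            continue  # a tunneled method can carry the anonymous outer name
        findings.append(
            f"{payload.get('SSID_STR', '?')}: OuterIdentity "
            f"{eap['OuterIdentity']!r} is ignored for EAP types {sorted(types)}; "
            "the outer User-Name will be the client certificate CN")
    return findings


def realm_from_outer_identity(user_name):
    """Realm from an outer identity such as 'anonymous@example.org', or None
    when the name carries none (e.g. a bare certificate CN sent by an Apple
    EAP-TLS client), so a realm policy must not depend on it."""
    _, sep, realm = user_name.rpartition("@")
    return realm.lower() if sep and realm else None


if __name__ == "__main__":
    for finding in outer_identity_findings(SAMPLE_PROFILE):
        print("WARNING", finding)
    for name in ("anonymous@example.org", "macbook-device-42"):
        print(name, "->", realm_from_outer_identity(name))
```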