EAP-TTLS Anonymos Outer Identity

[Connor Herring]

Hi Matthew,

Please disregard this as PEBCAK! It seems that my anonymous identity had a
realm in it that the server didn't like so I imagine my Authorise section
isn't setup to handle it. Thank you though.

Kind regards,

Connor

On Tue, Sep 10, 2024 at 12:39 PM Connor Herring <connorrjherring at gmail.com>
wrote:

> Hi Matthew,
>
> I had a hunch it may be client side so thank you for confirming. How would
> you make the server react in the correct way to that though? Or could you
> at least point me in the right direction?
>
> For example if I attempt on Windows I can set both of these things but
> whenever I actually attempt the authentication the server just states that
> the login was incorrect.
>
> Kind regards,
>
> Connor
>
> On Tue, Sep 10, 2024 at 12:32 PM Matthew Newton via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
>
>>
>>
>> On 10/09/2024 12:28, Connor Herring wrote:
>> > If I'm not mistaken this is set on the client side, however, how would I
>> > make it so that the anonymous username is sent as the outer identity and
>> > the real username is then sent as the inner identity? The server is
>> > functioning fine as it is, the TTLS tunnel gets initiated and by the
>> looks
>> > of it the username and password are tunnelled within the tunnel and
>> > authenticated by PAP/MD5.
>>
>> Supplicants generally have two boxes, one to enter "identity" and the
>> other to enter "anonymous identity". Identity goes inside the tunnel
>> (e.g. "user at realm"), anonymous identity (e.g. "@realm") goes in the
>> outer.
>>
>> It's fully set by the client device, it can't be forced from the server.
>> If there is no separate anonymous identity setting, then it can't be
>> changed and both will be the same.
>>
>> --
>> Matthew
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>