topic Re: PEAP outer identity in Network Access Control

PEAP outer identity

Ambuj M — Fri, 21 Feb 2020 18:41:52 GMT

I am new to security and testing few stuff with authentication.

I was doing some captures and noticed that although I am using PEAP but the outer identity still show my actual username. In my understand this should have been "anonymous", am I missing something here ??

I also know that this is a configurable parameter, I am using iPhone 7 iOS11.2.1, anyone know how can I configure outer identity manually for PEAP ??

see enclosed capture.

Re: PEAP outer identity

Mohammed al Baqari — Tue, 19 Dec 2017 03:48:48 GMT

It won't be anonymous. NAD will request for identity to encapsulate in
username Radius attribute and send it to ISE. Based on this ISE will
perform authentication lookup and in your case should match a rule which
allows PEAP authentication.

>From their PEAP outter authentication starts. Before this, ISE needs to
verify what authentication methods are allowed based on initial attributes
received from client and username is one of the mandatory attributes.

If you debug radius authentication on the switch, you will see that
username received from EAP is sent as radius attribute to ISE

Re: PEAP outer identity

Marvin Rhoads — Tue, 19 Dec 2017 06:11:50 GMT

Hi Ambuj,

I believe you are seeing a default behavior on iOS. I agree it is a bit counter-intuitive since the name of the protocol stands for Protected Extensible Authentication Protocol. You are giving up some protection by putting the inner method identity in clear text in the outer method wrapper.

When we setup Anyconnect NAM with PEAP, we have the option in the Anyconnect NAM profile editor of choosing the unprotected (outer) and protected (inner) identity pattern. In that case, the defaults are anonymous and [username] as shown here:

When doing the equivalent setup in iOS there is no option to do that directly. I believe if you use the Apple Configurator 2 program that you can change this setting. I don't have a Mac to try it on but here is the documentation reference:

https://help.apple.com/configurator/mac/2.6/#/apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1

@George Stefanick also has a blog posting with some screen shots here:

http://community.arubanetworks.com/t5/Technology-Blog/Apple-TV-EAP-PEAP-Configuration-Clock-Fix/ba-p/143391

As you can see in his Section 6, we can set the outer identity to any arbitrary value using that tool.

Re: PEAP outer identity

Ambuj M — Tue, 19 Dec 2017 11:11:56 GMT

Thanks Marvin, this helps.

Re: PEAP outer identity

Ambuj M — Tue, 19 Dec 2017 11:20:12 GMT

Thanks for the reply Mohammed, but I am using wireless, don’t you think if that’s the way it works then it’s a vulnerability, anyone can capture this conversation over air and know the actual username. Moreover even if ISE needs to determine allowed protocol, it should still be able to do it with an anonymous username. The only attribute it will be looking for is a username present I believe.

Re: PEAP outer identity

Mohammed al Baqari — Tue, 19 Dec 2017 13:10:08 GMT

You are right. ISE will need make sure that username attribute is present
and at this early stage ISE won't be considering the actual username. I
think Marvin Provided better explanation than myself. For mobile devices
you can tune this using MDM and push common profile to allow phones. For
windows OS, you can configure the supplicant parameters using group policy
(including name anonymous) and push it to users.

Re: PEAP outer identity

Ambuj M — Tue, 19 Dec 2017 15:59:29 GMT

Thanks for clarification