12-18-2017 04:22 PM - edited 02-21-2020 10:41 AM
I am new to security and am testing a few things with authentication.
I was doing some captures and noticed that although I am using PEAP, the outer identity still shows my actual username. In my understanding this should have been "anonymous"; am I missing something here?
I also know that this is a configurable parameter. I am using an iPhone 7 with iOS 11.2.1; does anyone know how I can configure the outer identity manually for PEAP?
See the enclosed capture.
Labels: Other NAC
Accepted Solutions
12-18-2017 10:11 PM
Hi Ambuj,
I believe you are seeing a default behavior on iOS. I agree it is a bit counter-intuitive since the name of the protocol stands for Protected Extensible Authentication Protocol. You are giving up some protection by putting the inner method identity in clear text in the outer method wrapper.
When we set up AnyConnect NAM with PEAP, we have the option in the AnyConnect NAM profile editor of choosing the unprotected (outer) and protected (inner) identity pattern. In that case, the defaults are anonymous and [username] as shown here:
When doing the equivalent setup in iOS there is no option to do that directly. I believe if you use the Apple Configurator 2 program that you can change this setting. I don't have a Mac to try it on but here is the documentation reference:
https://help.apple.com/configurator/mac/2.6/#/apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1
@George Stefanick also has a blog posting with some screen shots here:
As you can see in his Section 6, we can set the outer identity to any arbitrary value using that tool.
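The setting Marvin points at in Apple Configurator ends up as the OuterIdentity key inside the EAPClientConfiguration dictionary of a Wi-Fi payload in a .mobileconfig profile. The following Python script is an added example (not from this thread, not Apple's or Cisco's code) that builds such a profile with plistlib and includes a small audit helper that reports, per SSID, whether a profile actually sets an outer identity. The payload keys (PayloadType com.apple.wifi.managed, SSID_STR, EncryptionType, AcceptEAPTypes, UserName, OuterIdentity, TLSTrustedServerNames) are Apple's documented profile keys; the SSID, username, organisation identifier and server name are placeholders.

```python
import plistlib
import uuid

# EAP method number from the IANA registry; 25 is PEAP.
EAP_TYPE_PEAP = 25


def build_wifi_profile(ssid, username, outer_identity="anonymous",
                       trusted_server_names=(), org_id="com.example.wifi"):
    """Return a .mobileconfig (XML plist) for a WPA2-Enterprise network using PEAP.

    outer_identity=None leaves the key out, which reproduces the iOS default
    the original poster saw: the real username is sent in the clear
    EAP-Response/Identity.  All values here are placeholders.
    """
    eap_config = {
        "AcceptEAPTypes": [EAP_TYPE_PEAP],
        # Inner identity: only ever sent inside the PEAP TLS tunnel.
        "UserName": username,
    }
    if outer_identity is not None:
        # Outer identity: the value visible to anyone capturing the 802.1X exchange.
        eap_config["OuterIdentity"] = outer_identity
    if trusted_server_names:
        # Restrict which RADIUS server certificate names the supplicant will
        # build the tunnel to; without this the inner identity and credentials
        # are handed to whichever server answers.
        eap_config["TLSTrustedServerNames"] = list(trusted_server_names)

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap_config,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi (PEAP)",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def outer_identities(profile_bytes):
    """Audit helper: map each Wi-Fi payload's SSID to its OuterIdentity.

    A value of None means the profile relies on the platform default, i.e. the
    real username will appear in the unprotected EAP identity exchange.
    """
    profile = plistlib.loads(profile_bytes)
    result = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            eap = payload.get("EAPClientConfiguration", {})
            result[payload.get("SSID_STR")] = eap.get("OuterIdentity")
    return result


if __name__ == "__main__":
    good = build_wifi_profile("CorpWiFi", "alice", "anonymous",
                              ["radius.corp.example"])
    default = build_wifi_profile("CorpWiFi", "alice", outer_identity=None)
    print("hardened profile:", outer_identities(good))
    print("default profile: ", outer_identities(default))
    with open("corp-wifi-peap.mobileconfig", "wb") as fh:
        fh.write(good)
```

The generated file installs like any other profile (via Apple Configurator, an MDM, or AirDrop/e-mail to the device); the audit function is the part worth keeping, because it can be run over every profile an MDM pushes to confirm none of them fall back to the default behaviour.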
12-18-2017 07:48 PM
username RADIUS attribute and send it to ISE. Based on this, ISE will perform the authentication lookup and in your case should match a rule which allows PEAP authentication.
From there the PEAP outer authentication starts. Before this, ISE needs to verify what authentication methods are allowed based on the initial attributes received from the client, and username is one of the mandatory attributes.
If you debug RADIUS authentication on the switch, you will see that the username received from EAP is sent as a RADIUS attribute to ISE.
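To make the mechanism Mohammed describes concrete: the supplicant's EAP-Response/Identity travels in an EAPOL frame with no encryption, and the switch or controller copies that string into the RADIUS User-Name attribute of its Access-Request. The script below is an added example (not from this thread) that builds such a frame from constructed sample identities, parses the identity back out the way a capture tool would, derives the User-Name attribute the NAS would send, and classifies whether the outer identity actually hides the user. Frame layouts follow IEEE 802.1X, RFC 3748 and RFC 2865; the identities and realm are made up.

```python
import struct

# Protocol constants: IEEE 802.1X EAPOL, RFC 3748 EAP, RFC 2865 RADIUS.
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_USER_NAME = 1


def build_eapol_identity_response(identity, eap_id=1):
    """Build the EAPOL frame a supplicant sends in answer to EAP-Request/Identity.

    Constructed sample frame; nothing in it is encrypted, so it is exactly what
    an over-the-air capture shows before the PEAP TLS tunnel exists.
    """
    ident = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(ident), EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol_identity(frame):
    """Return the identity string from an EAPOL/EAP Response-Identity frame, else None."""
    if len(frame) < 4:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None                      # EAPOL-Start, EAPOL-Key, etc.
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def radius_user_name_attribute(identity):
    """The RADIUS User-Name AVP (type 1) the NAS builds from the outer identity.

    Layout is type, length (covers type+length+value, one byte), value.
    """
    value = identity.encode("utf-8")
    if len(value) > 253:
        raise ValueError("User-Name too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_ATTR_USER_NAME, 2 + len(value)) + value


def is_identity_protected(identity):
    """True when the outer identity does not reveal the user.

    Accepts the RFC 4282 anonymous NAI forms: 'anonymous', 'anonymous@realm'
    and '@realm' (empty local part, realm kept so ISE can still route/match).
    """
    local_part, _sep, _realm = identity.partition("@")
    return local_part in ("", "anonymous")


def audit_frames(frames):
    """Classify a list of captured EAPOL frames: (identity, protected) per identity frame."""
    findings = []
    for frame in frames:
        ident = parse_eapol_identity(frame)
        if ident is not None:
            findings.append((ident, is_identity_protected(ident)))
    return findings


if __name__ == "__main__":
    # Constructed sample: an iOS default-style frame and a hardened one.
    capture = [
        build_eapol_identity_response("ambuj@corp.example"),
        struct.pack("!BBH", EAPOL_VERSION, 3, 0),        # EAPOL-Key, ignored
        build_eapol_identity_response("anonymous@corp.example"),
    ]
    for ident, protected in audit_frames(capture):
        print(f"outer identity {ident!r}: "
              f"{'hidden' if protected else 'REAL USERNAME EXPOSED'}; "
              f"NAS sends User-Name attribute {radius_user_name_attribute(ident).hex()}")
```

Run over a real capture, audit_frames is the check behind Ambuj's concern: any finding with protected == False is a client whose supplicant still sends the real account name in the clear, and ISE still receives a User-Name it can match a PEAP rule on when the identity is anonymous@realm, since the realm survives and the inner identity arrives later inside the tunnel.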
12-19-2017 03:18 AM - edited 12-19-2017 03:20 AM
Thanks for the reply Mohammed, but I am using wireless. Don't you think that if that's the way it works then it's a vulnerability? Anyone can capture this conversation over the air and learn the actual username. Moreover, even if ISE needs to determine the allowed protocol, it should still be able to do that with an anonymous username. The only thing it will be looking for is that a username is present, I believe.
12-19-2017 05:10 AM
and at this early stage ISE won't be considering the actual username. I think Marvin provided a better explanation than I did. For mobile devices you can tune this using MDM and push a common profile to all phones. For Windows OS, you can configure the supplicant parameters using group policy (including the anonymous name) and push it to users.
12-19-2017 07:59 AM
12-19-2017 03:11 AM
