Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
7904
Views
15
Helpful
6
Replies

PEAP outer identity

Go to solution
ammahend
VIP Alumni
VIP Alumni

‎12-18-2017 04:22 PM - edited ‎02-21-2020 10:41 AM

I am new to security and testing few stuff with authentication.

I was doing some captures and noticed that although I am using PEAP but the outer identity still show my actual username. In my understand this should have been "anonymous", am I missing something here ??

I also know that this is a configurable parameter, I am using iPhone 7 iOS11.2.1, anyone know how can I configure outer identity manually for PEAP ??

 

see enclosed capture.

-hope this helps-
Labels:
question.png
Preview file
22 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-18-2017 10:11 PM

Hi Ambuj,

 

I believe you are seeing a default behavior on iOS. I agree it is a bit counter-intuitive since the name of the protocol stands for Protected Extensible Authentication Protocol. You are giving up some protection by putting the inner method identity in clear text in the outer method wrapper.

 

When we setup Anyconnect NAM with PEAP, we have the option in the Anyconnect NAM profile editor of choosing the unprotected (outer) and protected (inner) identity pattern. In that case, the defaults are anonymous and [username] as shown here:

 

PEAP outer identity in NAM Profile editor.PNG

 

When doing the equivalent setup in iOS there is no option to do that directly. I believe if you use the Apple Configurator 2 program that you can change this setting. I don't have a Mac to try it on but here is the documentation reference:

 

https://help.apple.com/configurator/mac/2.6/#/apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1

 

@George Stefanick also has a blog posting with some screen shots here:

 

http://community.arubanetworks.com/t5/Technology-Blog/Apple-TV-EAP-PEAP-Configuration-Clock-Fix/ba-p/143391

 

As you can see in his Section 6, we can set the outer identity to any arbitrary value using that tool.

View solution in original post

6 Replies 6

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎12-18-2017 07:48 PM

It won't be anonymous. NAD will request for identity to encapsulate in
username Radius attribute and send it to ISE. Based on this ISE will
perform authentication lookup and in your case should match a rule which
allows PEAP authentication.

>From their PEAP outter authentication starts. Before this, ISE needs to
verify what authentication methods are allowed based on initial attributes
received from client and username is one of the mandatory attributes.

If you debug radius authentication on the switch, you will see that
username received from EAP is sent as radius attribute to ISE

Go to solution
ammahend
VIP Alumni
VIP Alumni
In response to Mohammed al Baqari

‎12-19-2017 03:18 AM - edited ‎12-19-2017 03:20 AM

Thanks for the reply Mohammed, but I am using wireless, don’t you think if that’s the way it works then it’s a vulnerability, anyone can capture this conversation over air and know the actual username. Moreover even if ISE needs to determine allowed protocol, it should still be able to do it with an anonymous username. The only attribute it will be looking for is a username present I believe.

-hope this helps-
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11
In response to ammahend

‎12-19-2017 05:10 AM

You are right. ISE will need make sure that username attribute is present
and at this early stage ISE won't be considering the actual username. I
think Marvin Provided better explanation than myself. For mobile devices
you can tune this using MDM and push common profile to allow phones. For
windows OS, you can configure the supplicant parameters using group policy
(including name anonymous) and push it to users.

Go to solution
ammahend
VIP Alumni
VIP Alumni
In response to Mohammed al Baqari

‎12-19-2017 07:59 AM

Thanks for clarification
-hope this helps-
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-18-2017 10:11 PM

Hi Ambuj,

 

I believe you are seeing a default behavior on iOS. I agree it is a bit counter-intuitive since the name of the protocol stands for Protected Extensible Authentication Protocol. You are giving up some protection by putting the inner method identity in clear text in the outer method wrapper.

 

When we setup Anyconnect NAM with PEAP, we have the option in the Anyconnect NAM profile editor of choosing the unprotected (outer) and protected (inner) identity pattern. In that case, the defaults are anonymous and [username] as shown here:

 

PEAP outer identity in NAM Profile editor.PNG

 

When doing the equivalent setup in iOS there is no option to do that directly. I believe if you use the Apple Configurator 2 program that you can change this setting. I don't have a Mac to try it on but here is the documentation reference:

 

https://help.apple.com/configurator/mac/2.6/#/apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1

 

@George Stefanick also has a blog posting with some screen shots here:

 

http://community.arubanetworks.com/t5/Technology-Blog/Apple-TV-EAP-PEAP-Configuration-Clock-Fix/ba-p/143391

 

As you can see in his Section 6, we can set the outer identity to any arbitrary value using that tool.

Go to solution
ammahend
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎12-19-2017 03:11 AM

Thanks Marvin, this helps.
-hope this helps-
0 Helpful
Customers Also Viewed These Support Documents
Top