Can I make WCS ignore outer identity and use only the authenticated username?

stevebohrer
Level 1
Level 1

On our WCS reports, most authenticated users have their correct user names (which are required for 802.1x authentication) as their "Client User Name", but a few users show up in the WCS reports as "anonymous" or with other arbitrary names.

We are running WCS 7.0.172.0, with a pair of WLC 4402 controllers running 7.0.116.0. Our WPA2 Enterprise auth uses TTLS/PAP (with the SecureW2 supplicant for Windows), and FreeRadius as the authentication server.

I discovered that the client setup on both Macs and Windows allows an optional outer identity. If this field is left blank, WCS uses the actual username for the Client User Name, but if the outer identity is set, WCS uses it instead.

Any hints on how to specify that WCS uses only the authenticated RADIUS-approved identity for clients? Can I make it ignore the outer identity (which each user can set arbitrarily) and only use the real user ID? I assume it has access to this value, since it uses it when the outer is left blank in the client setup.

Thanks,

Steve

Accepted Solutions

dazza_johnson
Level 5
Level 5

I know this is 3 years but...

First of all, some context/background. When using PEAP, you effectively use two identities: an outer identity and an inner identity. The outer identity is required by the EAP standard and is sent in the initial EAP-Response frame in clear text (which a casual eavesdropper can see). The inner identity is sent once the encrypted tunnel is created at the end of PEAP Phase 1. As such, the inner identity cannot be seen by any eavesdroppers - only the client and the RADIUS server know what the inner identity is. In PEAP, the outer identity is actually pointless, and does nothing more than tick a box required by the EAP standard. This is why a lot of supplicants (Windows 7, etc.) allow you to configure a bogus outer identity such as 'anonymous' to prevent a casual eavesdropper from learning what your actual username is.

To answer your question. The WLC can 'only' see the outer identity of the authentication, because the inner identity is protected by a TLS tunnel between the client and the RADIUS server. If you want WCS and the WLC to display the 'real' user's username, you have to make sure the outer identity is set the same as the inner identity (but at the risk that eavesdroppers can learn your users' usernames).

HTH

Darren

Thanks for the clarification: the AP and WLC can't see the inner identity directly. The workaround was to have our RADIUS server return the client name to our WLCs, which is apparently possible, because my sysadmin made it work; as I recall, once he started outputting this data, WCS used it with no special config necessary. But we swapped Wi-Fi vendors when our WLC 4402s reached EOL, so I don't have to deal with WCS any more.

Steve
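To make the two options in this thread concrete, here is an added configuration example (not from either poster, and not the setup Steve's sysadmin built): a wpa_supplicant network block for the TTLS/PAP setup described above, with the privacy-preserving anonymous outer identity, and a FreeRADIUS 3 inner-tunnel post-auth fragment that copies the tunneled (inner) User-Name into the outer Access-Accept so the controller can log the real username without the supplicant exposing it in the clear. The SSID, realm and username are constructed placeholders, and whether a given controller updates its client username from User-Name in an Access-Accept is an assumption you should verify against your own WLC/WCS.

```conf
# --- Supplicant side: wpa_supplicant.conf (constructed example) ---
network={
    ssid="campus-wpa2"                  # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"                   # TTLS/PAP as used in the thread
    # Outer identity: sent in clear text in EAP-Response/Identity.
    # Keep it anonymous so an eavesdropper only learns the realm.
    anonymous_identity="anonymous@example.edu"
    # Inner identity: sent only inside the TLS tunnel to the RADIUS server.
    identity="steve@example.edu"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"  # always pin the server CA
}
# Setting anonymous_identity equal to identity is the alternative Darren
# describes: the WLC then sees the real name, but so does anyone sniffing.

# --- RADIUS side: FreeRADIUS 3, sites-enabled/inner-tunnel (assumed approach) ---
# Runs after the inner (PAP) authentication succeeds. The &User-Name here is
# the tunneled identity; &outer.reply is the Access-Accept the WLC receives.
post-auth {
    update outer.reply {
        &User-Name := "%{User-Name}"
    }
}
```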

Hi again, Steve. How did the RADIUS server return the (inner) identity to the WLCs? I'm assuming it was some RADIUS attribute, but I cannot see any RADIUS attribute which would do this?

I'd be interested in doing this for some of my own customers if you could provide a little detail on your working solution.

Thanks in advance

Darren
