Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can I make WCS ignore outer identity and use only the authenticated username?

On our WCS reports, most authenticated users have their correct  user names (which are required for 802.1x authentication) as their  "Client User Name", but a few users show up in the WCS reports as  "anonymous" or with other arbitrary names.

We are running WCS 7.0.172.0 , with a pair of WLC 4402  controllers running 7.0.116.0 . Our WPA2 Enterprise auth uses TTLS/PAP,  (with the SecureW2 supplicant for Windows), and FreeRadius as the  authentication server.

I discovered that the client setup on both Macs and  Windows allows an optional outer identity. If this field is left blank,  WCS uses the actual username for the Client User Name, but if the outer  identity is set, WCS uses it instead.

Any hints on  how to specify that WCS uses only the authenticated RADIUS approved  identity for clients? Can I make it ignore the outer identity (which  each user can set arbitrarily) and only use real user ID? I assume it  has access to this value, since it uses it when the outer is left blank  in the client setup.

Thanks,

Steve

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

I know this is 3 years but...

I know this is 3 years but.........

First of all, some context/bakground. When using PEAP, you effectively use two identities; an outer identity and an inner identity. The outer identity is required by the EAP standard and is sent in the initial EAP-Response frame in clear text (which a casual eavesdropper can see). The inner identity is sent once the encrypted tunnel is created at the end of PEAP Phase 1. As such, the inner identity cannot be seen by any eavesdroppers - only the client and the RADIUS server know what the inner identity is. In PEAP, the outer identity is actually pointless, and does nothing more than tick a box required by the EAP standard. This is why a lot of supplicants (Windows 7, etc) allow you to configure a bogus outer identity such as 'anonymous' to prevent a casual eavesdropper from learning what your actual username is.

To answer your question. The WLC can 'only' see the outer identity of the authentication, because the inner identity is protected by a TLS tunnel between the client and the RADIUS server. If you want WCS and the WLC to display the 'real' users username, you have to make sure the outer identity is set the same as the inner identity (but at a risk that eavesdroppers can learn your users username).

HTH

Darren

3 REPLIES
New Member

I know this is 3 years but...

I know this is 3 years but.........

First of all, some context/bakground. When using PEAP, you effectively use two identities; an outer identity and an inner identity. The outer identity is required by the EAP standard and is sent in the initial EAP-Response frame in clear text (which a casual eavesdropper can see). The inner identity is sent once the encrypted tunnel is created at the end of PEAP Phase 1. As such, the inner identity cannot be seen by any eavesdroppers - only the client and the RADIUS server know what the inner identity is. In PEAP, the outer identity is actually pointless, and does nothing more than tick a box required by the EAP standard. This is why a lot of supplicants (Windows 7, etc) allow you to configure a bogus outer identity such as 'anonymous' to prevent a casual eavesdropper from learning what your actual username is.

To answer your question. The WLC can 'only' see the outer identity of the authentication, because the inner identity is protected by a TLS tunnel between the client and the RADIUS server. If you want WCS and the WLC to display the 'real' users username, you have to make sure the outer identity is set the same as the inner identity (but at a risk that eavesdroppers can learn your users username).

HTH

Darren

New Member

Thanks for the clarification:

Thanks for the clarification: the AP and WLC can't see the inner identity directly. The workaround was to have our RADIUS server return the client name to our WLCs, which is apparently possible, because my sysadmin made it work; as I recall, once he started outputting this data, WCS used it with no special config necessary. But, we swapped wifi vendors when our WLC 4402s reached EOL, so I don't have to deal with WCS any more.

Steve

New Member

Hi again Steve. How did the

Hi again Steve. How did the RADIUS server return the (inner) identity to the WLCs? I'm assuming it was some RADIUS attribute but I cannot see any RADIUS attribute which would do this?

I'd be interested in doing this for some of my own customers if you could provide a little detail on your working solution.

Thanks in advance

Darren

723
Views
0
Helpful
3
Replies
CreatePlease login to create content