Sunday, June 28, 2020

802.1x/PEAP-MSCHAPv2 question: iOS 13.5 sending inner EAP username as outer identity?

I'm working in a lab on setting up EAP-MSCHAPv2 to authenticate Wi-Fi clients with FreeRADIUS 3.0. I've gotten it "mostly working," except that I'm trying to prevent the clients from exposing the inner identity during the outer EAP setup.

For most of my testing, I'm using Apple Configurator 2 to push a profile to an iPad that has a client cert+key and the CA cert for the server identity. The profile is set to WPA2 Enterprise and PEAP only. The outer identity is specified in the profile as "anonymous" but I can confirm in the FreeRADIUS logs and the AP logs that when the client attempts its first outer request, it is sending the inner identity username instead.

Has anyone run into this? I understand there was a bug in a much older version of iOS where it sent some 802.1x responses outside the EAP tunnel once it was established, but from what I've read Apple fixed that bug years ago.
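
As an added example, not part of the original post and not Apple's or FreeRADIUS's code: a small Python parser that pulls the User-Name attribute and the EAP-Response/Identity out of the first RADIUS Access-Request and flags when the cleartext outer identity carries the real username instead of the configured "anonymous". The Access-Request builder, the usernames and the realm "lab.example" are constructed sample input, not a capture; the comparison ignores any @realm suffix because a realm is legitimately needed in the outer identity for proxy routing.

```python
import struct

# RADIUS (RFC 2865) and EAP (RFC 3748) constants used below
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_radius(packet):
    """Split a raw RADIUS packet into (code, [(attr_type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:length]          # skip the 16-byte Request Authenticator
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return code, attrs


def eap_identity(attrs):
    """Reassemble EAP-Message fragments; return the identity string if the
    payload is an EAP-Response/Identity, otherwise None."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _ident, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        return None
    return eap[5:length].decode("utf-8", errors="replace")


def check_outer_identity(packet, expected_outer="anonymous"):
    """Report what identity the first Access-Request exposes in the clear.

    The local part of the EAP identity (before any @realm) is compared with
    the outer identity the supplicant profile was configured to send."""
    code, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user_name = next((v.decode("utf-8", errors="replace")
                      for t, v in attrs if t == ATTR_USER_NAME), None)
    ident = eap_identity(attrs)
    local_part = ident.split("@", 1)[0] if ident is not None else None
    return {
        "user_name": user_name,
        "eap_identity": ident,
        "leaks_inner_identity": ident is not None and local_part != expected_outer,
    }


def build_access_request(user_name, identity):
    """Construct a minimal Access-Request (hypothetical sample input, not a
    capture) carrying User-Name plus an EAP-Response/Identity."""
    ident_bytes = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident_bytes),
                      EAP_TYPE_IDENTITY) + ident_bytes
    name_bytes = user_name.encode()
    attrs = bytes([ATTR_USER_NAME, 2 + len(name_bytes)]) + name_bytes
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs   # zeroed authenticator: sample only


if __name__ == "__main__":
    # The behaviour described in the post: the real username appears in the
    # outer EAP-Response/Identity instead of the configured "anonymous".
    leaking = build_access_request("jdoe", "jdoe")
    print(check_outer_identity(leaking))
    # What a correctly configured supplicant sends on the first round trip.
    ok = build_access_request("anonymous@lab.example", "anonymous@lab.example")
    print(check_outer_identity(ok))
```

The point of the check is that, with PEAP, only the outer EAP-Response/Identity (and the User-Name the access point copies from it) travels in the clear; the real username should first appear in the inner EAP-MSCHAPv2 exchange after the TLS tunnel is up, which FreeRADIUS handles in its inner-tunnel virtual server. Feeding the first Access-Request of a captured session into `check_outer_identity` gives a definite answer to the question the post is asking of the logs.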


