Julian,

We are experiencing quite a bit with Accounting and Identity issues
while we run the experimental Federated Wireless Net Auth (FWNA)
(more at http://security.internet2.edu/fwna)

Here is what we discovered so far about identity issues with tunneled EAP
methods:

The supplicant makes the decision on what to do with the outer identity
unless the user specifies it:

#Mac OS 10.4: if no outer identity is specified, the inner identity is used
(if no realm is mentioned, it won't work in a roaming environment)
#SecureW2: if no outer identity is specified, SecureW2 uses "anonymous" as
default (can be changed)
#Xsupplicant
quoted from Chris Hessing, the Xsupplicant developer:
"As for Xsupplicant, you generally configure the outer ID, which is then
used as the inner ID if no other ID is specified.  So, if you want to
use anonymous as the outer, you have to configure it specifically to do
it."
#I don't know yet how Windows does it with its PEAP client?
#Odyssey?
#Meetinghouse?

Also, as Chris Hessing has mentioned many times, Accounting is "broken"
in many AP implementations. Caveat!

Philippe Hanset
University of Tennessee


On Thu, 1 Jun 2006, Julian Y. Koh wrote:

>
> How are people handling accounting records for your 802.1X wireless networks?
>  We're in the process of rolling out EAP-PEAP, and everything is fine in
> terms of our RADIUS accounting records from the APs as long as the users
> leave the "Outer Identity" field blank - we end up with their real usernames
> in the accounting records.  However, as soon as they fill in anything for
> "Outer Identity" (Mac OS X) or "Roaming Identity" (Intel Wireless utility),
> that text is what ends up in our accounting records.  Obviously this is
> suboptimal in terms of relying on our accounting records for true accounting
> of who was where on our network.  Is there any way around this?
>
> FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel Belted RADIUS
> talking to an Active Directory back end.
>
> Thanks in advance!
>
>
> --
> Julian Y. Koh                         <mailto:[EMAIL PROTECTED]>
> Network Engineer                                   <phone:847-467-5780>
> Telecommunications and Network Services         Northwestern University
> PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
>
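
An added example, not part of either poster's message: one way to recover the real user for accounting records that carry only the outer identity, by joining them to an authentication log on Calling-Station-Id and then carrying the result through Acct-Session-Id. It assumes the RADIUS server logs the inner identity at authentication time; the log layout, the field names `mac`, `inner` and `outer`, the 30-second window and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta

def norm_mac(mac):
    """Make '00-11-22-33-44-55' and '00:11:22:33:44:55' compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def resolve_accounting(acct_records, auth_log, window=timedelta(seconds=30)):
    """Attach the inner (real) identity to each accounting record.

    A Start record is matched to the latest authentication from the same
    client MAC no more than `window` before it; Interim-Update and Stop
    records inherit that identity via Acct-Session-Id. No match -> None.
    """
    auths = sorted(auth_log, key=lambda a: a["time"])
    by_session, out = {}, []
    for rec in sorted(acct_records, key=lambda r: r["time"]):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            mac, t = norm_mac(rec["Calling-Station-Id"]), rec["time"]
            hits = [a for a in auths if norm_mac(a["mac"]) == mac
                    and timedelta(0) <= t - a["time"] <= window]
            by_session[sid] = hits[-1]["inner"] if hits else None
        out.append({**rec, "resolved_user": by_session.get(sid)})
    return out

# Constructed sample data: an assumed server-side authentication log that
# records the inner identity, and accounting records as sent by the AP.
T0 = datetime(2006, 6, 1, 9, 0, 0)
AUTH_LOG = [
    {"time": T0, "mac": "00:11:22:33:44:55", "outer": "anonymous", "inner": "jdoe"},
    {"time": T0 + timedelta(hours=1), "mac": "00:11:22:33:44:55",
     "outer": "anonymous", "inner": "bwong"},  # same device, different user
]

def acct(seconds, status, sid, mac="00-11-22-33-44-55"):
    """Build one constructed accounting record whose User-Name is the outer identity."""
    return {"time": T0 + timedelta(seconds=seconds), "Acct-Status-Type": status,
            "Acct-Session-Id": sid, "User-Name": "anonymous",
            "Calling-Station-Id": mac}

ACCT = [acct(2, "Start", "s1"), acct(1800, "Stop", "s1"),
        acct(3603, "Start", "s2"),
        acct(7200, "Start", "s3", mac="00-11-22-33-44-77")]  # never authenticated

if __name__ == "__main__":
    for r in resolve_accounting(ACCT, AUTH_LOG):
        print(r["Acct-Session-Id"], r["Acct-Status-Type"], r["User-Name"],
              "->", r["resolved_user"])
```

Records that resolve to `None` are the ones worth reviewing by hand, since no authentication from that client was logged inside the window.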
