EAP-TTLS and EAP Identity

Hi all,
I’ve set up my network so that access is authenticated via EAP. When using EAP-TTLS, however, the EAP-Identity that is shown by ROS is the anonymous one from the outer tunnel (e.g. in the registration table of CAPsMAN). I’ve configured my RADIUS in a way that the real username from the inner tunnel is replied in the Access-Accept message, but that seems to be ignored by ROS.
My questions would be: is this the intended behavior? Am I missing a config option, or how would one get the real username shown in the registration table?

Thanks a lot!

As usual in EAP you need to configure the identity two times: as the anonymous identity and in the username field. I always set them the same as I don’t care about “leaking” the identity.
When you don’t want that you need to enter the real identity in the MSCHAPv2 username field only.

Hi,
Thanks for your answer, but that’s not exactly what I asked for (;
My clients do configure their identity two times: once for the outer and once for the inner tunnel. As I do care about leaking identities, I don’t want to set the real ID in the outer tunnel. On the inner tunnel I don’t use (MS)CHAP, so I can’t set any identities in an MSCHAPv2 user field.
Please don’t get me wrong, the setup works fine for authentication and setup of e.g. VLANs. It’s just that it would be nice to actually see which user is registered where. Also my RADIUS config already figures out the correct username and replies it in the Access-Accept message. Now I’m wondering how I get ROS to display this replied username in the registration table.
edit: typo

But that is of course not possible! Your clients do not want their identity to leak, and so you cannot see it.
The AP does not know the true identity of the user because it transports that in a TTLS tunnel to the Radius server.
There is no way for the AP to know the identity, only the Radius server can know that (because it has the other side of the TTLS tunnel).

I have the strong feeling you are not completely reading my posts (;
I have my RADIUS server configured so that it replies the real identity in the Access-Accept message, so the real identity is known to the NAS.
Thanks!

The answer is: yes that is the intended behavior, no there is no such option, because that would not be possible.

Thank you pe1chl for your input.
Does anyone else have an idea how to solve this?
Thanks!

Sending a username in an Access Accept to the NAS may be supported by some NAS but it is not mandated in the RFCs, see https://tools.ietf.org/html/rfc2865#page-63, and not supported by Mikrotik https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept
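The last reply hinges on one detail of RFC 2865: User-Name is allowed 0-1 times in an Access-Accept, so a server may echo the inner identity back, but nothing obliges the NAS to use it. The following is an added example, not code from this thread, from RouterOS or from any RADIUS implementation. It builds a constructed Access-Accept that carries User-Name plus the RFC 2868 VLAN tunnel attributes the original poster mentions, validates the packet's lengths and Response Authenticator, and pulls the User-Name out, which is exactly the work a NAS that honoured the attribute would have to do. The identity `alice@example.org`, VLAN 100, the shared secret, the request authenticator and all function names are assumptions made up for the example; the byte layouts follow RFC 2865/2868. Feeding it a real Access-Accept captured between your RADIUS server and the CAP (with the matching request authenticator and secret) is a quick way to confirm the server really does send the attribute before blaming the NAS.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865 sections 3 and 5, RFC 2868)
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
ATTR_NAMES = {
    ATTR_USER_NAME: "User-Name",
    ATTR_TUNNEL_TYPE: "Tunnel-Type",
    ATTR_TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    ATTR_TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID",
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) + Length (1 byte, header included) + Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: list) -> bytes:
    """Build an Access-Accept with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes.
    Every length field is checked, so a truncated or malformed packet raises
    instead of being silently misread."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attributes": attrs}


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """Recompute the Response Authenticator; a mismatch means a forged or mis-keyed reply."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def accepted_username(packet: bytes, request_authenticator: bytes, secret: bytes):
    """Return the User-Name from a verified Access-Accept, or None when the packet is
    not an authentic Access-Accept or simply carries no User-Name (which RFC 2865 permits)."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return None
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return None
    for attr_type, value in parsed["attributes"]:
        if attr_type == ATTR_USER_NAME:
            return value.decode("utf-8")
    return None


def describe(packet: bytes) -> list:
    """Human-readable attribute listing, handy for comparing against a capture."""
    lines = []
    for attr_type, value in parse_radius(packet)["attributes"]:
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            lines.append(f"{name}: tag={value[0]} value={int.from_bytes(value[1:], 'big')}")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            lines.append(f"{name}: {value[1:].decode('utf-8')}")  # skip the 1-byte tag
        else:
            lines.append(f"{name}: {value.decode('utf-8', 'replace')}")
    return lines


# Constructed sample values (assumptions for this example, not from a real deployment)
REQUEST_AUTHENTICATOR = bytes(range(16))  # the Access-Request's 16-byte authenticator
SHARED_SECRET = b"constructed-shared-secret"
SAMPLE_ACCEPT = build_access_accept(
    identifier=7,
    request_authenticator=REQUEST_AUTHENTICATOR,
    secret=SHARED_SECRET,
    attrs=[
        (ATTR_USER_NAME, b"alice@example.org"),            # real (inner-tunnel) identity
        (ATTR_TUNNEL_TYPE, tagged_int(13)),                # 13 = VLAN
        (ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(6)),          # 6 = IEEE-802
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100"),  # tag 0, VLAN 100
    ],
)

if __name__ == "__main__":
    for line in describe(SAMPLE_ACCEPT):
        print(line)
    print("User-Name:", accepted_username(SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The outer EAP identity the AP sees never appears in this packet at all: it travelled in the Access-Request, and the only thing tying the two together is the identifier plus the Response Authenticator check, which is why a NAS must validate that MD5 before trusting any attribute in the reply.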