(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP

Rogier Krieger rkrieger at gmail.com
Sun Apr 15 09:09:41 CDT 2007

On 4/14/07, Hugh Irvine <hugh at open.com.au> wrote:
> Could you also tell me what outer username you used in all cases as
> well as what client supplicant you used?

In all cases, the supplicant is the PalmOS 802.1x supplicant from
their ESU (Enterprise Security Update). That one is more (easily)
configurable than its WinXP counterpart, in that I can set an outer
and inner identity. If you would like screen shots of the supplicant
setup, let me know.

For the various scenarios (sc1 to sc4), I used the following outer and
inner identities.

# Outer identity        Inner identity
1 iverdahl.net          iverdahl.net
2 iverdahl.net          visitor.iverdahl.net
3 visitor.iverdahl.net  iverdahl.net
4 visitor.iverdahl.net  visitor.iverdahl.net

I expect Radiator to always handle the inner EAP authentication with a
handler based on the realm of the inner identity. For TTLS it does,
for PEAP it seems to select its handler based upon the outer identity
realm. As I mentioned in my original message, I get the following
results for my four scenarios:

# Expected              TTLS result     PEAP result
1 iverdahl.net          OK              OK
2 visitor.iverdahl.net  OK              FAIL (iverdahl.net)
3 iverdahl.net          OK              FAIL (visitor.iverdahl.net)
4 visitor.iverdahl.net  OK              OK

Note: 'Expected' corresponds with the 'Inner identity' in the table
above. It is only repeated for clarity. Results mentioning 'FAIL'
indicate Radiator handled the inner EAP authentication with the realm
mentioned in parentheses instead of the 'expected' realm.

Does the above clarify things? I am getting a suspicion that WinXP's
PEAP would not have this issue, as it does not (to my knowledge) allow
setting a different outer identity and my PalmOS supplicant does allow
such tweaking.

If there is more information that I can provide, please let me know.
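
The two result tables above, reduced to a check (an added example, not part of the original message and not Radiator code): it infers from the reported results whether handler selection followed the inner or the outer identity realm. The function names and the handling of `user@realm` identities are assumptions; the rows are constructed from the tables in the message.

```python
# Rows constructed from the message's tables: (scenario, outer identity,
# inner identity, realm whose handler processed the inner authentication).
# "OK" in the message means the inner realm's handler ran; "FAIL (x)" means
# the handler for realm x ran instead.
OBSERVED = [
    (1, "iverdahl.net", "iverdahl.net",
     {"TTLS": "iverdahl.net", "PEAP": "iverdahl.net"}),
    (2, "iverdahl.net", "visitor.iverdahl.net",
     {"TTLS": "visitor.iverdahl.net", "PEAP": "iverdahl.net"}),
    (3, "visitor.iverdahl.net", "iverdahl.net",
     {"TTLS": "iverdahl.net", "PEAP": "visitor.iverdahl.net"}),
    (4, "visitor.iverdahl.net", "visitor.iverdahl.net",
     {"TTLS": "visitor.iverdahl.net", "PEAP": "visitor.iverdahl.net"}),
]

def realm_of(identity):
    """Text after the last '@', or the whole string for a bare realm
    (assumption: the tables list identities by realm only)."""
    return identity.rsplit("@", 1)[-1].lower()

def classify(outer, inner, handled_by):
    """Say which identity's realm matches the handler that actually ran."""
    o, i, h = realm_of(outer), realm_of(inner), realm_of(handled_by)
    if o == i:
        # Same realm on both sides: this scenario cannot tell them apart.
        return "ambiguous" if h == o else "neither"
    if h == i:
        return "inner"
    return "outer" if h == o else "neither"

def diagnostic_scenarios():
    """Scenarios whose outer and inner realms differ."""
    return [n for n, o, i, _ in OBSERVED if realm_of(o) != realm_of(i)]

def selection_key(method):
    """Infer what handler selection keyed on for one EAP method."""
    verdicts = {classify(o, i, seen[method]) for _, o, i, seen in OBSERVED}
    verdicts.discard("ambiguous")
    if len(verdicts) == 1:
        return verdicts.pop()
    return "inconsistent" if verdicts else "undetermined"

if __name__ == "__main__":
    print("diagnostic scenarios:", diagnostic_scenarios())
    for method in ("TTLS", "PEAP"):
        print(method, "handler selection follows:", selection_key(method))
```

Only scenarios 2 and 3 can distinguish the two behaviours, which is why scenarios 1 and 4 pass for both methods.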



