Wireless Access

Occasional Contributor II
Posts: 14
Registered: ‎03-02-2017

How can I see the real authenticated user when an Android user sets an anonymous identity?

We use Aruba APs with virtual controllers at all of our sites, managed through Airwave. Users authenticate to a wireless SSID using RADIUS so they can use their computer username/password.

This works fine, and we can troubleshoot and identify users based on username within Airwave. We can also view the IP address assigned to a user and check logs for misuse cases when they arise.

For almost all users, this is fine, because the username the user uses for RADIUS authentication is the username that appears in Airwave. The problem is, if a user sets an Anonymous Identity on an Android tablet, it truly does make that user anonymous, and all I can see, either looking in Airwave or the Virtual Controller web interface, is the name that the user set in Anonymous Identity, not the actual username that user logged in with.

Is there any way from within Airwave, or other, to tell what RADIUS username they actually used to authenticate so we can find out who logged in on that device?

Thanks!

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: How can I see the real authenticated user when an Android user sets an anonymous identity?

Just to be clear, Anonymous identity is a standard component of tunneled EAP methods and has nothing to do with Android. Every platform can be configured with an anonymous identity.

The short answer is: it depends on your RADIUS platform.

The general industry answer is that you should never override the anonymous identity for privacy's sake.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
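
Added example, not part of any post in this thread: the RADIUS server that terminates the tunneled EAP method sees both the outer and the inner identity, so where its platform logs them, the user behind a client can be looked up by matching the client MAC (carried in RADIUS as Calling-Station-Id) against the accepted authentications. The record fields, sample values and function names below are constructed assumptions, not any product's log schema.

```python
import re
from datetime import datetime

# Constructed sample records, as a RADIUS server might export them.
# Field names are assumptions for this example, not a real product schema.
AUTH_LOG = [
    {"time": "2024-01-15T08:15:02", "calling_station_id": "02-00-00-AA-BB-01",
     "outer": "taco", "inner": "john", "result": "accept"},
    {"time": "2024-01-15T09:40:11", "calling_station_id": "020000aabb01",
     "outer": "taco", "inner": "mallory", "result": "reject"},
    {"time": "2024-01-15T13:05:47", "calling_station_id": "02:00:00:aa:bb:01",
     "outer": "anonymous", "inner": "jane", "result": "accept"},
    {"time": "2024-01-15T08:20:00", "calling_station_id": "02-00-00-AA-BB-02",
     "outer": "anonymous", "inner": "bob", "result": "accept"},
]

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def resolve_inner_identity(records, client_mac, seen_at):
    """Return (inner, outer) of the latest accepted authentication for
    client_mac at or before seen_at, or None if there is no match."""
    target = normalize_mac(client_mac)
    cutoff = datetime.fromisoformat(seen_at)
    best = None
    for rec in records:
        if rec["result"] != "accept":
            continue  # rejected attempts never put a user on the network
        if normalize_mac(rec["calling_station_id"]) != target:
            continue
        when = datetime.fromisoformat(rec["time"])
        # A shared device may be used by several people: keep the newest match.
        if when <= cutoff and (best is None or when > best[0]):
            best = (when, rec["inner"], rec["outer"])
    return None if best is None else best[1:]

if __name__ == "__main__":
    # MAC and time as they would be read off the wireless management view.
    print(resolve_inner_identity(AUTH_LOG, "02:00:00:aa:bb:01", "2024-01-15T10:00:00"))
```
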
Contributor II
Posts: 58
Registered: ‎04-10-2012

Re: How can I see the real authenticated user when an Android user sets an anonymous identity?


cappalli wrote:
Just to be clear, Anonymous identity is a standard component of tunneled EAP methods and has nothing to do with Android. Every platform can be configured with an anonymous identity.

The short answer is: it depends on your RADIUS platform.

The general industry answer is that you should never override the anonymous identity for privacy's sake.

Hi Tim,

Would the privacy that is lost only occur if the Controller/Airwave administrators happen to be different than the Radius Administrators (admins that have access to that information) - since the clients are still only sending the Outer Identity in plain text - and the Inner Identity is now being returned directly between a controller and radius server?


**This should probably be a separate post - but it relates to anonymous/outer identity**
Something I wanted to verify/get an opinion on from you, Tim - in an Aruba Controller/Clearpass environment - an Outer Identity (Ex: taco) will break a user's ability to utilize Airgroup devices (that are registered/restricted to the Inner Identity (Ex: John) in Clearpass), correct? That was one of the scenarios I had tested in preparation for our upcoming deployment - and that appeared to be the case since, from the controller's perspective, taco isn't authorized/allowed to discover John's device.
