Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How can I see the real authenticated user when an Android user sets an anonymous identity?

  • 1.  How can I see the real authenticated user when an Android user sets an anonymous identity?

    Posted Jun 22, 2017 05:22 PM

    We use Aruba APs with virtual controllers at all of our sites, managed through Airwave. Users authenticate to a wireless SSID using RADIUS so they can use their computer username/password.

    This works fine, and we can troubleshoot and identify users based on username within Airwave. We can also view the IP address assigned to a user and check logs for misuse cases when they arise.

    For almost all users, this is fine, because the username the user uses for RADIUS authentication is the username that appears in Airwave. The problem is, if a user sets an Anonymous Identity on an Android tablet, it truly does make that user anonymous, and all I can see, either looking in Airwave or the Virtual Controller web interface, is the name that the user set in Anonymous Identity, not the actual username that user logged in with.

    Is there any way from within Airwave, or other, to tell what RADIUS username they actually used to authenticate so we can find out who logged in on that device?


    Thanks!



  • 2.  RE: How can I see the real authenticated user when an Android user sets an anonymous identity?

    EMPLOYEE
    Posted Jun 22, 2017 05:26 PM
    Just to be clear, Anonymous identity is a standard component of tunneled EAP methods and has nothing to do with Android. Every platform can be configured with an anonymous identity.

    The short answer is: it depends on your RADIUS platform.

    The general industry answer is that you should never override the anonymous identity for privacy's sake.


  • 3.  RE: How can I see the real authenticated user when an Android user sets an anonymous identity?

    Posted Jun 23, 2017 02:11 PM

    @cappalli wrote:
    Just to be clear, Anonymous identity is a standard component of tunneled EAP methods and has nothing to do with Android. Every platform can be configured with an anonymous identity.

    The short answer is: it depends on your RADIUS platform.

    The general industry answer is that you should never override the anonymous identity for privacy's sake.

    Hi Tim,

    Would the privacy that is lost only occur if the Controller/Airwave administrators happen to be different than the RADIUS Administrators (admins that have access to that information) - since the clients are still only sending the Outer Identity in plain text - and the Inner Identity is now being returned directly between a controller and RADIUS server?


    **This should probably be a separate post - but it relates to anonymous/outer identity**
    Something I wanted to verify/get an opinion on from you, Tim - in an Aruba Controller/ClearPass environment - an Outer Identity (Ex: taco) will break a user's ability to utilize Airgroup devices (that are registered/restricted to the Inner Identity (Ex: John) in ClearPass), correct? That was one of the scenarios I had tested in preparation for our upcoming deployment - and that appeared to be the case since from the controller's perspective - taco isn't authorized/allowed to discover John's device.