Identity Privacy/Anonymous outer identities with PEAP in NAC

  • Question
  • Updated 5 years ago
  • Answered

Is it possible to configure "Identity Privacy" with PEAP in NAC? This is possible with Microsoft NPS and is an option in common OSes like Windows or Android. The key point is that the outer method does not include the "real" username. So if anyone captures the RADIUS traffic, the username is not sent in plaintext.

As this feature is possible with FreeRADIUS, I expect it should also be possible with NAC?

Best Regards

Michael Kirchner

Posted 5 years ago


Tyler Marcotte, Official Rep

Official Response
Michael - if you are proxying to another RADIUS server, you should be able to set it up there. I'm not sure if it's something you can do when terminating on a NAC appliance though. With that said, you have to be careful when doing that if you're planning on using rules based on username. If you have an anonymous outer-identity and are proxying to another server, then I believe we will only see that outer-identity when evaluating the rules. You can, however, send back the username in the RADIUS Accept message to have it updated correctly in NAC and be able to use the rules.
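
The behaviour described in the reply above, as an added Python sketch that is not part of the thread and is not code from the NAC product or any RADIUS server: the proxy sees only the outer identity in the Access-Request, and takes the User-Name from the Access-Accept when the home server returns one. The function names, the sample identities and the "prefer the Accept's User-Name" rule are assumptions for illustration; the packet and attribute layout follows RFC 2865.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS codes (RFC 2865)
USER_NAME = 1                          # User-Name attribute type (RFC 2865)

def build_packet(code, ident, attrs):
    """Build a sample packet; authenticator is zeroed (constructed, unsigned)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"") + body

def parse_packet(data):
    """Return (code, identifier, [(type, value), ...]) with length checks."""
    if len(data) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def user_name(attrs):
    for atype, value in attrs:
        if atype == USER_NAME:
            return value.decode("utf-8", "replace")
    return None

def session_identity(request, reply):
    """Return (outer, effective) identity for username-based rules.
    A real proxy must first verify the reply's Response Authenticator with
    the shared secret before trusting any attribute; omitted in this sketch."""
    rcode, rid, rattrs = parse_packet(request)
    pcode, pid, pattrs = parse_packet(reply)
    if rcode != ACCESS_REQUEST or pid != rid:
        raise ValueError("reply does not match request")
    outer = user_name(rattrs)
    if pcode != ACCESS_ACCEPT:
        return outer, None             # not accepted: no session identity
    return outer, user_name(pattrs) or outer

# Constructed sample exchange (identities are made up).
REQ = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"anonymous@example.org")])
ACC = build_packet(ACCESS_ACCEPT, 7, [(USER_NAME, b"alice@example.org")])
ACC_NO_NAME = build_packet(ACCESS_ACCEPT, 7, [])
```

When the Accept carries no User-Name, username-based rules in this sketch can only match the anonymous outer identity, which is the caveat raised in the reply.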