Header Only - DO NOT REMOVE - Extreme Networks

Identity Privacy/Anonymous outer identities with PEAP inNAC

  • 16 April 2014
  • 2 replies

Userlevel 3

is it possible to configure "Identity Privacy" with PEAP in NAC? This is possible with Microsoft NPS and is an option in common OS like Winows or Android. The key point is that the outer method does not include the "real" username. So if anyone captures the radius traffic the username is not sent in plaintext.

As this is feature is possible with freeRadius I expect it should also be possible with NAC?

Best Regards

2 replies

Userlevel 4
Michael - if you are proxying to another RADIUS server, you should be able to set it up there. I'm not sure if it's something you can do when terminating on a NAC appliance though. With that said, you have to be careful when doing that if you're planning on using rules based on username. If you have an anonymous outer-identity and are proxying to another server, then I believe we will only see that outer-identity when evaluating the rules. You can however, send back the username in the RADIUS Accept message to have it updated correctly in NAC and be able to use the rules.
Userlevel 3
Hi Tyler,

thanks for your reply. The possibility to proxy the request to NPS is possible but in my common scenarios the NAC acts as RADIUS endpoint, so it would be intresting if NAC can handle this without RADIUS Proxy.

Best Regards,