What is "anonymous identity" in enterprise WPA?

The anonymous identity is used in EAP so that the authenticator can choose the correct authentication server to process the credentials. For example, sending anonymous identities of foo@example to Example's RADIUS server.

See here for more information.

The anonymous identity is sent in the clear. Some client systems have a privacy option for the anonymous identity. In this case rather than foo@example being sent in the client response, only @example is sent, protecting the actual identity of the user. All an eavesdropper can see is that they want to authenticate with Example.



Nearly all EAP methods in use for 802.1X with WPA/WPA2 wireless authentication utilize an "outer" authentication method simply to establish a TLS tunnel between the client and the authentication server (i.e. a RADIUS server) and an "inner" authentication to provide actual credentials through the secure TLS tunnel.

The "anonymous identity" is used for the outer authentication process and does not need to match the credentials provided in the inner authentication, although if no anonymous identity is provided, the default is to user the inner identity (aka username) for both.

Who gets to see this identity?

This depends. Since the outer authentication is not protected by any sort of encryption, anything that can see/process the outer authentication can see it. This list contains some (but not necessarily all) of the things that can possibly see the outer identity:

  • Devices near the client that can "hear" and capture the outer authentication
  • The NAS (device that forwards traffic associated with the authentication between the client and RADIUS server) which is typically the AP or wireless controller
  • The RADIUS server providing authentication (which actually has access to both outer and inner identities)
  • Intermediate RADIUS servers if the first RADIUS server proxies the request to other RADIUS servers
  • Any device forming the network path between NAS and RADIUS server or between RADIUS servers (when authentications are proxied) - if the path extends outside the locally controlled network, this may include devices on the Internet or controlled by some third party
  • Any system that either has access to data on the above or that the above export data to

What is obfuscated by this anonymous identity?

As already noted, use of the anonymous identity prevents the default action of using the inner identity for the outer identity as well. What exactly is obfuscated will depend on the OS/EAP supplicant and needs of the authentication process in use.

Specifically, you should always be able to obfuscate [at least part of] the username.

For some EAP supplicants, you can substitute both a different username and domain/realm. For others (Windows' native EAP supplicant for one), you may only be able to substitute the username.

Any requirements of the authentication process will also determine what can be obfuscated. For example, if the RADIUS server uses the domain/realm in handling the authentication, you may be required to maintain the domain/realm even if your OS allows you to change it. Or, a RADIUS server could use regex matching on the username to determine how to handle the outer authentication (example: usernames containing xxx are handled locally, others are proxied to another RADIUS server), so your anonymous identity would possibly have to maintain at least the part of the username needed to match the regex.


From the documentation (just an example configuration):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
    ssid="example"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="foobar"
    ca_cert="/etc/cert/ca.pem"
    phase2="auth=MD5"
}

It is your identity that is hidden, because your REAL identity is sent only through an encrypted TLS tunnel.

There are three entries:

You can see that your anonymous identity, represented by the string used in the anonymous_identity parameter, is sent unencrypted, whereas your real identity (username, password) is sent only encrypted and no one sees it.
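As an added example (not from any of the answers above and not part of wpa_supplicant itself), the Python below reads a wpa_supplicant network block like the one quoted, reports which string will go over the air as the cleartext outer identity, flags the default case where the inner identity is reused, and builds the EAP-Response/Identity packet (RFC 3748) that carries it. Both configuration samples are constructed for the example.

```python
import re

# Constructed sample: the documentation-style network block quoted above.
SAMPLE_OK = '''
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="foobar"
    ca_cert="/etc/cert/ca.pem"
    phase2="auth=MD5"
}
'''
# Constructed variant without anonymous_identity (supplicant falls back to identity).
SAMPLE_LEAKY = SAMPLE_OK.replace('    anonymous_identity="anonymous@example.com"\n', '')

def parse_network_block(text):
    """Return key/value pairs of the first network={...} block, quotes stripped."""
    body = re.search(r'network=\{(.*?)\}', text, re.S).group(1)
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if '=' in line and not line.startswith('#'):
            key, value = line.split('=', 1)   # phase2="auth=MD5" keeps its inner '='
            fields[key.strip()] = value.strip().strip('"')
    return fields

def outer_identity(fields):
    """The string sent in EAP-Response/Identity: anonymous_identity if set,
    otherwise the real identity (the default the answers describe)."""
    return fields.get('anonymous_identity') or fields.get('identity', '')

def check_identity_privacy(fields):
    """List what the cleartext outer identity reveals about the inner one."""
    inner, outer, findings = fields.get('identity', ''), outer_identity(fields), []
    in_user, _, in_realm = inner.rpartition('@')
    out_user, _, out_realm = outer.rpartition('@')
    if 'anonymous_identity' not in fields:
        findings.append('no anonymous_identity: inner identity is sent in the clear')
    elif out_user and out_user == in_user:
        findings.append('outer username equals inner username')
    if out_realm != in_realm:  # realm is often needed for RADIUS routing (see above)
        findings.append('outer realm differs from inner realm: proxying may break')
    return findings

def eap_response_identity(identifier, identity):
    """EAP-Response/Identity (RFC 3748 sec. 5.1): code=2, id, length, type=1, identity.
    Everything here is unencrypted; the identity is exactly what an eavesdropper sees."""
    data = identity.encode()
    return bytes([2, identifier]) + (5 + len(data)).to_bytes(2, 'big') + b'\x01' + data
```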
