IAS - Connection Request Processing Configuration to support "Outer Identity"

  • Question

  • Hello,


    In our environment, I am testing the MS IAS as a RADIUS to authenticate the wireless clients. The laptops have the Intel ProSet utility to configure for wireless. The profile is configured with WPA2/AES and PEAP/MS-CHAP-V2.

    The issue I have is that MS IAS requires the client username in the "Roaming Identity" field. It does not like it when any other name is used instead of the username. This is needed for the first handshake before the TLS tunnel is established. Sending a username in clear text is an issue, and I am trying for a workaround. The Roaming Identity feature of Intel ProSet allows us to mask the username, and this is easily supported on Cisco ACS.

    I know for sure that IAS can be configured with proper Connection Request Processing to allow the roaming identity to have any name other than the username. But I am unable to find out exactly what that attribute is and how to configure CRP in IAS properly to allow for Outer Identity support.

    Any help in this is very much appreciated...

    Wednesday, March 19, 2008 8:13 PM

Answers

  • IAS takes only the outer identity as the user identity. In the case of w2k8, CRP-based authentication is introduced; in that case we can make the inner identity override the outer identity. In w2k3 IAS, it is not possible.

    Tuesday, April 29, 2008 8:52 PM
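
The outer identity discussed in this thread travels in the RADIUS Access-Request before the TLS tunnel exists, both as the User-Name attribute and inside the EAP-Response/Identity. The following is an added example, not part of the original thread and not Microsoft or Intel code: it parses an Access-Request and reports whether a cleartext identity names a real account. The sample packets, the account list and all function names are constructed for illustration.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79      # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_IDENTITY = 2, 1   # EAP code and method type (RFC 3748)

def build_access_request(outer_identity: bytes) -> bytes:
    """Constructed sample: Access-Request carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(outer_identity),
                      EAP_IDENTITY) + outer_identity
    attrs = bytes([USER_NAME, 2 + len(outer_identity)]) + outer_identity
    attrs += bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    # Code 1 = Access-Request, identifier 1, zeroed 16-byte authenticator
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

def cleartext_identities(packet: bytes) -> dict:
    """Return the identity strings visible outside the TLS tunnel."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found = {"user_name": None, "eap_identity": None}
    eap, pos = b"", 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            found["user_name"] = value.decode("utf-8", "replace")
        elif atype == EAP_MESSAGE:
            eap += value            # fragments are concatenated in order
        pos += alen
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY:
        eap_len = struct.unpack("!H", eap[2:4])[0]
        found["eap_identity"] = eap[5:eap_len].decode("utf-8", "replace")
    return found

def exposes_account(packet: bytes, accounts: set) -> bool:
    """True if a cleartext identity names a real account (realm/domain stripped)."""
    for ident in cleartext_identities(packet).values():
        if ident is None:
            continue
        local = ident.split("\\")[-1].split("@")[0].lower()
        if local in accounts:
            return True
    return False
```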