Hi Alan Thanks for your answer, you convinced me that it's not yet the right time to enforce anonymous identities yet. :-) I tried to get my hands on some devices I don't own and did a quick check in the limited time to verify from what I remembered. Am 07.01.2016 um 15:23 schrieb Alan DeKok: [...]
If they don't, they're broken.
So far I haven't yet found a device that didn't have any means of setting an anonymous identity. (I remembered some crippled Android devices a couple of years ago) However on some platforms it's somewhere between difficult and nearly impossible without jumping through several loopholes. Apple iOS 9 still doesn't allow users to set all EAP options, only if configured through a .mobileconfig Windows Phone (8.1): It's so often-seen one, but it exists. Configuring an anonymous identity or CA/common names in the UI on a real Windows Phone I've had my hands on: Not available on the UI, same as with iOS. In contrast to Apple's way I haven't found a compareable documentation how a config file woud look like, but only how it can be provisioned via MS System Center products... (maybe I'm wrong here, so bare with me) [...]
If the vendor doesn't *default* to anonymous outer identities, please also tell the list.
In case of iOS (9.2) for example when it isn't explicitely configured via a .mobileconfig to use an anonymous identity I haven't seen the device not sending the user name in FreeRADIUS debug mode. If it is configured by a .mobileconfig I can see the configured anonymous identity first, then the user name in the inner-tunnel phase. Maybe iOS behaves differently if a realm is appended to the user name, this setup I checkd against verified AD samaccountname without a realm. i.e. eduroam mandates to append a realm from what I found. -- Mathieu