Hi,
To prevent identity spoofing in other dependent systems and make identity privacy explicit, I think it would be a very sensible default to make FreeRADIUS mandate that the user portion of the EAP outer-identity must be "anonymous" where the EAP outer-identity and inner-identity do not resolve to the same discrete user.
if you are the authenticator - ie the end RADIUS server and can see the inner and outer then you *could* do that - if you are just a remote proxy you'd never know...and thus cant enforce. however this is a bad idea...its not about 'spoofing' - its about anonymity. and the correct value should be NULL - ie '@realm.com' - as per the NAI spec. anyway, other technologies such as moonshot have already decreed anonymity for the outerID with blank userID and only realm populated...so if you enforce outer=inner your RADIUS server can never be used with moonshot (GSS-EAP) alan