As an aside to the mechanics of this, if you do this, test your NAS under simulated user load. We found that our Cisco WLC equipment didn't like that and leaked internal resources, which eventually ran out. We were adding some additional information to the username, so we had many more differences between the outer and inner IDs, and even so it took a few days for the problem to come to a head.
Interesting! Thanks for the heads up.
This should be fixed in latest software, but we haven't re-tested that yet.
It also wouldn't hurt to sniff the resulting EAPOL and any associated packets to ensure the NAS hasn't figured out some vendor-specific way to leak that inner identity to the wire/wifi, and of course review your security expectations between the AS and NAS.
Agreed, the main concern for me would be leakage via wireless. I see the main purpose of identity privacy with PKI EAPs being to protect the identity from being trivially snooped by an outsider. With federations, I think it would be perfectly reasonable to expect and require the real identity be returned back to the host institution. (I expect others will, perhaps, disagree here though!? :P) Nick