To prevent identity spoofing in other dependent systems and make identity privacy explicit, I think it would be a very sensible default to make FreeRADIUS mandate that the user portion of the EAP outer-identity must be "anonymous" where the EAP outer-identity and inner-identity do not resolve to the same discrete user. Nick On Wed, Mar 26, 2014 at 9:45 PM, Alan DeKok <aland@deployingradius.com> wrote:
Nick Lowe wrote:
2) Identity spoofing would not be able to occur via the EAP outer identity, given the first requirement.
The outer identity is required to be anonymized in many EAP methods. So it should be "anonymous", or "anonymous@example.com", or "@example.com". Anything else is probably wrong.
FreeRADIUS could arguably look for that, and issue warning messages if it wasn't seen.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html