freerad wrote: So what you're saying is, an attacker could use an outer ID to have freeradius supply different/additional attributes in its reply?
Yes. And that non-attackers would do this too if they were following best practices, because they would be setting their outer usernames to something anonymous. In fact there used to be WIndows WLAN card drivers that put strange values in the outer username with no way to configure it.
I guess I should look into the inner-tunnel virtual server again and disable the users module on the default server.
Probably; it's possible to do it all in the same virtual server, but it involves a lot of manual configuration and the reasons to do it that way have been diminishing as FreeRADIUS development progressed. Once you build the mental model of the NAS<->FR conversation being the outer RADIUS wrapper and the client<->FR conversation being the inner tunnel, emulated into a RADIUS-like request, EAP inner methods make much more sense.