Hi,
Exactly. So I'm intentionally demonstrating the case where they are different; a potential attacker can choose whichever outer identity they like.
DONT trust the outerId. never base policy decisions on the outerID (in our case the policy is in the users file...and your server is using the 'files' module in the outer phase.
Yes I know. An attacker can choose whichever identity they like. Even the stock Android client lets you enter whichever "anonymous" identity you like; no special tools required.
this is all rather known about and old. the outerID is fake. never trust it. (see above)
It's what the default config tells it to do. I was surprised. It does not seem like desirable default behaviour: specifically, an unauthorized user being able to generate RADIUS reply attributes which belong to some other user.
this is down to a sites policy. no server I know of uses the default users file as shipped.....
But I see this behaviour with the current sample configuration which is supplied with freeradius 3.0.12.
and 2.2 and 1.1.3 and 0.9 alan