26 Mar
2014
26 Mar
'14
11:14 a.m.
On 26/03/14 14:33, Nick Lowe wrote:
To prevent identity spoofing in other dependent systems and make identity privacy explicit, I think it would be a very sensible default to make FreeRADIUS mandate that the user portion of the EAP outer-identity must be "anonymous" where the EAP outer-identity and inner-identity do not resolve to the same discrete user.
Well, the *default config* might mandate that by having a policy. But fairly obviously it shouldn't be hard-coded anywhere. FWIW I've seen lots of variations of a generic name as anonymous outer, not just the empty string or "anonymous". Trusting the outer ID is always wrong.