Sure, I do mean only at the EAP terminating RADIUS server. And, yup, agreed a null/empty user portion should be acceptable too. It's actually better in many ways as it cannot collide with any genuine username as anonymous could - but pragmatically I think both null and "anonymous" would be needed by default. Nick On Wed, Mar 26, 2014 at 11:50 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
To prevent identity spoofing in other dependent systems and make identity privacy explicit, I think it would be a very sensible default to make FreeRADIUS mandate that the user portion of the EAP outer-identity must be "anonymous" where the EAP outer-identity and inner-identity do not resolve to the same discrete user.
if you are the authenticator - ie the end RADIUS server and can see the inner and outer then you *could* do that - if you are just a remote proxy you'd never know...and thus cant enforce.
however this is a bad idea...its not about 'spoofing' - its about anonymity. and the correct value should be NULL - ie '@realm.com' - as per the NAI spec.
anyway, other technologies such as moonshot have already decreed anonymity for the outerID with blank userID and only realm populated...so if you enforce outer=inner your RADIUS server can never be used with moonshot (GSS-EAP)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html