Nick Lowe nick.lowe at gmail.com
Wed Mar 26 15:33:35 CET 2014

To prevent identity spoofing in other dependent systems and make
identity privacy explicit, I think it would be a very sensible default
to make FreeRADIUS mandate that the user portion of the EAP
outer-identity must be "anonymous" where the EAP outer-identity and
inner-identity do not resolve to the same discrete user.


On Wed, Mar 26, 2014 at 9:45 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Nick Lowe wrote:
>> 2) Identity spoofing would not be able to occur via the EAP outer
>> identity, given the first requirement.
>   The outer identity is required to be anonymized in many EAP methods.
> So it should be "anonymous", or "anonymous at example.com", or
> "@example.com".  Anything else is probably wrong.
>   FreeRADIUS could arguably look for that, and issue warning messages if
> it wasn't seen.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list