IP-Address
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 26 16:14:24 CET 2014
On 26/03/14 14:33, Nick Lowe wrote:
> To prevent identity spoofing in other dependent systems and make
> identity privacy explicit, I think it would be a very sensible default
> to make FreeRADIUS mandate that the user portion of the EAP
> outer-identity must be "anonymous" where the EAP outer-identity and
> inner-identity do not resolve to the same discrete user.
Well, the *default config* might mandate that by having a policy. But
fairly obviously it shouldn't be hard-coded anywhere.
FWIW I've seen lots of variations of a generic name as anonymous outer,
not just the empty string or "anonymous".
Trusting the outer ID is always wrong.
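
The policy discussed in this thread, sketched as an added example (not part of the original messages, and not FreeRADIUS code or configuration). It assumes identities in user@realm form and treats "resolve to the same user" as equality after lower-casing the realm; the function names and the set of accepted anonymous names are hypothetical, and the set is a parameter rather than a hard-coded value.

```python
from typing import FrozenSet, Tuple

# Assumption: the site decides which user portions count as anonymous.
DEFAULT_ANONYMOUS_USERS: FrozenSet[str] = frozenset({"", "anonymous"})


def split_nai(identity: str) -> Tuple[str, str]:
    """Split 'user@realm' at the last '@'; the realm is lower-cased."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        # No '@' at all: the whole string is the user portion.
        return identity, ""
    return user, realm.lower()


def outer_identity_ok(
    outer: str,
    inner: str,
    anonymous_users: FrozenSet[str] = DEFAULT_ANONYMOUS_USERS,
) -> bool:
    """Accept the outer identity only if it names the same user as the
    inner identity, or if its user portion is an accepted anonymous name."""
    if split_nai(outer) == split_nai(inner):
        return True
    outer_user, _ = split_nai(outer)
    return outer_user.lower() in anonymous_users


def evaluate(outer: str, inner: str,
             anonymous_users: FrozenSet[str] = DEFAULT_ANONYMOUS_USERS):
    """Return (allowed, identity_for_dependent_systems).

    The identity handed to dependent systems is always the inner one;
    the outer identity is only ever checked, never trusted.
    """
    return outer_identity_ok(outer, inner, anonymous_users), inner


if __name__ == "__main__":
    # Constructed sample identities.
    for outer in ("anonymous@example.org", "@example.org",
                  "alice@EXAMPLE.org", "bob@example.org"):
        print(outer, evaluate(outer, "alice@example.org"))
```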