Question on anonymous identity

Alan DeKok aland at
Thu Jan 7 15:23:35 CET 2016

On Jan 7, 2016, at 1:11 AM, Mathieu Simon (Lists) <matsimon.lists at> wrote:
> By building 3.0 from source I saw that the upcoming 3.0.11 will be
> actively logging that anonymous identities should be used* to protect
> identities.

  The server will print warning messages in debug mode.  It won't log anything to the log files.

> So, what is the current take: Would you / Do you (recommend) enforcing
> the use of an anonymous identity, resulting in Access-Reject?

  I do not recommend *enforcing* the use of an anonymous outer identities... until such time as you can be sure it will have minimal impact.

  As the author of RFC 7542, I believe that all *new* users should use anonymous outer identities.  There are good reasons for it, and there are few reasons for using non-anonymous outer identities.

> Do most enduser wireless devices finally support setting an anonymous
> identity these days?

  If they don't, they're broken.

  If you find one which doesn't support outer identities, send a message to the list with the vendor / product / etc.  We will publicly shame them.  In most cases, I have contacts at the vendor, and can bug them to fix it.

 If the vendor doesn't *default* to anonymous outer identities, please also tell the list.

  Alan DeKok.

More information about the Freeradius-Users mailing list