Question on anonymous identity
Alan DeKok
aland at deployingradius.com
Thu Jan 7 15:23:35 CET 2016
On Jan 7, 2016, at 1:11 AM, Mathieu Simon (Lists) <matsimon.lists at simweb.ch> wrote:
> By building 3.0 from source I saw that the upcoming 3.0.11 will be
> actively logging that anonymous identities should be used* to protect
> identities.
The server will print warning messages in debug mode. It won't log anything to the log files.
> So, what is the current take: Would you / Do you (recommend) enforcing
> the use of an anonymous identity, resulting in Access-Reject?
I do not recommend *enforcing* the use of anonymous outer identities... until such time as you can be sure it will have minimal impact.
As the author of RFC 7542, I believe that all *new* users should use anonymous outer identities. There are good reasons for it, and there are few reasons for using non-anonymous outer identities.
> Do most enduser wireless devices finally support setting an anonymous
> identity these days?
If they don't, they're broken.
If you find one which doesn't support outer identities, send a message to the list with the vendor / product / etc. We will publicly shame them. In most cases, I have contacts at the vendor, and can bug them to fix it.
If the vendor doesn't *default* to anonymous outer identities, please also tell the list.
Alan DeKok.