Accounting Packets and Anonymous Identity

Phil Mayers p.mayers at
Sun Feb 5 14:14:16 CET 2017

On 05/02/17 11:12, Brian Candler wrote:

> It can be argued that using the outer identity in accounting packets is
> reasonable behaviour. After all, the whole reason the client chose
> "anonymous" was so that a network sniffer could not see their real
> identity. If the NAS included the real identity in accounting packets,
> then a sniffer would see it.

Sort of. There are really two use-cases AFAICT:

1. "anonymous" in the EAP packet on the wired/wireless LAN to hide your 
identity from passive sniffers outside the network e.g. someone sitting 
in the same coffee shop with a wifi sniffer.

2. "anonymous" in the RADIUS packets and accounting to hide your 
identity from the NAS (the latter particularly in a federated network 
like eduroam where SP and IdP are different entities)

I don't think "anonymous" was ever really intended to protect against 
sniffing of the accounting packets between NAS & radius server - if you 
have attacks at that level, you have bigger problems and should be using 

More information about the Freeradius-Users mailing list