Apple devices and anonymous identity EAP-TLS

work vlpl thework.vlpl at gmail.com
Tue Aug 16 17:36:18 UTC 2022


Hi, I apologize in advance; I know that this is not a question about
the FreeRADIUS server, but I think I have a better chance of finding the
answer here.

I need to check the realm of incoming RADIUS requests, and I have a setup
with EAP-TLS. Android provides a way to specify the anonymous identity
and include a realm value in it, but Apple devices seem to use the CN field
from the cert as the username and as the anonymous username.

So I just want to check with the community that I am correct in my
observation that Apple devices use the CN as an anonymous identity. Maybe
someone can confirm it.

Apple's documentation says the following about anonymous identity:

---
"Optional. This key is only relevant to TTLS, PEAP, and EAP-FAST.
This allows the user to hide his or her identity. The user's actual
name appears only inside the encrypted tunnel. For example, it could
be set to "anonymous" or "anon", or "anon@mycompany.net".
It can increase security because an attacker can't see the
authenticating user's name in the clear."
---


Best regards
Vladimir

