On Thu, 2013-04-18 at 16:54 +0100, Nick Lowe wrote:
> Agreed, the main concern for me would be leakage via wireless.
>
> I see the main purpose of identity privacy with PKI EAPs being to
> protect the identity from being trivially snooped by an outsider.
>
> With federations, I think it would be perfectly reasonable to expect
> and require the real identity be returned back to the host
> institution. (I expect others will, perhaps, disagree here though!?
> :P)

I disagree, I return an anonymous override for our realm in Access-Accept to all our outward facing RADIUS servers, because that is transferred in plaintext. I also see no need to know all usernames from everybody who's roaming to us.

Regards,
Wilco Baan Hofman
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html