...
Mandating or forbidding use of anonymous outer identity
eduroam at large supports anonymous outer identities for user logins. It is at the discretion of eduroam IdPs whether they want to
- mandate that their users use an anonymous outer identity
- forbid their users from using an anonymous outer identity
- be agnostic in that respect
Configuring any one of the three choices is done with only a few lines of configuration. The easiest choice is being agnostic: no configuration is necessary, since there is no link between the inner and outer User-Name attribute in FreeRADIUS.
If you want to mandate the use of anonymous outer identities, the recommended way is using the identity "@realm" (i.e. the part left of the @ sign should be empty). You can enforce that only this outer User-Name is allowed to proceed to EAP authentication by adding the following to the authenticate section:
```
# Set Auth-Type to Reject for any outer User-Name other than the anonymous "@realm"
if ( User-Name != "@realm" ) {
    update control {
        Auth-Type := Reject
    }
}
```
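Before enforcing one of the three choices, it helps to see which existing logins it would reject. The following is an added example, not part of the original page or of FreeRADIUS: it dry-runs each policy over constructed (outer, inner) User-Name pairs. The realm example.org, the sample logins, the reading of "forbid" as "outer must equal inner", and the exact, case-sensitive match for "mandate" are assumptions of this sketch.

```python
from collections import Counter

REALM = "example.org"  # placeholder realm (assumption, not from the page)

# Constructed (outer User-Name, inner User-Name) pairs standing in for logged logins.
SAMPLE_LOGINS = [
    ("@example.org", "alice@example.org"),
    ("anonymous@example.org", "bob@example.org"),
    ("carol@example.org", "carol@example.org"),
    ("@Example.org", "dave@example.org"),
]

def evaluate(policy, outer, inner, realm=REALM):
    """Return (allowed, reason) for one login under the given policy."""
    anonymous = "@" + realm
    if policy == "agnostic":
        # No link between inner and outer User-Name is enforced.
        return True, "not checked"
    if policy == "mandate":
        # Modelled as an exact match on "@realm", like the check shown above.
        if outer == anonymous:
            return True, "anonymous outer identity"
        if outer.lower() == anonymous.lower():
            return False, "case differs from @realm"
        return False, "outer identity is not @realm"
    if policy == "forbid":
        # Assumption: forbidding anonymity means outer must equal inner.
        if outer == inner:
            return True, "outer matches inner"
        return False, "outer differs from inner"
    raise ValueError("unknown policy: %r" % policy)

def dry_run(policy, logins=SAMPLE_LOGINS, realm=REALM):
    """Return (rejected outer identities, Counter of reasons) for a policy."""
    rejected, reasons = [], Counter()
    for outer, inner in logins:
        allowed, reason = evaluate(policy, outer, inner, realm)
        reasons[reason] += 1
        if not allowed:
            rejected.append(outer)
    return rejected, reasons

if __name__ == "__main__":
    for policy in ("agnostic", "mandate", "forbid"):
        rejected, reasons = dry_run(policy)
        print(policy, "would reject", len(rejected), "of",
              len(SAMPLE_LOGINS), dict(reasons))
```

The "case differs from @realm" bucket is the one to watch when mandating: those users already use an anonymous identity but would still be rejected by an exact string comparison.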
More information
Eduroam-in-a-box web configuration tool: http://eduroam.sourceforge.net