
Re: Issue: Treatment of null Identity Response
> > What we are seeing in implementations in the field is a mix of a) and c), with the behavior in case c) ranging all over the map. In particular, some implementations are treating a null EAP-Response/Identity as a privacy NAI (no userid or realm).
>
> Oh boy. Hmm... let's think about this some further. RFC 4282 has
> another approach to privacy NAI, and one which works better with
> roaming and other AAA routing arrangements. So I think we should
> discourage the use of empty EAP-Response/Identity for
> privacy purposes.

RFC 4282 allows use of a userid without a realm ("fred").  It also allows 
use of a realm without a userid ("@example.com").   So as far as I can tell, 
an NAI without either a userid or realm is allowed as well.  One 
interpretation is that it represents the anonymous NAI of the local realm, 
and so is equivalent to "@localrealm".  Since RFC 4282 discourages use of 
pseudonyms such as "anonymous" it is not clear what the preferred 
representation is for "the anonymous user of the local realm".  Under this 
line of thought, the null userid might not only be legal, it might actually 
be the *preferred* representation!
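
The four identity shapes discussed above, classified as an added example that is not code from the thread or from any RADIUS implementation; the local realm name "localrealm", the "kind" labels and the routing rule are illustrative assumptions, and the null identity is handled under the reading that it is equivalent to "@<local realm>":

```python
# Added example, not from the thread. Classifies an EAP-Response/Identity
# string as an RFC 4282 NAI in the four shapes the discussion mentions.
# "localrealm" and the kind labels are illustrative placeholders.

LOCAL_REALM = "localrealm"  # placeholder name for the NAS's home realm


def parse_nai(identity: str, local_realm: str = LOCAL_REALM) -> dict:
    """Split an NAI into userid/realm and say where it would be routed.

    Shapes from the thread:
      "fred"              userid only; realm implied to be local
      "@example.com"      realm only; the anonymous user of example.com
      ""                  null identity; read here as "@<local realm>"
      "fred@example.com"  fully qualified
    """
    if "@" in identity:
        userid, _, realm = identity.partition("@")
    else:
        userid, realm = identity, ""

    # RFC 4282 grammar: when '@' is present the realm must be non-empty,
    # and the realm may not itself contain a further '@'.
    if "@" in identity and (realm == "" or "@" in realm):
        return {"userid": userid, "realm": realm,
                "routing_realm": None, "kind": "malformed"}

    if userid and realm:
        kind = "qualified"
    elif userid:
        kind = "userid-only"
    elif realm:
        kind = "anonymous"
    else:
        kind = "null-identity"

    # Routing assumption: an explicit realm wins, otherwise the local realm.
    routing_realm = realm or local_realm
    return {"userid": userid, "realm": realm,
            "routing_realm": routing_realm, "kind": kind}


def is_local_anonymous(identity: str, local_realm: str = LOCAL_REALM) -> bool:
    """True when the identity names the anonymous user of the local realm,
    i.e. when "" and "@localrealm" are treated as the same thing."""
    nai = parse_nai(identity, local_realm)
    return (nai["kind"] in ("anonymous", "null-identity")
            and nai["routing_realm"] == local_realm)


if __name__ == "__main__":
    for ident in ("fred", "@example.com", "", "fred@example.com", "fred@"):
        print(repr(ident), parse_nai(ident), is_local_anonymous(ident))
```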


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>