I've created an anonymous outer identity service in ClearPass and it works well most of the time. The primary reason was to separate the realm requirements of eduroam from forcing clients to enter the full realm as their usernames.
What I'm seeing is that for clients that don't enter the realm for their inner identity, sometimes their auth request to ClearPass is not being decoded correctly and their Username is being seen as anonymous and they are being enforced as a guest user. If a client has entered their username with the full @realm.edu, I've never seen one fail in this way.
The same client will succeed 3-4 times, then fail, then succeed again several times, then fail, etc. Access Tracker logs for successful and failed attempts are below:
Successful:
Computed Attributes
Authentication:ErrorCode 0
Authentication:Full-Username "Correct USERNAME"
Authentication:Full-Username-Normalized "Correct USERNAME"
Authentication:InnerMethod EAP-MSCHAPv2
Authentication:MacAuth NotApplicable
Authentication:OuterMethod EAP-PEAP
Authentication:Posture Unknown
Authentication:Source ldap.
Authentication:Status User
Authentication:Username "Correct USERNAME"
Authorization:Sources ldap.
Unsuccessful:
Computed Attributes
Authentication:ErrorCode 0
Authentication:Full-Username "Correct USERNAME"
Authentication:MacAuth NotApplicable
Authentication:OuterMethod EAP-PEAP
Authentication:Posture Unknown
Authentication:Source ldap
Authentication:Status User
Authentication:Username anonymous
Authorization:Sources ldap.
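
For comparing Access Tracker records like the two above, here is an added example that is not part of the original post and is not ClearPass code. It parses the computed attributes, lists what a failing record lacks relative to a known-good one, and flags records where `Authentication:Username` holds the outer identity; the function names are hypothetical and the sample records are constructed from the output quoted in the post.

```python
# Sample records constructed from the two Access Tracker dumps quoted in the post.
GOOD = '''Computed Attributes
Authentication:ErrorCode 0
Authentication:Full-Username "Correct USERNAME"
Authentication:Full-Username-Normalized "Correct USERNAME"
Authentication:InnerMethod EAP-MSCHAPv2
Authentication:OuterMethod EAP-PEAP
Authentication:Status User
Authentication:Username "Correct USERNAME"
'''
BAD = '''Computed Attributes
Authentication:ErrorCode 0
Authentication:Full-Username "Correct USERNAME"
Authentication:OuterMethod EAP-PEAP
Authentication:Status User
Authentication:Username anonymous
'''

def parse_attrs(text):
    """Map 'Namespace:Name value' lines to a dict, skipping headings."""
    attrs = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        ns, _, name = key.partition(":")
        if ns and name:  # headings such as 'Computed Attributes' have no Namespace:Name
            attrs[key] = value.strip().strip('"')
    return attrs

def missing_attrs(reference, record):
    """Attributes present in a known-good record but absent from this one."""
    return sorted(set(reference) - set(record))

def outer_identity_as_username(record, outer_identity="anonymous"):
    """True when Username is the outer identity but Full-Username is not."""
    user = record.get("Authentication:Username", "").lower()
    full = record.get("Authentication:Full-Username", "").lower()
    return user == outer_identity and full != outer_identity

if __name__ == "__main__":
    good, bad = parse_attrs(GOOD), parse_attrs(BAD)
    print("missing from failing record:", missing_attrs(good, bad))
    print("good record flagged:", outer_identity_as_username(good))
    print("failing record flagged:", outer_identity_as_username(bad))
```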