We've recently moved a bunch of network switches to use RADIUS authentication instead of local accounts. Currently, we're using EAP-MD5-Challenge as that is all the switches support. However, I recently got a copy of the newest firmware which adds PEAP. I'm certainly not an expert in the various EAP protocols. When I attempt to login to my test switch I see an event on the server for a failed login which shows an account name "anonymous" with a denied access event. From what I can tell, PEAP can use an anonymous outer identity. My assumption is that the server would then strip that to get the inner identity with the actual user name/password. In this case that doesn't seem to be happening. The switch vendor is also looking into this, but I want to be sure I understand how this should work and it would also be nice to know if I should see an event with the actual user instead of anonymous.

