It really sort of depends on what you want others to be able to see. The outer identity is sent in clear text over the air during the initial steps of EAP authentication. In a world where you have a Microsoft or Cisco RADIUS server (IAS or ACS, respectively), and your client operating systems and wireless supplicants are up-to-date, you should be able to use "anonymous" without issues. If you live in a MS Active Directory world, you definitely want to use either domain\userid, or "anonymous".