Windows Clients with SSID {2,3,4 suffix}

Ted Hyde (RSI) thyde at
Fri May 29 17:40:27 CEST 2020

Greets - this isn't specifically a question regarding FR, but I believe 
it has enough relevance to the list, as well as FR in a slightly 
abstracted way (perhaps the solution rather than the situation).

I have been using FR to handle my radius auth, split between networking 
devices and clients for wireless AP for a number of years. The majority 
of my hardware is Cisco, with AP's both as autonomous and LWAPP with a WLC.

I've been seeing it for quite a while now (from Win 10 forward at least) 
- and to a particular end have just "lived with it" however am wondering 
if there has been any solution observed - particularly since there is a 
large distribution of transient clients in the eduroam sector.

The problem? Multiple APs for coverage show mutiple SSIDs in the windows 
wireless network selector. Thus you get MYSSID, MYSSID 2, MYSSID 3 and 
so on in some attempt to rationally allow the user to choose the AP they 
want to connect to. I have been googling for a while now - far too many 
rabbit holes with little solid results - and have come across reasoning 
such as "you don't want to choose the rogue AP, so this alerts you" and 
"this lets you choose the strongest AP in the area" etc. My android 
devices don't do this, the Mac and IOS clients I service don't do this, 
my Linux clients don't do this - everyone but Windows seems to have the 
ability to automatically roam and not present multiple variants with 
suffix numbers in the SSID list. The problem with the multiple SSIDs in 
the list is really that sometimes windows comes back with the "can't 
connect to this network' error, which really impresses people for sure! 

Of course it would be awesome for someone to pipe up and say "here's the 
registry setting and done", but it may not be as simple as that, understood.

So some more configuration info: I do run a mix of autonomous AP's/LWAPP 
APs in an area, which I choose is based upon device count - typically if 
I'm only doing coverage for 3 or 4 APs - the expense and hassle of a WLC 
often isn't warranted. I also have typiclly 3-7 SSIDs (thus mbssid 
options are on) supporting the network; not all SSIDs are present on all 
bands, nor on all APs - however a lab scenario with 3 APs and identical 
configs in a 2.4ghz only setup showed the exact same results, so I am 
not expecting the more advanced config to be a culprit. For encryption, 
I'm typically configured for aes-ccm and tkip. I run multiple models of 
AP's typically with their most recent firmware, and mostly a/b/g/n, 
2.5Ghz/5Ghz with only a very little ac.

However this may be the kicker: some clients don't have the ability to 
run an enterprise auth method - so it's WPA2/PSK for them. Thus I have a 
mix of authentication - the PSK is at the AP itself, and anything 
enterprise (like EAP-TLS) is pushed forward to an FR instance.

Interestingly, the EAP-TLS SSID's don't show the suffixes all the time - 
if I hover with my laptop it takes quite a while for Win10 to start 
showing SSID 2 for them, while anything that was WPA2/PSK is immediately 
shown as multiple SSIDs with suffixes.

Thus the overall question here is less FR and more about picking folks' 
brains, wherein the solution may be provided by FR using a different 
auth key management path than the local WPA2-PSK (although I have never 
attempted such).

But either way, Many thanks,


More information about the Freeradius-Users mailing list