Eduroam and setting identity privacy in Windows

Jim Potter j.potter at
Fri Feb 8 17:36:06 CET 2019

Hi all,

I've been tasked with addressing our FreeRadius servers for our eduroam
setup here. What I would like to achieve is authentication to happen
invisibly where possible - our laptops would perform machine
authentication, users would log in and would re-authenticate to wireless
invisibly (currently each user needs to set up the wireless connection on
each device the use - this is really bad from a user experience point of
view, especially for students using laptops from a bank). Has anyone else
had any success doing anything like this?

The big problem I have run in to is in fact not really FreeRadius at all,
rather the domain bound windows clients sending their credentials in the
wrong format. Computer authentication comes in the form
<>* and users in the format *DOMAIN\myusername, *not
*myusername at <myusername at>* as required by

I've updated the policy files on FreeRadius to authenticate the above
formats successfully, but if staff are to be able to use their devices on
remote eduroam sites, they need either their username ( at least their
anonymous ID/identity privacy name) to be sent in the format
*someone at
<someone at>*

Has anyone found a way of doing this?

thanks in advance,

Server Engineer
Bath Spa University

More information about the Freeradius-Users mailing list