Two different user-names while using computer authentication with client certificate

Arran Cudbard-Bell a.cudbardb at
Tue Jan 28 19:36:28 CET 2020

> On 28 Jan 2020, at 09:54, Alan DeKok <aland at> wrote:
> On Jan 28, 2020, at 9:36 AM, uj2.hahn at wrote:
>> I have a question just for my understanding.
>> I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentication
>> on this WLAN profile. This all works fine.
>  That's good.
>> Just for my education I switched the client WLAN profile to computer (!) authentication (instead of user),
>> just to see what will happen with freeradius.
>  FreeRADIUS just processes packets it receives.  It does NOT create those packets, or any information in them.
>> Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q".
>> So it seems the outer and the inner tunnel see different User-Names.
>> Is this intentional?
>  Ask Microsoft how their software works.
>  FreeRADIUS just reports on what it sees.  It does not (and can not) cause the Windows system to send different User-Names.

In this instance "host/RadiusClient" comes from the EAP-Identity-Response packet sent by the Windows device just as it's starting 802.1X authentication, and "host/DESKTOP-FLOQN5Q" is the identity received within the TLS protected inner-tunnel of the PEAP protocol.

Looks like the Windows 10 supplicant is implementing identity privacy for host authentication, and that's why the first (unprotected) identity is generic, and the second (protected) identity is specific to the host.

You can likely control the unprotected identity by configuring a specific anonymous outer identity in the supplicant.  That option used to be there for user-based authentication; not sure if it still exists or is configurable for host-based authentication.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
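
The outer/inner identity split described in this message, as an added Python example that is not part of the original post or of FreeRADIUS: it parses an EAP-Response/Identity packet (RFC 3748 layout) to recover the unprotected outer identity and compares it with the inner identity. The packet bytes are constructed from the two names quoted in the thread, and all function names are hypothetical.

```python
import struct

EAP_RESPONSE = 2       # EAP Code 2 = Response (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP Type 1 = Identity


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build a constructed EAP-Response/Identity packet for the demo."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def parse_identity_response(packet: bytes) -> str:
    """Return the cleartext (outer) identity from an EAP-Response/Identity."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP header plus Type octet")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < 5 or length > len(packet):
        raise ValueError("EAP Length field disagrees with the captured bytes")
    # Octets past Length are link-layer padding and are ignored (RFC 3748).
    return packet[5:length].decode("utf-8", errors="replace")


def compare_identities(outer: str, inner: str) -> dict:
    """Summarise what an observer of the unprotected exchange learns."""
    return {
        "outer": outer,
        "inner": inner,
        "machine_auth": inner.lower().startswith("host/"),
        "outer_reveals_inner": outer.lower() == inner.lower(),
    }


if __name__ == "__main__":
    # Constructed sample using the two names quoted in this thread.
    pkt = build_identity_response(1, "host/RadiusClient") + b"\x00\x00"
    outer = parse_identity_response(pkt)
    print(compare_identities(outer, "host/DESKTOP-FLOQN5Q"))
```
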
