Two different user-names while using computer authentification with client certificate

Alan DeKok aland at
Wed Jan 29 17:01:25 CET 2020

On Jan 29, 2020, at 10:32 AM, uj2.hahn at wrote:
> I found a setting in Win10 WLAN profile which defines a generic username (RadiusClient) which
> was used for the outer tunnel. The inner tunnel used the real hostname (host/DESKTOP-FLOQN5Q).
> Once I cleared the RadiusClient field both tunnels reported the real hostname.

  That's good.

> The plan is to setup some school owned Win10 clients (in opposite to private devices) in a way
> they can connect to WLAN automatically w/o user/passwd setting. This is already working with
> user-based authentication and client certs.


> As an alternative way I like to try host-based authentication. This would probably work when I add each
> hostname to AD which is a lot of work. Do you think there is a way to use the anonymous outer identity name (RadiusClient) for authorization? In that case each of these clients can have the same
> anonymous outer identity name. This would minimize maintenance for new devices.

  The outer name can be anonymous, and can be the same for many machines.  The rest of the RADIUS packet contains MAC addresses, which lets you distinguish between machines, if you need that.

  Alan DeKok.

More information about the Freeradius-Users mailing list