Summary

EAP identity privacy is provided by certain EAP methods where an empty or an anonymous identity (different from the actual identity) is sent in response to the EAP identity request. PEAP method sends the identity twice during the authentication. In the 1st phase the identity is sent in plain text and this identity will be used for routing purposes and not for client authentication. The real identity is sent within a secure tunnel (established in the 1st phase) during the 2nd phase of the authentication.

PEAP Configuration

Support for Identity Privacy in Protected EAP (PEAP) method is introduced in Windows 7. The PEAP identity that is sent in 1st phase is configurable in the “Protected EAP Properties” dialog.

PEAP-Identity-Privacy

If the “Enable Identity Privacy” checkbox is checked then the username in the real identity is replaced with the text in the textbox. If the real identity is jdoe@foo.com, “Enable Identity Privacy” checkbox is checked and the textbox contains “anonymous” then the identity sent in 1st phase will be anonymous@foo.com. The realm portion of the 1st phase identity will not be modified as it is used for routing purposes.

Troubleshooting

Network policy server (NPS) is sending EAP-failure immediately after sending the identity response

If the NPS policy is created in the “Network Policies” then identity privacy doesn’t work. The NPS policy has to be created in the “Connection Request Policy”.