NPS Server Configuration for EAP identity privacy

Adrian Vesnaver 1 Reputation point
2022-02-02T00:13:08.87+00:00

I've had difficulty finding instructions or a step-by-step guide on how to configure an NPS server to work with anonymous identities when using PEAP authentication. I can find plenty of information on how to configure a client, but not the actual server side of things.

The only information I've been able to locate so far is at https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/ff919512(v=ws.10) which states:

The NPS policy for 802.1X Wireless must be created by using NPS Connection Request Policy. If the NPS policy is created by using NPS Network Policy, then identity privacy will not work.

Note

EAP identity privacy is provided by certain EAP methods where an empty or an anonymous identity (different from the actual identity) is sent in response to the EAP identity request. PEAP sends the identity twice during the authentication. In the first phase, the identity is sent in plain text and this identity is used for routing purposes, not for client authentication. The real identity, used for authentication, is sent during the second phase of the authentication, within the secure tunnel that is established in the first phase. If the Enable Identity Privacy checkbox is selected, the username is replaced with the entry specified in the textbox. For example, assume Enable Identity Privacy is selected and the identity privacy alias anonymous is specified in the textbox. For a user with a real identity alias jdoe@ssss.com, the identity sent in the first phase of authentication will be changed to anonymous@ssss.com. The realm portion of the first-phase identity is not modified as it is used for routing purposes.

I currently have a single Connection Request policy

170352-image.png

I also have a Network Policy to allow EAP-TLS and (P)EAP-MSCHAPv2:
170381-image.png
170382-image.png
170353-image.png

What modifications and additions do I need to make to the Connection Request and Network policies on the NPS server to allow EAP identity privacy with (P)EAP-MSCHAPv2, whilst also still allowing EAP-TLS to work?

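The first-phase exchange the quoted Microsoft note describes, as an added example that is not part of the original question or of any Microsoft code: the supplicant rewrites the user part of its identity to the privacy alias but keeps the realm, sends that outer identity in the clear in an RFC 3748 EAP-Response/Identity, and the server side can recover only the realm for routing. Packet layout follows RFC 3748; the rewriting rule follows the note above. The handling of a real identity with no realm (e.g. DOMAIN\user) is an assumption of this example and is labelled as such in the code.

```python
"""
Simulated phase 1 of PEAP with EAP identity privacy (added example).

The outer identity goes in the clear in EAP-Response/Identity and is only
usable for routing; the real identity is sent later inside the TLS tunnel
(not modelled here). Packet layout: RFC 3748 sections 4 and 5.1.
"""
import struct
from typing import Optional

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (Length covers the whole packet)


def outer_identity(real_identity: str, alias: str = "anonymous") -> str:
    """Phase-1 identity a supplicant with identity privacy enabled sends.

    The user part is replaced by the alias; the realm (text after the last '@',
    as in an NAI) is kept so a RADIUS proxy / NPS can still route the request.
    Assumption (not stated on the page): an identity without a realm, such as
    'DOMAIN\\jdoe', has nothing to route on and is replaced by the alias alone.
    """
    _user, sep, realm = real_identity.rpartition("@")
    if not sep:
        return alias
    return f"{alias}@{realm}"


def build_identity_request(identifier: int, prompt: bytes = b"") -> bytes:
    """EAP-Request/Identity as sent by the authenticator (AP or switch)."""
    body = bytes([EAP_TYPE_IDENTITY]) + prompt
    return EAP_HEADER.pack(EAP_REQUEST, identifier, EAP_HEADER.size + len(body)) + body


def build_identity_response(identifier: int, identity: str) -> bytes:
    """EAP-Response/Identity carrying the outer identity in the clear."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    return EAP_HEADER.pack(EAP_RESPONSE, identifier, EAP_HEADER.size + len(body)) + body


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet, enforcing the RFC 3748 Length rule."""
    if len(packet) < EAP_HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length = EAP_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match packet size {len(packet)}")
    result = {"code": code, "identifier": identifier, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < EAP_HEADER.size + 1:
            raise ValueError("Request/Response without Type field")
        result["type"] = packet[EAP_HEADER.size]
        result["data"] = packet[EAP_HEADER.size + 1:]
    return result


def routing_realm(packet: bytes) -> Optional[str]:
    """What the server learns from phase 1: the realm only (None if absent)."""
    pkt = parse_eap(packet)
    if pkt["code"] != EAP_RESPONSE or pkt["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    identity = pkt["data"].decode("utf-8")
    _user, sep, realm = identity.rpartition("@")
    return realm if sep else None


def simulate_phase1(real_identity: str, alias: str = "anonymous") -> dict:
    """Run the Identity request/response pair and report what each side sees."""
    request = build_identity_request(identifier=1)
    sent = outer_identity(real_identity, alias)
    response = build_identity_response(parse_eap(request)["identifier"], sent)
    return {
        "outer_identity": sent,
        "realm_seen_by_server": routing_realm(response),
        # True only if the full real identity appears on the wire in phase 1.
        "real_identity_visible": real_identity.encode("utf-8") in response,
    }


if __name__ == "__main__":
    # Constructed sample identity taken from the note quoted above.
    print(simulate_phase1("jdoe@ssss.com"))
```

Running the block prints that the outer identity is anonymous@ssss.com, that the server can only see the realm ssss.com, and that jdoe@ssss.com never appears in the phase-1 packet; that realm is what a Connection Request Policy condition on User-Name can still match.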

1 answer

  1. Gary Nebbett 5,721 Reputation points
    2023-06-22T07:26:18.3933333+00:00

    Hello Both,

    Adrian found the only "description" of what must be done to enable identity privacy that I could also find.

    What it means is that the "Override network policy authentication settings" checkbox needs to be ticked on a Connection Request Policy and the EAP authentication configured there.


    The reason for this is that NPS uses a pipeline of "stages" to process requests; there are stages in this pipeline that handle CRP (Connection Request Policy) tasks, RAP (Remote Access Policy or Network Policy) tasks and other tasks (there are about 28 stages). The CRP stage is earlier in the pipeline than the stages that cause problems with identity privacy; the RAP stage is later in the pipeline.

    Let us know if you have any further problems with the configuration (for example, your IoT device might start receiving "Statement of Health" requests embedded in the EAP exchanges).

    Gary
