PEAP Identity Privacy Support in Windows 7 and Windows Server 2008 R2

When responding to Extensible Authentication Protocol (EAP) identity requests, some EAP methods automatically provide identity privacy by sending an obfuscated identity string that is different from the actual user account identity.

Protected EAP (PEAP) methods, however, handle the identity response differently. PEAP sends user identity information twice during the authentication process. In the 1st phase, the user identity is sent as plain text. The plain-text identity that is sent is used only for routing purposes, and does not contain any of the Active Directory-based Access Control List (ACL) client information that is required for client authentication. Then, in the 2nd phase of authentication (after a secure channel is established in the 1st phase), the real identity, which is used for authentication, is sent through the secure channel.

Some people feel that the transmission of any account information, no matter how limited, creates a potential weakness that might be used for nefarious acts. It is argued by some people that because PEAP passes the user alias in plain text during the preliminary stage of authentication, PEAP exposes information that might be used as a starting point to launch attacks. This is quite possibly true. However, it should be noted that a corporate email alias typically provides a similar level of user information.

To address these concerns, Windows 7 and Windows Server 2008 R2 support a new feature in PEAP which is known as Identity Privacy. You can use the Identity Privacy feature to specify what text is sent in place of the user identity during the 1st phase of PEAP authentication.

Generally speaking, it works like this:

1. As the network administrator of example.com, you enable the Identity Privacy setting in the Protected EAP Properties dialog within the Wireless Network (IEEE 802.11) Policies of Group Policy, and type an anonymous identity of your choice. The anonymous identity string can be almost anything, so you decide to use “someone.”

2. Next, a user who has an Active Directory account “bob@example” attempts to connect to the example.com 802.1X wireless network using a computer that is running Windows 7, and to which the Wireless Network (IEEE 802.11) Policies apply.

3. The Remote Authentication Dial-in User Service (RADIUS) server responds to the wireless connection request by sending an EAP identity request back to Bob’s computer running Windows 7.

4. Bob’s computer sends an EAP identity response. However, unlike previous PEAP implementations that would send “bob@example” (in plain text), the identity response that is sent by Bob’s computer is changed to “someone@example”.

The Enable Identity Privacy setting configures client computers running Windows 7 so that they do not send account identity before the client has authenticated with the RADIUS server. The setting also provides an optional location to type an anonymous identity string. If you select Enable Identity Privacy but do not provide an anonymous identity string, the user account field is empty in the PEAP identity response. For example, a PEAP identity response for “alice@example” would send only “@example”.
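To check which clients actually apply the setting, the phase-1 identity can be read out of captured EAP-Response/Identity packets. The following Python is an added example, not code from the original post or from Microsoft: it parses the RFC 3748 packet layout and classifies each outer identity. The packets are constructed samples, and the function names and the "someone" default are assumptions taken from the scenario above.

```python
import struct

EAP_RESPONSE = 2        # RFC 3748: Code 2 = Response
EAP_TYPE_IDENTITY = 1   # RFC 3748: Type 1 = Identity
HEADER_LEN = 5          # Code(1) + Identifier(1) + Length(2) + Type(1)

def build_identity_response(identifier, identity):
    """Build an EAP-Response/Identity packet (used here only to make samples)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier,
                       HEADER_LEN + len(data), EAP_TYPE_IDENTITY) + data

def parse_identity_response(packet):
    """Return the plain-text phase-1 identity carried in the packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated EAP header")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:HEADER_LEN])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("EAP length field does not match packet size")
    # Bytes past the Length field are padding and are ignored.
    return packet[HEADER_LEN:length].decode("utf-8", errors="replace")

def classify_outer_identity(identity, anonymous_user="someone"):
    """Classify the user part of a user@realm identity as used on this page."""
    user, _sep, _realm = identity.partition("@")
    if user == "":
        return "private-empty"        # Identity Privacy on, no string typed
    if user.lower() == anonymous_user.lower():
        return "private-anonymous"    # Identity Privacy on, configured string
    return "exposed"                  # real account name sent in plain text

def audit(packets, anonymous_user="someone"):
    """Return (identity, verdict) for every captured packet."""
    results = []
    for pkt in packets:
        identity = parse_identity_response(pkt)
        results.append((identity, classify_outer_identity(identity, anonymous_user)))
    return results

# Constructed sample packets matching the identities used on this page.
SAMPLE_PACKETS = [
    build_identity_response(1, "bob@example"),
    build_identity_response(2, "someone@example"),
    build_identity_response(3, "@example"),
]

if __name__ == "__main__":
    for identity, verdict in audit(SAMPLE_PACKETS):
        print(f"{identity!r:22} {verdict}")
```

Any identity reported as "exposed" comes from a client that is not applying the Identity Privacy policy, or from one that does not support it.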

For computers running Windows 7, you can configure Identity Privacy in the Protected EAP Properties dialogs for 802.1X authenticated wired access, 802.1X authenticated wireless access, and for virtual private network (VPN) connections.

Brit Weston
Technical Writer
The Windows Server Networking Documentation Team