
It's a seemingly simple question.

How can I customize the WPA2 Enterprise username in Windows 8, per SSID?

Registry hacks are fine with me.

Hover below for background info (not really required to answer the question):

PROBLEM DETAILS:

We run WPA2 Enterprise (dot1x / PEAP) on our BYOD wlan with rotating credentials; one persistent problem I've not been able to solve is how I can get Windows 8 clients on this network.

The problem is that when people try to join with Windows8, Windows always sends the logged-in user's username by default. That's fine if you're going to use it, but our security policy forces us to use a static BYOD WPA2 Enterprise username and password on our Wireless Controller (rotated regularly).

It's not very hard to change this behavior in Windows 7, but Windows 8 introduced a new level of insanity GUI which makes it very hard to find how you customize the wlan's WPA2 Enterprise username.

ENVIRONMENT DETAILS:

1. People are encouraged to bring their own devices and use two factor IPSec VPN through the BYOD WiFi to their company desktop as they like.

2. This means that the logged in username on the BYOD device cannot be predicted... That's part of the reason for static BYOD WiFi credentials.

3. Even though Windows 8 asks for a WPA2 Enterprise username when you join, by default it overrides it and still uses the wrong username

4. The company network and BYOD network are firewalled from each other for all the obvious reasons.

5. Authentication stores are outside the scope of this question.


@EEAA correctly pointed out that parts of the security policy aren't helpful, but I still need to solve the problem. The problem exists regardless of whether we use a static username or rotating username.
    This is admittedly not helpful, but that is a ridiculous policy. Changing passwords? Absolutely. Changing usernames? Heck no. – EEAA Dec 28 '16 at 16:44
  • I'm curious what regulatory requirement forced you to do that. – EEAA Dec 28 '16 at 16:47
  • Yeah I agree but the entropy argument obviously won out with some security person... Even if it was a static username, we'd still have the same problem though – Mike Pennington Dec 28 '16 at 16:47
  • Your security person is either horribly incompetent or is trying to needlessly complicate management and auditing to increase their own job security. – EEAA Dec 28 '16 at 16:48
  • 2
    1) are you authing against AD/Radius? 2) are your users not signing in via their AD credentials? – EEAA Dec 28 '16 at 17:31
  • FYI, for those upvoting the AD / RADIUS comment above... please hover over the hidden text in the question. But to save you the trouble, it doesn't matter – Mike Pennington Jan 07 '17 at 14:23
  • It *does* matter, though, as it would make your problem go away. Each user would be signing in with a known and predictable username, and you could configure your NPS queries accordingly. – EEAA Jan 07 '17 at 14:25
  • I must respectfully disagree... it's not helpful to suggest redesigning our entire VPN and BYOD scheme with so little information. We had reasons for doing things this way, and bikeshedding down that path is precisely why it's not relevant to *this question*. All designs have advantages / disadvantages: we made choices you don't like, but you might agree more if I had the energy to unpeel the onion of "whys". I think I have gone the extra mile to give some relevant context, but there will always be dissenters – Mike Pennington Jan 07 '17 at 14:45
  • Fair enough, I've said my piece. Good luck getting an answer! – EEAA Jan 07 '17 at 14:46
  • All that aside, the simple question remains... why is it so incredibly hard to find the answer to this problem?? – Mike Pennington Jan 07 '17 at 14:48
  • Probably because it's an edge case that precious few Windows users ever would even consider. – EEAA Jan 07 '17 at 14:49
  • Yet this isn't hard to solve in Windows 7 / 10 :-) – Mike Pennington Jan 07 '17 at 14:58
  • How do you solve it in Windows 7 / 10? I have never really heard of such a thing and if you can tell us how you would solve it in Windows 7 / 10 it might help. – Anthony Fornito Jan 10 '17 at 14:19

1 Answer


Try this:

  1. Open the Control Panel > Network and Sharing Center
  2. Select your network ID, click on Wireless Properties > Security tab.
  3. Ensure that WPA2 Enterprise is selected as the security type.
  4. Under "Select a network authentication method", select Microsoft: Protected EAP (PEAP).
  5. Next to this drop-down menu, click Settings.
  6. Under "Select Authentication Method", select Secured Password (EAP-MSCHAP v2)
  7. Next to this drop-down menu, click Configure.
  8. Deselect the box that says, "Automatically use my Windows login name and password option (and domain, if any)".
  • Indeed that worked... I think the step that fixed it was unchecking the server certificate validation. We will need to replicate those instructions into this answer before I will accept it. I can assist since I think it's worth adding screenshots. – Mike Pennington Jan 10 '17 at 16:50
  • @MikePennington - I updated my answer, please take a look and see if it is right. – B00TK1D Jan 10 '17 at 19:16