If you're planning on keeping legacy auth, you can modify the supplicant config in your GPO/MDM policy to prompt the user the first time. They can then enter their fully qualified username and password when prompted.
Legacy protocols should never be used without a GPO or MDM enforced supplicant.

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Pratik Mehta <pra...@princeton.edu>
Sent: Tuesday, July 27, 2021 12:10:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Yes, we are using eduroam. For the Radius server we use Aruba ClearPass.

Additional Context: The reason for this ask is to support our faculty/staff that visit other “eduroam” participating universities. We are also using the authentication option of “User auth or computer auth” so when the user is logged out of the machine, the device remains connected to the wireless network via computer authentication.

We understand that we can manually modify the profile to unselect “Automatically use my windows logon and password” in the wireless profile and manually configure the user name in the format of USERNAME@FQDN when prompted. However, the issue is we do not have all the faculty/admin staff with admin rights to the machine.

Thank you Tim and Lynn.

Regards,
Pratik Mehta

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Heavrin, Lynn
Sent: Tuesday, July 27, 2021 12:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

I didn’t see anywhere he mentioned this was for eduroam, but after a Google search it seems Princeton uses it for their primary SSID, so yes that is a good point. That’s one big factor in why we’re moving to EAP-TLS and forcing the format instead of trying to accommodate whatever the user decides to type in.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

I would not recommend that as the device will not be routable on eduroam outside your campus.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Heavrin, Lynn <lheav...@wustl.edu>
Date: Tuesday, July 27, 2021 at 11:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Depending on your RADIUS server you could rewrite the identity to whatever you want. Some are more granular than others with what all you can do.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tim Cappalli <00000194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: Tuesday, July 27, 2021 at 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

No, it cannot.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Pratik Mehta <pra...@princeton.edu>
Date: Tuesday, July 27, 2021 at 11:14
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] PEAP Username format in Domain Joined machines

Hello Everyone,

On a Windows 10 device, and when using “Automatically use my windows logon and password” for MSCHAPv2 properties of PEAP authentication, the default username format that Windows uses is NETBIOS_DOMAIN_NAME\USERNAME.

Does anyone know if the default format can be changed to USERNAME@FQDN (UPN format)? This is obviously for a domain joined machine.

Thank you for your insights and assistance.

Regards,
Pratik Mehta

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
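
Added example, not part of the thread or any participant's code: a sketch of the identity handling discussed above, showing why a home-side RADIUS rewrite of NETBIOS_DOMAIN_NAME\USERNAME works on campus while the same identity has no realm for a visited eduroam site to proxy on. The `CAMPUS` domain, the `campus.example.edu` realm and all function names are assumptions made for illustration.

```python
import re

# Constructed mapping from AD NetBIOS domain to eduroam realm (assumption).
NETBIOS_TO_REALM = {"CAMPUS": "campus.example.edu"}
_REALM = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

def parse_identity(identity):
    """Classify a RADIUS User-Name as (kind, user, domain_or_realm)."""
    if identity.startswith("host/"):
        # Windows computer authentication sends host/<machine FQDN>.
        return ("machine", identity[len("host/"):], None)
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
        return ("downlevel", user, domain)
    if "@" in identity:
        user, realm = identity.rsplit("@", 1)
        return ("upn", user, realm.lower())
    return ("bare", identity, None)

def visited_site_can_route(identity):
    """A visited eduroam site proxies on the realm after '@' and sees only
    what the supplicant sent, so a home-side rewrite cannot help here."""
    kind, user, realm = parse_identity(identity)
    return kind == "upn" and bool(user) and bool(_REALM.match(realm))

def home_rewrite(identity):
    """Rewrite the home RADIUS server could apply to on-campus requests.
    Returns user@realm, or None when the identity cannot be mapped."""
    kind, user, scope = parse_identity(identity)
    if kind == "downlevel" and user:
        realm = NETBIOS_TO_REALM.get(scope.upper())
        return f"{user}@{realm}" if realm else None
    if kind == "upn" and visited_site_can_route(identity):
        return f"{user}@{scope}"
    return None

def audit(identities):
    """Return the identities that carry no realm a visited site can use."""
    return [i for i in identities if not visited_site_can_route(i)]

# Constructed sample User-Name values, as a RADIUS log might show them.
SAMPLE = ["CAMPUS\\jdoe", "jdoe@campus.example.edu",
          "host/PC01.campus.example.edu", "jdoe"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, visited_site_can_route(name), home_rewrite(name))
```

Running `audit()` over the User-Name values in the home server's on-campus authentication log shows which supplicants still need the USERNAME@FQDN format before their users travel.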