Case Summary: 802.1X Wi-Fi Authentication Failure — PEAP Identity Privacy Misconfiguration Causes Invalid Outer Identity

Product/Service: Windows Client / 802.1X Wireless / NPS (Network Policy Server)


1. Symptoms

  • Users see “Cannot connect” when joining the corporate Wi-Fi (SSID: CORP-WIFI)
  • Client-side Event Viewer under WLAN-AutoConfig (Event ID 12013) logs 802.1x authentication failure:
    Wireless 802.1x authentication failed.
    Network Adapter: Intel(R) Wi-Fi 7 BE201 320MHz
    Interface GUID: {efb90044-ae59-4a40-b8ed-f2b9aa87e462}
    Local MAC Address: AA:BB:CC:11:22:33
    Network SSID: CORP-WIFI
    BSS Type: Infrastructure
    Peer MAC Address: DD:EE:FF:44:55:66
    Identity: host/.contoso.corp
    Reason: Explicit Eap failure received
    Error: 0x40420110
    EAP Root cause String: Network authentication failed due to a problem with the user account
    
  • Key anomaly: The outer Identity shows host/.contoso.corp — a malformed format (slash followed directly by domain dot, with the computer name missing)

2. Background / Environment

  • Clients: Windows clients with Intel Wi-Fi 7 BE201 320MHz wireless adapter
  • Authentication method: 802.1X Wi-Fi using PEAP-MSCHAPv2
  • Authentication mode: Computer Authentication (machine credentials)
  • RADIUS server: Windows NPS (Network Policy Server)
  • Wi-Fi profile deployment: Deployed via GPO (Group Policy Object)
  • EAP configuration in Wi-Fi Profile:
    • EnableIdentityPrivacy = true (identity privacy enabled)
    • anonymousUserName = empty (anonymous identity field not configured)

3. Investigation & Troubleshooting

  1. Checked client-side Event Viewer
    • Navigated to Applications and Services Logs → Microsoft → Windows → WLAN-AutoConfig
    • Found Event ID 12013 error with EAP Root cause String: “Network authentication failed due to a problem with the user account”
    • Key clue: The Identity field shows host/.contoso.corp — clearly malformed. Normal machine identity should be host/COMPUTERNAME.contoso.corp
  2. Captured network trace to verify EAP outer identity
    • Network trace confirmed the client sends host/.contoso.corp as the EAP outer identity
    • This identity format is invalid — NPS cannot find a corresponding computer account in AD, resulting in authentication rejection
  3. Exported and analyzed the Wi-Fi Profile EAPConfig XML
    • Used the following commands to export the Wi-Fi configuration:
      netsh wlan show profiles
      netsh wlan export profile name="ProfileName" folder="C:\WiFiProfiles"
      
    • Examined the exported XML and found in the PEAP configuration:
      • EnableIdentityPrivacy was set to true
      • anonymousUserName was empty (no value configured)
  4. Confirmed root cause: Identity Privacy enabled but anonymous identity empty
    • When EnableIdentityPrivacy = true and anonymousUserName is empty, the Windows client strips the real computer name from the outer identity
    • For Computer Authentication, the outer identity format is host/<ComputerName>.<DomainName>
    • With the computer name stripped, it becomes host/.<DomainName>, i.e., host/.contoso.corp
    • NPS receives this invalid identity, cannot match any AD computer account, and rejects the authentication

4. Blockers & How They Were Resolved

  • Blocker: The initial error message points to a “user account problem,” which is misleading
    • Impact: Could waste time investigating AD accounts or NPS policies
    • How resolved: Careful examination of the anomalous Identity field format redirected the investigation to the EAP configuration
  • Blocker: The Wi-Fi Profile is deployed via GPO; the specific EAP settings had to be located
    • Impact: Identity Privacy settings are not visible in the standard UI
    • How resolved: Used netsh wlan export profile to export the XML and manually inspected the EAPConfig section

5. Root Cause & Resolution

Root Cause

The GPO-deployed Wi-Fi Profile had PEAP Identity Privacy enabled (EnableIdentityPrivacy = true) but the anonymous identity was not configured (anonymousUserName was empty).

When Identity Privacy is enabled with an empty anonymous identity, the Windows 802.1X client strips the real computer name from the EAP outer identity, retaining only the format prefix. For Computer Authentication, the outer identity changed from the expected host/COMPUTERNAME.contoso.corp to the malformed host/.contoso.corp. NPS could not find a matching computer account in Active Directory for this invalid identity and rejected the authentication request.

Resolution

Modify the PEAP Identity Privacy configuration in the GPO Wi-Fi Profile. Choose one of the following approaches based on authentication mode:

Option A (Recommended): Correctly configure the anonymous identity

Set the anonymousUserName based on the authentication mode:

  • Computer Authentication: Enter host/anonymous@contoso.corp
  • User Authentication: Enter anonymous@contoso.corp

Option B: Disable Identity Privacy

If identity privacy protection is not required, set EnableIdentityPrivacy to false. The client will send the real computer name/username in the outer identity.

After modifying the GPO, run gpupdate /force on client machines and reconnect to Wi-Fi.
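The check below is an added example, not part of the original case write-up: it reads the EnableIdentityPrivacy / AnonymousUserName pair from an exported profile's EAPConfig XML, predicts the outer identity the client would send according to the behaviour described in steps 3 and 4 above, and flags the Option A conditions (non-empty anonymous identity, host/ prefix for machine authentication). The sample XML is constructed; the element nesting and namespace URIs are assumptions about the netsh export format, and the matching is namespace-agnostic so it does not depend on them.

```python
"""Audit an exported Wi-Fi profile for PEAP Identity Privacy on with an empty anonymous name."""
import xml.etree.ElementTree as ET

# Constructed sample of the EAPConfig fragment. Element names match the case;
# the nesting and namespaces are assumptions about the netsh export format.
SAMPLE_BAD = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
        <EnableIdentityPrivacy>true</EnableIdentityPrivacy>
        <AnonymousUserName></AnonymousUserName>
      </IdentityPrivacy>
    </EapType>
  </Eap>
</EapHostConfig>"""
SAMPLE_FIXED = SAMPLE_BAD.replace("<AnonymousUserName></AnonymousUserName>",
                                  "<AnonymousUserName>host/anonymous@contoso.corp</AnonymousUserName>")

def _find_text(root, name):
    """Namespace-agnostic lookup: match on the local element name only."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None

def read_identity_privacy(xml_text):
    """Return (enabled, anonymous_user_name) as found in the EAPConfig XML."""
    root = ET.fromstring(xml_text)
    enabled = (_find_text(root, "EnableIdentityPrivacy") or "false").lower() == "true"
    return enabled, _find_text(root, "AnonymousUserName") or ""

def predicted_outer_identity(xml_text, computer_name, domain):
    """Outer identity the client sends, per the behaviour observed in this case."""
    enabled, anon = read_identity_privacy(xml_text)
    if not enabled:
        return f"host/{computer_name}.{domain}"   # real machine identity
    if not anon:
        return f"host/.{domain}"                  # malformed value seen in Event ID 12013
    return anon

def audit_identity_privacy(xml_text, machine_auth=True):
    """Findings for a profile; an empty list means the settings are consistent."""
    enabled, anon = read_identity_privacy(xml_text)
    findings = []
    if enabled and not anon:
        findings.append("EnableIdentityPrivacy is true but AnonymousUserName is empty")
    elif enabled and machine_auth and not anon.startswith("host/"):
        findings.append("machine authentication needs a host/ prefix on AnonymousUserName")
    return findings
```

Run it against every profile exported with netsh wlan export profile before the GPO goes out; a non-empty findings list reproduces the root cause of this case without touching a client.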

6. Lessons Learned

  • Technical Knowledge:
    • PEAP Identity Privacy hides the real identity in the EAP outer layer (since the outer identity is sent before the TLS tunnel is established and may be intercepted)
    • When Identity Privacy is enabled, an anonymous identity must be configured; otherwise the client sends a malformed identity
    • The anonymous identity format differs between machine and user authentication: machine authentication requires the host/ prefix
  • Troubleshooting Methodology:
    • For 802.1X authentication failures, always check the Identity field in Event Viewer first for anomalies
    • Use netsh wlan export profile to export the Wi-Fi Profile XML and inspect the EnableIdentityPrivacy and anonymousUserName settings in the EAPConfig section
    • Be aware that “user account problem” error messages can be misleading — the actual issue may be the client sending an invalid identity
  • Prevention:
    • Before deploying GPO Wi-Fi Profiles, export and validate the EAP configuration XML for completeness
    • When enabling Identity Privacy, always configure the anonymous identity in the GPO template simultaneously
    • Test Wi-Fi Profile configurations in a lab environment before broad deployment

7. References