Perhaps the EAPHostUserCredentials XML has some problem. There is an EAP-TLS User Properties sample, as strEapXmlUserData says.
How to properly use WlanSetProfileEapXmlUserData() with eaptlsuserpropertiesv1 to select a client certificate in Wifi EAP-TLS?
I am building an app to automatically configure Windows devices to use wireless networks that use EAP-TLS authentication. I am trying to use the Windows Native Wifi call WlanSetProfileEapXmlUserData with the eaptlsuserpropertiesv1 EAPHostUserCredentials schema to select specific certificates for each profile. When I call WlanSetProfileEapXmlUserData with the XML below, the call return indicates success. However, when I try to connect to the wireless network, it fails with the error message "Can't connect because you need a certificate to sign in. Contact your IT support person."

But I know the wireless profile itself is correct (see the XML below the EAPHostUserCredentials XML) and the certificates are correct for EAP-TLS, because I can connect without calling WlanSetProfileEapXmlUserData... I just have to manually select which certificate to use for the profile; it is not automatic.

How do I use WlanSetProfileEapXmlUserData with the eaptlsuserpropertiesv1 schema to programmatically set which client certificate to use with a wireless network profile?
EAPHostUserCredentials XML:
<?xml version="1.0" encoding="UTF-16"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Credentials>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
        <UserCert>ec 2d f6 33 96 a7 f8 04 b8 e1 72 ea bd b5 10 4f 33 4f 0e eb </UserCert>
      </EapType>
    </Eap>
  </Credentials>
</EapHostUserCredentials>
Wireless profile XML:
<?xml version="1.0" encoding="UTF-16"?>
<w:WLANProfile xmlns:w="http://www.microsoft.com/networking/WLAN/profile/v1">
  <w:name>Primary</w:name>
  <w:SSIDConfig>
    <w:SSID>
      <w:name>Primary</w:name>
    </w:SSID>
  </w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType>
  <w:connectionMode>auto</w:connectionMode>
  <w:autoSwitch>false</w:autoSwitch>
  <w:MSM>
    <w:security>
      <w:authEncryption>
        <w:authentication>WPA2</w:authentication>
        <w:encryption>AES</w:encryption>
        <w:useOneX>true</w:useOneX>
      </w:authEncryption>
      <w:preAuthMode>disabled</w:preAuthMode>
      <o:OneX xmlns:o="http://www.microsoft.com/networking/OneX/v1">
        <o:cacheUserData>true</o:cacheUserData>
        <o:authMode>machineOrUser</o:authMode>
        <o:EAPConfig>
          <hc:EapHostConfig xmlns:hc="http://www.microsoft.com/provisioning/EapHostConfig">
            <hc:EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </hc:EapMethod>
            <hc:Config>
              <be:Eap xmlns:be="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <be:Type>13</be:Type>
                <etls:EapType xmlns:etls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <etls:CredentialsSource>
                    <etls:CertificateStore>
                      <etls:SimpleCertSelection>true</etls:SimpleCertSelection>
                    </etls:CertificateStore>
                  </etls:CredentialsSource>
                  <etls:ServerValidation>
                    <etls:DisableUserPromptForServerValidation>true</etls:DisableUserPromptForServerValidation>
                    <etls:ServerNames>radius.meraki.com;www.radius.meraki.com</etls:ServerNames>
                    <etls:TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </etls:TrustedRootCA>
                  </etls:ServerValidation>
                  <etls:DifferentUsername>false</etls:DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <etls2:TLSExtensions xmlns:etls2="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <etls3:FilteringInfo xmlns:etls3="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <etls3:CAHashList Enabled="true">
                        <etls3:IssuerHash>6c c8 ed 07 72 4b 4d 05 8c 88 58 9b be 94 e2 1f 43 be 56 58 </etls3:IssuerHash>
                      </etls3:CAHashList>
                    </etls3:FilteringInfo>
                  </etls2:TLSExtensions>
                </etls:EapType>
              </be:Eap>
            </hc:Config>
          </hc:EapHostConfig>
        </o:EAPConfig>
      </o:OneX>
    </w:security>
  </w:MSM>
</w:WLANProfile>
2 answers
Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor
2021-08-31T02:58:27.073+00:00
Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor
2021-09-22T08:52:41.9+00:00

After researching, we found that WlanSetProfileEapXmlUserData() takes the parameter strEapXmlUserData as XML data based on the EAPHost User Credentials schema. However, it doesn't accept the EAP-TLS connection properties like the CertificateStore and TrustedRootCA elements, which are described in the eaptlsconnectionpropertiesv1 schema. In order to set the Wlan profile with all of these elements, it is necessary to call the WlanSetProfile API, which takes the parameter strProfileXml with a whole XML representation of the profile.
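A small pre-flight validator for the credentials document, added here as an example and not part of the question or the answers above: it checks the shape of an EAPHostUserCredentials XML like the one in the question (EAP type 13, a 20-byte thumbprint in UserCert) and flags connection-property elements such as CertificateStore or TrustedRootCA that, as the answer explains, belong in the WLAN profile passed to WlanSetProfile rather than in the user data. The sample XML and thumbprint are constructed, and no Windows API is called, so it runs anywhere.

```python
"""Offline sanity checks for EAP-TLS user-credentials XML before it is handed to
WlanSetProfileEapXmlUserData. Pure XML inspection, no Windows API calls."""
import re
import xml.etree.ElementTree as ET

NS_CRED = "http://www.microsoft.com/provisioning/EapHostUserCredentials"
NS_COMMON = "http://www.microsoft.com/provisioning/EapCommon"
NS_TLS_USER = "http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1"
NS_TLS_CONN = "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
# Windows writes a certificate thumbprint as 20 SHA-1 bytes in spaced hex.
THUMBPRINT_RE = re.compile(r"^(?:[0-9a-fA-F]{2} ){19}[0-9a-fA-F]{2}$")
CONNECTION_ONLY = ("CertificateStore", "ServerValidation", "TrustedRootCA")


def check_user_credentials(xml_text):
    """Return a list of findings; an empty list means the document looks usable."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != f"{{{NS_CRED}}}EapHostUserCredentials":
        findings.append("root element is not EapHostUserCredentials")
    eap_type = root.findtext(f"{{{NS_CRED}}}EapMethod/{{{NS_COMMON}}}Type")
    if eap_type != "13":
        findings.append(f"EapMethod/Type is {eap_type!r}, expected 13 (EAP-TLS)")
    cert = root.findtext(f".//{{{NS_TLS_USER}}}UserCert")
    if cert is None:
        findings.append("no UserCert element in the EapTlsUserPropertiesV1 namespace")
    elif not THUMBPRINT_RE.match(cert.strip()):
        findings.append("UserCert is not a 20-byte hex thumbprint")
    # Connection properties are not accepted in user data; they belong in the
    # WLAN profile XML passed to WlanSetProfile.
    for tag in CONNECTION_ONLY:
        if root.find(f".//{{{NS_TLS_CONN}}}{tag}") is not None:
            findings.append(f"{tag} is a connection property; move it to the profile XML")
    return findings


# Constructed sample shaped like the question's document (thumbprint is made up).
GOOD_XML = f"""<EapHostUserCredentials xmlns="{NS_CRED}">
 <EapMethod><Type xmlns="{NS_COMMON}">13</Type><AuthorId xmlns="{NS_COMMON}">0</AuthorId></EapMethod>
 <Credentials><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
  <Type>13</Type>
  <EapType xmlns="{NS_TLS_USER}"><UserCert>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 </UserCert></EapType>
 </Eap></Credentials>
</EapHostUserCredentials>"""
# Same document with a connection property wrongly placed in the user data.
BAD_XML = GOOD_XML.replace(
    "</EapType>", f'</EapType><TrustedRootCA xmlns="{NS_TLS_CONN}">aa bb</TrustedRootCA>')

if __name__ == "__main__":
    print(check_user_credentials(GOOD_XML), check_user_credentials(BAD_XML))
```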