I am building an app to automatically configure Windows devices to use wireless networks that use EAP-TLS authentication. I am trying to use the Windows Native Wifi call WlanSetProfileEapXmlUserData with the eaptlsuserpropertiesv1 EAPHostUserCredentials schema to select specific certificates for each profile. When I call WlanSetProfileEapXmlUserData with the XML below, the call return indicates success. However, when I try to connect to the wireless network, it fails with the error message "Can't connect because you need a certificate to sign in. Contact your IT support person." But I know the wireless profile itself is correct (see the XML below the EAPHostUserCredentials XML) and the certificates are correct for EAP-TLS because I can connect without calling WlanSetProfileEapXmlUserData ... I just have to manually select which certificate to use for the profile; it is not automatic.
How do I use WlanSetProfileEapXmlUserData with eaptlsuserpropertiesv1 schema to programmatically set which client certificate to use with a wireless network profile?
EAPHostUserCredentials XML:

<?xml version="1.0" encoding="UTF-16"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Credentials>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
        <UserCert>ec 2d f6 33 96 a7 f8 04 b8 e1 72 ea bd b5 10 4f 33 4f 0e eb </UserCert>
      </EapType>
    </Eap>
  </Credentials>
</EapHostUserCredentials>
Wireless profile XML:

<?xml version="1.0" encoding="UTF-16"?>
<w:WLANProfile xmlns:w="http://www.microsoft.com/networking/WLAN/profile/v1">
  <w:name>Primary</w:name>
  <w:SSIDConfig>
    <w:SSID>
      <w:name>Primary</w:name>
    </w:SSID>
  </w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType>
  <w:connectionMode>auto</w:connectionMode>
  <w:autoSwitch>false</w:autoSwitch>
  <w:MSM>
    <w:security>
      <w:authEncryption>
        <w:authentication>WPA2</w:authentication>
        <w:encryption>AES</w:encryption>
        <w:useOneX>true</w:useOneX>
      </w:authEncryption>
      <w:preAuthMode>disabled</w:preAuthMode>
      <o:OneX xmlns:o="http://www.microsoft.com/networking/OneX/v1">
        <o:cacheUserData>true</o:cacheUserData>
        <o:authMode>machineOrUser</o:authMode>
        <o:EAPConfig>
          <hc:EapHostConfig xmlns:hc="http://www.microsoft.com/provisioning/EapHostConfig">
            <hc:EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </hc:EapMethod>
            <hc:Config>
              <be:Eap xmlns:be="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <be:Type>13</be:Type>
                <etls:EapType xmlns:etls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <etls:CredentialsSource>
                    <etls:CertificateStore>
                      <etls:SimpleCertSelection>true</etls:SimpleCertSelection>
                    </etls:CertificateStore>
                  </etls:CredentialsSource>
                  <etls:ServerValidation>
                    <etls:DisableUserPromptForServerValidation>true</etls:DisableUserPromptForServerValidation>
                    <etls:ServerNames>radius.meraki.com;www.radius.meraki.com</etls:ServerNames>
                    <etls:TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </etls:TrustedRootCA>
                  </etls:ServerValidation>
                  <etls:DifferentUsername>false</etls:DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <etls2:TLSExtensions xmlns:etls2="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <etls3:FilteringInfo xmlns:etls3="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <etls3:CAHashList Enabled="true">
                        <etls3:IssuerHash>6c c8 ed 07 72 4b 4d 05 8c 88 58 9b be 94 e2 1f 43 be 56 58 </etls3:IssuerHash>
                      </etls3:CAHashList>
                    </etls3:FilteringInfo>
                  </etls2:TLSExtensions>
                </etls:EapType>
              </be:Eap>
            </hc:Config>
          </hc:EapHostConfig>
        </o:EAPConfig>
      </o:OneX>
    </w:security>
  </w:MSM>
</w:WLANProfile>