AndrewSchmidt-2732 asked XiaopoYang-MSFT answered

How to properly use WlanSetProfileEapXmlUserData() with eaptlsuserpropertiesv1 to select a client certificate in Wifi EAP-TLS?

I am building an app to automatically configure Windows devices to use wireless networks that use EAP-TLS authentication. I am trying to use the Windows Native Wifi call WlanSetProfileEapXmlUserData with the eaptlsuserpropertiesv1 EAPHostUserCredentials schema to select specific certificates for each profile. When I call WlanSetProfileEapXmlUserData with the XML below, the return value indicates success. However, when I try to connect to the wireless network, it fails with the error message "Can't connect because you need a certificate to sign in. Contact your IT support person." But I know the wireless profile itself is correct (see the XML below the EAPHostUserCredentials XML) and the certificates are correct for EAP-TLS, because I can connect without calling WlanSetProfileEapXmlUserData ... I just have to manually select which certificate to use for the profile; it is not automatic.

How do I use WlanSetProfileEapXmlUserData with eaptlsuserpropertiesv1 schema to programmatically set which client certificate to use with a wireless network profile?

EAPHostUserCredentials XML:

<?xml version="1.0" encoding="UTF-16"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Credentials>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
        <UserCert>ec 2d f6 33 96 a7 f8 04 b8 e1 72 ea bd b5 10 4f 33 4f 0e eb </UserCert>
      </EapType>
    </Eap>
  </Credentials>
</EapHostUserCredentials>

Wireless profile XML:

<?xml version="1.0" encoding="UTF-16"?>
<w:WLANProfile xmlns:w="http://www.microsoft.com/networking/WLAN/profile/v1">
  <w:name>Primary</w:name>
  <w:SSIDConfig>
    <w:SSID>
      <w:name>Primary</w:name>
    </w:SSID>
  </w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType>
  <w:connectionMode>auto</w:connectionMode>
  <w:autoSwitch>false</w:autoSwitch>
  <w:MSM>
    <w:security>
      <w:authEncryption>
        <w:authentication>WPA2</w:authentication>
        <w:encryption>AES</w:encryption>
        <w:useOneX>true</w:useOneX>
      </w:authEncryption>
      <w:preAuthMode>disabled</w:preAuthMode>
      <o:OneX xmlns:o="http://www.microsoft.com/networking/OneX/v1">
        <o:cacheUserData>true</o:cacheUserData>
        <o:authMode>machineOrUser</o:authMode>
        <o:EAPConfig>
          <hc:EapHostConfig xmlns:hc="http://www.microsoft.com/provisioning/EapHostConfig">
            <hc:EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </hc:EapMethod>
            <hc:Config>
              <be:Eap xmlns:be="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <be:Type>13</be:Type>
                <etls:EapType xmlns:etls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <etls:CredentialsSource>
                    <etls:CertificateStore>
                      <etls:SimpleCertSelection>true</etls:SimpleCertSelection>
                    </etls:CertificateStore>
                  </etls:CredentialsSource>
                  <etls:ServerValidation>
                    <etls:DisableUserPromptForServerValidation>true</etls:DisableUserPromptForServerValidation>
                    <etls:ServerNames>radius.meraki.com;www.radius.meraki.com</etls:ServerNames>
                    <etls:TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </etls:TrustedRootCA>
                  </etls:ServerValidation>
                  <etls:DifferentUsername>false</etls:DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <etls2:TLSExtensions xmlns:etls2="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <etls3:FilteringInfo xmlns:etls3="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <etls3:CAHashList Enabled="true">
                        <etls3:IssuerHash>6c c8 ed 07 72 4b 4d 05 8c 88 58 9b be 94 e2 1f 43 be 56 58 </etls3:IssuerHash>
                      </etls3:CAHashList>
                    </etls3:FilteringInfo>
                  </etls2:TLSExtensions>
                </etls:EapType>
              </be:Eap>
            </hc:Config>
          </hc:EapHostConfig>
        </o:EAPConfig>
      </o:OneX>
    </w:security>
  </w:MSM>
</w:WLANProfile>

Tags: c++, windows-api

anonymous user, I am looking into this issue; any update will be posted here.

XiaopoYang-MSFT answered

Perhaps the EAPHostUserCredentials XML has some problem. There is an EAP-TLS User Properties sample, as the strEapXmlUserData documentation says.


But the EAPHostUserCredentials XML I provided was based on the sample in eap-tls-user-properties. The sample in that link does not even work. When I try using that sample directly, WlanSetProfileEapXmlUserData returns the value 0x80420019, corresponding to EAP_E_EAPHOST_XML_MALFORMED in EapHostError.h. So the sample you provided doesn't even work without modification. I had to revise the XML namespaces from that example to even get WlanSetProfileEapXmlUserData to accept the XML.

If you don't know how to properly use the eap-tls-user-properties schema with WlanSetProfileEapXmlUserData, is there someone else at Microsoft who does?

XiaopoYang-MSFT answered

After researching, we found that WlanSetProfileEapXmlUserData() takes the parameter strEapXmlUserData as XML data based on the EAPHost User Credentials schema. However, it doesn't accept the EAP-TLS connection properties, such as the CertificateStore and TrustedRootCA elements, which are described in the eaptlsconnectionpropertiesv1 schema. In order to set the WLAN profile with all of these elements, it is necessary to call the WlanSetProfile API, which takes the parameter strProfileXml with a whole XML representation of the profile.

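As an added example (not code from the thread, from the asker, or from Microsoft's samples), here is how the two calls the answer distinguishes fit together: the whole profile, including the EapTlsConnectionPropertiesV1 elements, goes through WlanSetProfile, and only the per-user EapHostUserCredentials document goes through WlanSetProfileEapXmlUserData. The EapHostUserCredentials builder copies the namespace layout of the XML in the question (the variant the asker reports the API accepts) and writes the hash in the same lowercase, space-separated form the thread's XML uses. It assumes the certificate is identified by its 20-byte SHA-1 thumbprint as certmgr or PowerShell shows it; the helper names (ParseThumbprint, FormatHash, BuildEapTlsUserCredentialsXml, ApplyEapTlsProfile) are my own, and the caller supplies the profile XML. The Windows-only part is guarded by _WIN32 so the portable helpers compile anywhere.

```cpp
// Added example for this thread, not the asker's or Microsoft's code.
#include <cctype>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Parse a thumbprint as certmgr/PowerShell prints it ("EC2DF633...", optionally with
// spaces, colons or dashes) into raw bytes. Only a 20-byte SHA-1 thumbprint is accepted,
// so a truncated or mistyped value fails here rather than at connect time.
std::vector<unsigned char> ParseThumbprint(const std::string& text) {
    std::string hex;
    for (char c : text) {
        if (std::isxdigit(static_cast<unsigned char>(c))) hex.push_back(c);
        else if (c != ' ' && c != ':' && c != '-')
            throw std::invalid_argument("thumbprint contains a non-hex character");
    }
    if (hex.size() != 40)
        throw std::invalid_argument("expected 40 hex digits (SHA-1 thumbprint)");
    std::vector<unsigned char> bytes;
    for (std::size_t i = 0; i < hex.size(); i += 2)
        bytes.push_back(static_cast<unsigned char>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    return bytes;
}

bool IsValidThumbprint(const std::string& text) {
    try { ParseThumbprint(text); return true; }
    catch (const std::invalid_argument&) { return false; }
}

// Hash formatting as the thread's XML writes it: lowercase bytes separated by spaces,
// with a trailing space (assumption: copied from the posted XML, not from a schema).
std::string FormatHash(const std::vector<unsigned char>& bytes) {
    static const char digits[] = "0123456789abcdef";
    std::string s;
    for (unsigned char b : bytes) {
        s.push_back(digits[b >> 4]);
        s.push_back(digits[b & 0x0F]);
        s.push_back(' ');
    }
    return s;
}

// EapHostUserCredentials document that selects one client certificate for EAP-TLS (type 13).
// Namespace layout copied from the question's XML. The prolog says UTF-16 because the
// string is converted to a wide string before it is handed to the WLAN API.
std::string BuildEapTlsUserCredentialsXml(const std::string& thumbprint) {
    const std::string hash = FormatHash(ParseThumbprint(thumbprint));
    return
        "<?xml version=\"1.0\" encoding=\"UTF-16\"?>"
        "<EapHostUserCredentials xmlns=\"http://www.microsoft.com/provisioning/EapHostUserCredentials\">"
        "<EapMethod>"
        "<Type xmlns=\"http://www.microsoft.com/provisioning/EapCommon\">13</Type>"
        "<AuthorId xmlns=\"http://www.microsoft.com/provisioning/EapCommon\">0</AuthorId>"
        "</EapMethod>"
        "<Credentials>"
        "<Eap xmlns=\"http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1\">"
        "<Type>13</Type>"
        "<EapType xmlns=\"http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1\">"
        "<UserCert>" + hash + "</UserCert>"
        "</EapType>"
        "</Eap>"
        "</Credentials>"
        "</EapHostUserCredentials>";
}

#ifdef _WIN32
#include <windows.h>
#include <wlanapi.h>
#pragma comment(lib, "wlanapi.lib")

// The XML built above is ASCII only, so a plain widening is a correct UTF-16 conversion.
std::wstring ToWide(const std::string& ascii) { return std::wstring(ascii.begin(), ascii.end()); }

// Apply to the first WLAN interface. The whole profile (CertificateStore, TrustedRootCA,
// ServerNames, ...) goes through WlanSetProfile; only the user-scoped EAP data goes
// through WlanSetProfileEapXmlUserData. dwFlags 0 on WlanSetProfile creates an all-user
// profile; dwFlags 0 on WlanSetProfileEapXmlUserData sets data for the current user.
DWORD ApplyEapTlsProfile(const std::wstring& profileName,
                         const std::wstring& profileXml,
                         const std::wstring& userDataXml) {
    HANDLE client = nullptr;
    DWORD negotiated = 0;
    DWORD rc = WlanOpenHandle(2, nullptr, &negotiated, &client);
    if (rc != ERROR_SUCCESS) return rc;

    PWLAN_INTERFACE_INFO_LIST ifaces = nullptr;
    rc = WlanEnumInterfaces(client, nullptr, &ifaces);
    if (rc == ERROR_SUCCESS) {
        if (ifaces->dwNumberOfItems == 0) {
            rc = ERROR_NOT_FOUND;
        } else {
            const GUID* guid = &ifaces->InterfaceInfo[0].InterfaceGuid;
            DWORD reason = 0;  // WLAN_REASON_CODE explaining a rejected profile
            rc = WlanSetProfile(client, guid, 0, profileXml.c_str(), nullptr, TRUE, nullptr, &reason);
            if (rc == ERROR_SUCCESS)
                rc = WlanSetProfileEapXmlUserData(client, guid, profileName.c_str(), 0,
                                                  userDataXml.c_str(), nullptr);
        }
        WlanFreeMemory(ifaces);
    }
    WlanCloseHandle(client, nullptr);
    return rc;
}
#endif
```

Usage on Windows: `ApplyEapTlsProfile(L"Primary", ToWide(profileXml), ToWide(BuildEapTlsUserCredentialsXml("EC2DF63396A7F804B8E172EABDB5104F334F0EEB")))`, where profileXml is the full WLANProfile document from the question. If WlanSetProfile fails, the reason code passed back in `reason` can be turned into text with WlanReasonCodeToString; a value such as 0x80420019 from WlanSetProfileEapXmlUserData is the EAPHost HRESULT the asker mentions, not a WLAN reason code.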