EAP configuration

This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.

Create an EAP configuration XML for a VPN profile

To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:

  1. Run rasphone.exe.

  2. If you don't currently have a VPN connection and you see a message saying so, select OK.

  3. In the wizard, select Workplace network.

  4. Enter an Internet address and connection name. These can be fake values, since they do not affect the authentication parameters.

  5. Create the fake VPN connection. In the dialog that appears, select Properties.

  6. In the Test Properties dialog, select the Security tab.

  7. On the Security tab, select Use Extensible Authentication Protocol (EAP).

  8. From the drop-down menu, select the EAP method that you want to configure, and then select Properties to configure it as needed.

  9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.

    Get-VpnConnection -Name Test

    Here is an example output.

    Name                  : Test
    ServerAddress         : 1.1.1.1
    AllUserConnection     : False
    Guid                  : {EC87F6C9-8823-416C-B92B-517D592E250F}
    TunnelType            : Automatic
    AuthenticationMethod  : {Eap}
    EncryptionLevel       : Optional
    L2tpIPsecAuth         : Certificate
    UseWinlogonCredential : False
    EapConfigXmlStream    : #document
    ConnectionStatus      : Disconnected
    RememberCredential    : True
    SplitTunneling        : False
    DnsSuffix             :
    IdleDisconnectSeconds : 0
    
    $a = Get-VpnConnection -Name Test

    $a.EapConfigXmlStream.InnerXml

    Here is an example output.

    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod>
        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
        <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
        <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
        <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
      </EapMethod>
      <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <CredentialsSource>
              <CertificateStore>
                <SimpleCertSelection>true</SimpleCertSelection>
              </CertificateStore>
            </CredentialsSource>
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <DifferentUsername>false</DifferentUsername>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
            <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
            <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
              <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                <ClientAuthEKUList Enabled="true" />
                <AnyPurposeEKUList Enabled="true" />
              </FilteringInfo>
            </TLSExtensions>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig>

    Note

    Check with your mobile device management (MDM) vendor whether you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:

    • C:\Windows\schemas\EAPHost
    • C:\Windows\schemas\EAPMethods
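The following PowerShell script is an added example and is not code from the original article: it retrieves the EAP configuration that rasphone.exe stored for the connection, saves an indented copy, and reports the server-validation settings so you can see what the profile will do before you hand it to the MDM. It assumes a connection named Test created as in the steps above, writes to %TEMP%\eapconfig.xml (a location chosen here), and uses namespace prefixes (host, common, base, tls1, tls2) that are local names picked for the XPath queries; the namespace URIs are the ones in the output above.

```powershell
# Added example, not part of the original article: dump and inspect the EAP
# configuration that rasphone.exe stored for a VPN connection.
# Assumes a connection named "Test" exists for the current user.
$ConnectionName = 'Test'
$OutFile        = Join-Path $env:TEMP 'eapconfig.xml'

$conn = Get-VpnConnection -Name $ConnectionName
if ($conn.AuthenticationMethod -notcontains 'Eap') {
    throw "Connection '$ConnectionName' does not use EAP (AuthenticationMethod = $($conn.AuthenticationMethod))"
}

# EapConfigXmlStream is an XmlDocument; InnerXml is the single-line form shown above.
[xml]$eap = $conn.EapConfigXmlStream.InnerXml

# Save an indented copy for editing or for handing to the MDM.
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$writer = [System.Xml.XmlWriter]::Create($OutFile, $settings)
$eap.Save($writer)
$writer.Dispose()

# The profile mixes several namespaces; register the ones the queries below need.
$ns = New-Object System.Xml.XmlNamespaceManager($eap.NameTable)
$ns.AddNamespace('host',   'http://www.microsoft.com/provisioning/EapHostConfig')
$ns.AddNamespace('common', 'http://www.microsoft.com/provisioning/EapCommon')
$ns.AddNamespace('base',   'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1')
$ns.AddNamespace('tls1',   'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')
$ns.AddNamespace('tls2',   'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2')

# Text of a node, or $null when the element is absent (keeps the report readable for partial XML).
function Get-NodeText([System.Xml.XmlNode]$Context, [string]$XPath) {
    $node = $Context.SelectSingleNode($XPath, $ns)
    if ($null -ne $node) { $node.InnerText.Trim() } else { $null }
}

$methodType = Get-NodeText $eap '/host:EapHostConfig/host:EapMethod/common:Type'
$tls = $eap.SelectSingleNode('/host:EapHostConfig/host:Config/base:Eap/tls1:EapType', $ns)
if ($null -eq $tls) {
    Write-Warning "Method type $methodType is not a top-level EAP-TLS (13) configuration; the checks below apply to EAP-TLS only."
    return
}

$report = [pscustomobject]@{
    Connection                           = $ConnectionName
    EapMethodType                        = $methodType
    PerformServerValidation              = Get-NodeText $tls 'tls2:PerformServerValidation'
    AcceptServerName                     = Get-NodeText $tls 'tls2:AcceptServerName'
    DisableUserPromptForServerValidation = Get-NodeText $tls 'tls1:ServerValidation/tls1:DisableUserPromptForServerValidation'
    ServerNames                          = Get-NodeText $tls 'tls1:ServerValidation/tls1:ServerNames'
    SimpleCertSelection                  = Get-NodeText $tls 'tls1:CredentialsSource/tls1:CertificateStore/tls1:SimpleCertSelection'
    SavedTo                              = $OutFile
}
$report

# Two settings worth a second look before a profile goes to production.
if ($report.PerformServerValidation -ne 'true') {
    Write-Warning 'PerformServerValidation is not true: the client will not validate the server certificate.'
}
if ([string]::IsNullOrEmpty($report.ServerNames)) {
    Write-Warning 'ServerNames is empty: no expected server name is configured, so the server certificate is not checked against a name.'
}
```

Run it in the same PowerShell session you used for Get-VpnConnection. The rasphone output above has PerformServerValidation set to true; the annotated sample later in this article sets it to false, and the script flags that case with a warning.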

EAP certificate filtering

In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.

Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where multiple certificates meet the default criteria for authentication. This can lead to issues such as:

  • The user might be prompted to select the certificate.
  • The wrong certificate might be auto-selected and cause an authentication failure.

A production-ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.

The EAP XML must be updated with the relevant information for your environment. This can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:

  • For Wi-Fi, look for the <EAPConfig> section of your current WLAN profile XML. (This is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You can refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
  • For VPN, the EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.

For information about EAP settings, see https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct.

For information about generating an EAP XML, see the EAP configuration article.

For more information about extended key usage (EKU), see http://tools.ietf.org/html/rfc5280#section-4.2.1.12.

For information about adding an EKU to a certificate, see https://technet.microsoft.com/library/cc731792.aspx.

The following list describes the prerequisites for a certificate to be used with EAP:

  • The certificate must have at least one of the following EKU properties:

    • Client Authentication. As defined by RFC 5280, this is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
    • Any Purpose. This is an EKU defined and published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
    • All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs but does not want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
  • The user or the computer certificate on the client must chain to a trusted root CA.

  • The user or the computer certificate does not fail any of the checks that are performed by the CryptoAPI certificate store, and the certificate passes the requirements in the remote access policy.

  • The user or the computer certificate does not fail any of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/RADIUS server.

  • The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.

The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.

Note

For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <EapMethod>
  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
  <!-- The above property defines the method type for EAP; 13 means EAP TLS -->

  <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
  <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  <!-- The 3 properties above define the method publisher; this is seen primarily in 3rd-party vendor methods. -->
  <!-- For Microsoft EAP TLS the value of the above fields will always be 0 -->
 </EapMethod>
 <!-- Now that the EAP method is defined we will go into the configuration -->
 <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>13</Type>
   <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
    <CredentialsSource>
     <!-- Credential source can be either CertificateStore or SmartCard -->
     <CertificateStore>
      <SimpleCertSelection>true</SimpleCertSelection>
      <!-- SimpleCertSelection automatically selects a cert if there are multiple identical (same UPN, issuer, etc.) certs. -->
      <!-- It uses a combination of rules to select the right cert -->
     </CertificateStore>
    </CredentialsSource>
    <ServerValidation>
     <!-- ServerValidation fields allow for checks on whether the server being connected to and the server cert being used are trusted -->
     <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
     <ServerNames/>
    </ServerValidation>
    <DifferentUsername>false</DifferentUsername>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
    <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
     <!-- For filtering, the relevant information is below -->
     <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
      <CAHashList Enabled="true">
       <!-- Enabled="true" above means that you want to filter by issuer hash -->
       <!-- The issuing cert's thumbprint goes here. You can add multiple IssuerHash entries; a cert matches if at least one of these certs is in its chain -->
       <IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff</IssuerHash>
      </CAHashList>
      <EKUMapping>
       <!-- This section defines custom EKUs that you may be adding -->
       <!-- You do not need this section if you do not have custom EKUs -->
       <!-- You can have multiple EKUs defined here and then reference them below as shown -->
       <EKUMap>
        <!-- Add a friendly name for an EKU here, for example -->
        <EKUName>ContosoITEKU</EKUName>
        <!-- Add the OID value your CA adds to the certificate here, for example -->
        <EKUOID>1.3.6.1.4.1.311.42.1.15</EKUOID>
       </EKUMap>
       <!-- All the EKU names referenced below must first be defined here, for example:
       <EKUMap>
        <EKUName>Example1</EKUName>
        <EKUOID>2.23.133.8.3</EKUOID>
       </EKUMap>
       <EKUMap>
        <EKUName>Example2</EKUName>
        <EKUOID>1.3.6.1.4.1.311.20.2.1</EKUOID>
       </EKUMap>
       -->
      </EKUMapping>
      <ClientAuthEKUList Enabled="true">
       <!-- Enabled="true" above means that you want certs with the Client Authentication EKU to be used for authentication -->
       <EKUMapInList>
        <!-- This section means that the certificate must have the following custom EKUs in addition to the Client Authentication EKU -->
        <!-- Use the name from the EKUMap field above -->
        <EKUName>ContosoITEKU</EKUName>
       </EKUMapInList>
       <!-- You can have multiple custom EKUs mapped here; each additional EKU is combined with an AND operand -->
       <!-- For example, Client Auth EKU AND ContosoITEKU AND Example1, etc. (Example1 would have to be defined in EKUMapping first):
       <EKUMapInList>
        <EKUName>Example1</EKUName>
       </EKUMapInList>
       -->
      </ClientAuthEKUList>
      <AllPurposeEnabled>true</AllPurposeEnabled>
      <!-- Means that a certificate with the EKU field = 0 will be selected -->
      <AnyPurposeEKUList Enabled="true"/>
      <!-- Means that a certificate with the EKU OID value 1.3.6.1.4.1.311.10.12.1 will be selected -->
      <!-- As for Client Auth, you can also add custom EKU properties with AnyPurposeEKUList (but not with AllPurposeEnabled) -->
      <!-- So here is what the above policy means.
      The certificate selected will have
      Issuer Thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      AND
      ((Client Authentication EKU AND ContosoITEKU) OR (AnyPurposeEKU) OR AllPurpose certificate)

      Any certificate(s) that match these criteria will be used for authentication
      -->
     </FilteringInfo>
    </TLSExtensions>
   </EapType>
  </Eap>
 </Config>
</EapHostConfig>

Note

The EAP TLS XSD is located at %systemdrive%\Windows\schemas\EAPMethods\eaptlsconnectionpropertiesv3.xsd.
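To see how many certificates a given FilteringInfo block would select on a device before you deploy it (the multiple-match problem described above), the following PowerShell script is an added example and is not code from the original article. Windows performs the real selection inside the EAP-TLS method; this script only re-implements the rule the annotated sample spells out (issuer hash AND ((Client Authentication AND custom EKUs) OR Any Purpose OR All Purpose)) and runs it over the current user's personal store. The IssuerHash value is a placeholder, the ContosoITEKU OID is the one from the sample, and "All Purpose" is taken here to mean the anyExtendedKeyUsage OID 2.5.29.37.0 of RFC 5280 (the "EKU value of 0" the text mentions); the function names are chosen for this example.

```powershell
# Added example, not part of the original article: evaluate a FilteringInfo block
# against the current user's personal certificate store and count the matches.
# The <IssuerHash> value below is a constructed placeholder.

$FilteringXml = @'
<FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
  <CAHashList Enabled="true">
    <IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff</IssuerHash>
  </CAHashList>
  <EKUMapping>
    <EKUMap><EKUName>ContosoITEKU</EKUName><EKUOID>1.3.6.1.4.1.311.42.1.15</EKUOID></EKUMap>
  </EKUMapping>
  <ClientAuthEKUList Enabled="true">
    <EKUMapInList><EKUName>ContosoITEKU</EKUName></EKUMapInList>
  </ClientAuthEKUList>
  <AllPurposeEnabled>true</AllPurposeEnabled>
  <AnyPurposeEKUList Enabled="true"/>
</FilteringInfo>
'@

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth (RFC 5280)
$AnyPurposeOid = '1.3.6.1.4.1.311.10.12.1'  # Microsoft Any Purpose EKU
$AllPurposeOid = '2.5.29.37.0'              # anyExtendedKeyUsage, the "EKU value of 0" of RFC 5280 (assumption)

# Parse the filter into: issuer-hash list, and for each EKU list whether it is enabled and which custom OIDs it ANDs in.
function ConvertFrom-FilteringInfo([string]$Xml) {
    [xml]$doc = $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('f', 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3')
    $fi = $doc.SelectSingleNode('/f:FilteringInfo', $ns)

    $map = @{}   # friendly EKU name -> OID, as declared in <EKUMapping>
    foreach ($m in $fi.SelectNodes('f:EKUMapping/f:EKUMap', $ns)) {
        $map[$m.SelectSingleNode('f:EKUName', $ns).InnerText.Trim()] = $m.SelectSingleNode('f:EKUOID', $ns).InnerText.Trim()
    }
    function Get-EkuList([string]$Name) {
        $node = $fi.SelectSingleNode("f:$Name", $ns)
        $oids = @()
        if ($null -ne $node) {   # an undefined name maps to $null and can never match, which is the safe failure
            $oids = @(foreach ($e in $node.SelectNodes('f:EKUMapInList/f:EKUName', $ns)) { $map[$e.InnerText.Trim()] })
        }
        [pscustomobject]@{ Enabled = ($null -ne $node -and $node.GetAttribute('Enabled') -eq 'true'); Oids = $oids }
    }
    $caList     = $fi.SelectSingleNode('f:CAHashList', $ns)
    $allPurpose = $fi.SelectSingleNode('f:AllPurposeEnabled', $ns)
    [pscustomobject]@{
        IssuerHashEnabled = ($null -ne $caList -and $caList.GetAttribute('Enabled') -eq 'true')
        IssuerHashes      = @(foreach ($h in $fi.SelectNodes('f:CAHashList/f:IssuerHash', $ns)) { ($h.InnerText -replace '\s', '').ToUpperInvariant() })
        ClientAuth        = Get-EkuList 'ClientAuthEKUList'
        AnyPurpose        = Get-EkuList 'AnyPurposeEKUList'
        AllPurpose        = ($null -ne $allPurpose -and $allPurpose.InnerText.Trim() -eq 'true')
    }
}

# EKU OIDs of a certificate; a certificate without an EKU extension yields an empty list and is selected by none of the EKU lists.
function Get-CertificateEkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Thumbprints of the issuing chain (leaf excluded); revocation is skipped because only the chain members matter here.
function Get-IssuerChainThumbprints([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Thumbprint })
}

function Test-CertificateAgainstFilter($Cert, $Filter) {
    $ekus = Get-CertificateEkuOids $Cert
    function Test-HasOids([string[]]$Required) { @($Required | Where-Object { $ekus -notcontains $_ }).Count -eq 0 }

    $issuerOk     = (-not $Filter.IssuerHashEnabled) -or
                    (@(Get-IssuerChainThumbprints $Cert | Where-Object { $Filter.IssuerHashes -contains $_ }).Count -gt 0)
    $clientAuthOk = $Filter.ClientAuth.Enabled -and ($ekus -contains $ClientAuthOid) -and (Test-HasOids $Filter.ClientAuth.Oids)
    $anyPurposeOk = $Filter.AnyPurpose.Enabled -and ($ekus -contains $AnyPurposeOid) -and (Test-HasOids $Filter.AnyPurpose.Oids)
    $allPurposeOk = $Filter.AllPurpose -and ($ekus -contains $AllPurposeOid)
    $issuerOk -and ($clientAuthOk -or $anyPurposeOk -or $allPurposeOk)
}

$filter     = ConvertFrom-FilteringInfo $FilteringXml
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
$selected   = @($candidates | Where-Object { Test-CertificateAgainstFilter $_ $filter })

$selected | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
switch ($selected.Count) {
    0       { Write-Warning 'No certificate matches this filter; EAP-TLS would have nothing to authenticate with on this device.' }
    1       { Write-Host 'Exactly one certificate matches, which is what a production profile should aim for.' }
    default { Write-Warning "$($selected.Count) certificates match; tighten the filter (issuer hash or a custom EKU) until only one does." }
}
```

Replace the placeholder IssuerHash with the thumbprint of your issuing CA, and for a profile that uses a computer certificate point the script at Cert:\LocalMachine\My instead. More than one match is exactly the situation that leads to the certificate prompt or the wrong auto-selection described above.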

Alternatively, you can use the following procedure to create an EAP configuration XML:

  1. Follow steps 1 through 7 in the EAP configuration article.

  2. In the Microsoft VPN SelfHost Properties dialog box, select Microsoft: Smart Card or other Certificate from the drop-down menu (this selects EAP TLS).

    Note

    For PEAP or TTLS, select the appropriate method and continue following this procedure.

  3. Select the Properties button underneath the drop-down menu.

  4. On the Smart Card or other Certificate Properties menu, select the Advanced button.

  5. On the Configure Certificate Selection menu, adjust the filters as needed.

  6. Select OK to close the windows and get back to the main rasphone.exe dialog box.

  7. Close the rasphone dialog box.

  8. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.

Note

You can also set all the other applicable EAP properties through this UI. A guide to what these properties mean can be found in the Extensible Authentication Protocol (EAP) Settings for Network Access article.