WlanSetProfileEapXmlUserData for EAP-TTLS with inner method EAP-MSCHAPv2 (not MSCHAPv2)


  • I have been developing a CLI console app which will interface with the MS WLAN-API to perform the following connections:

    • TLS
    • MS-PEAP(with EAP-MSCHAPv2 and EAP-TLS)
    • EAP-TTLS(with PAP,CHAP,MSCHAP and MSCHAPv2)
    • EAP-TTLS(with EAP-MSCHAPv2 and EAP-TLS)

    I'm in the last stages and can perform most of the above, leaving a problem with the following method:

         EAP-TTLS with inner-method EAP-MSCHAPv2.

    When we search, the most useful links we come across are the following:

        Access violation in wlanapi WlanSetProfileEapXmlUserData for EAP-TTLS

        Configure EAP-TTLS-PAP user credentials using WlanSetProfileEapXmlUserData

    I have followed a similar approach.

    As cited there: "The lack of documentation in this area is a known issue that we will work on addressing as resources allow."

    I'm looking for a sample WLAN-EAP-User-Data schema for the method:

    EAP-TTLS with inner-method EAP-MSCHAPv2.

    It will be passed to WlanSetProfileEapXmlUserData().

    I have used the following connection-property XML, obtained via a working EAP-TTLS with EAP-MSCHAPv2 connection configured through the UI.

    (e.g: netsh wlan export profile name=****).

    This XML will be passed to WlanSetProfile().

    <?xml version="1.0"?>
    <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
            <name>eap_ttls_eap_mschapv2</name>
            <SSIDConfig>
                    <SSID>
                            <name>eap_ttls_eap_mschapv2</name>
                    </SSID>
                    <nonBroadcast>true</nonBroadcast>
            </SSIDConfig>
            <connectionType>ESS</connectionType>
            <connectionMode>manual</connectionMode>
            <autoSwitch>false</autoSwitch>
            <MSM>
                    <security>
                            <authEncryption>
                                    <authentication>WPA2</authentication>
                                    <encryption>AES</encryption>
                                    <useOneX>true</useOneX>
                            </authEncryption>
                            <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                                    <cacheUserData>true</cacheUserData>
                                    <authMode>user</authMode>
                                    <EAPConfig>
                                        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                            <EapMethod>
                                                <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
                                                <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                                                <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                                                <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
                                            </EapMethod>
                                            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
                                                    <ServerValidation>
                                                        <ServerNames>
                                                        </ServerNames>
                                                        <TrustedRootCAHash>44 b 23 98 8a 57 86 12 59 6c b ad fd d9 95 e7 42 b c9 8d</TrustedRootCAHash>
                                                        <DisablePrompt>true</DisablePrompt>
                                                    </ServerValidation>
                                                    <Phase2Authentication>
                                                        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                            <EapMethod>
                                                                <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
                                                                <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                                                                <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                                                                <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                                                            </EapMethod>
                                                            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                                                                    <Type>26</Type>
                                                                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                                                                        <UseWinLogonCredentials>false</UseWinLogonCredentials>
                                                                    </EapType>
                                                                </Eap>
                                                            </Config>
                                                        </EapHostConfig>
                                                    </Phase2Authentication>
                                                    <Phase1Identity>
                                                        <IdentityPrivacy>false</IdentityPrivacy>
                                                    </Phase1Identity>
                                                </EapTtls>
                                            </Config>
                                        </EapHostConfig>
                                    </EAPConfig>
                            </OneX>
                    </security>
            </MSM>
    </WLANProfile>
    I have tried the following versions of sample WLAN-EAP-User-Data schema:

    1)

    <?xml version="1.0" encoding="utf-8"?>
    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon">
        <EapMethod>
            <eapCommon:Type>21</eapCommon:Type>
            <eapCommon:AuthorId>311</eapCommon:AuthorId>
        </EapMethod>
        <Credentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
            <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
                <eapTtls>
                    <Username>myfreeradiusdomain/myusername</Username>
                    <Password>mypassword</Password>
                </eapTtls>
            </EapTtls>
        </Credentials>
    </EapHostUserCredentials>


    The above schema is supposed to work for non-EAP inner methods and does its job there, but it doesn't work for EAP-MSCHAPv2.

    There's a statement in one of the referenced posts: "The baseEap:Eap type is referenced when EAP is used as the inner authentication type, such as EAP-TLS or EAP-MSCHAPv2 (note that MSCHAPv2 is distinct from EAP-MSCHAPv2)." --
    jovergar, Microsoft.

    2)

    <?xml version="1.0"?>
    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
        <EapMethod>
            <eapCommon:Type>21</eapCommon:Type>
            <eapCommon:AuthorId>311</eapCommon:AuthorId>
        </EapMethod>
        <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:EapTtls="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
            <baseEap:Eap>
                <baseEap:Type>21</baseEap:Type>
                <baseEap:EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
                    <EapTtls:TtlsCred>
                        <Username>test@abc.com</Username>
                        <Password>testABC</Password>
                        <baseEap:Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
                            <Type>21</Type>
                        </baseEap:Eap>
                    </EapTtls:TtlsCred>
                </baseEap:EapTtls>
            </baseEap:Eap>
        </Credentials>
    </EapHostUserCredentials>


    3) Based on MS-PEAP with EAP-MSCHAPv2

    <?xml version="1.0" ?>
    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
        <EapMethod>
            <eapCommon:Type>21</eapCommon:Type>
            <eapCommon:AuthorId>0</eapCommon:AuthorId>
        </EapMethod>
        <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:EapTtls="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
            <baseEap:Eap>
                <baseEap:Type>21</baseEap:Type>
                <EapTtls:EapType>
                    <baseEap:Eap>
                        <baseEap:Type>26</baseEap:Type>
                        <MsChapV2:EapType>
                            <MsChapV2:Username>{0}</MsChapV2:Username>
                            <MsChapV2:Password>{1}</MsChapV2:Password>
                        </MsChapV2:EapType>
                    </baseEap:Eap>
                </EapTtls:EapType>
            </baseEap:Eap>
        </Credentials>
    </EapHostUserCredentials>
    

    PS: The Windows UI uses the WlanSetProfileEapUserData() function, and it could be manipulated to make the connection via CLI. However, the BLOB format for that API is not documented either.

    Thursday, September 17, 2020 5:45 AM

All replies

  • Here is a sample credential file that uses EAP-MSCHAPv2 as the inner method for EAP-TTLS.

    <?xml version="1.0"?>
    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" 
        xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" 
        xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
        <EapMethod>
            <eapCommon:Type>21</eapCommon:Type>
            <eapCommon:AuthorId>311</eapCommon:AuthorId>
        </EapMethod>
        <Credentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
            <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
                <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" 
                    xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" 
                    xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
                    <EapMethod>
                        <eapCommon:Type>26</eapCommon:Type>
                        <eapCommon:AuthorId>0</eapCommon:AuthorId>
                    </EapMethod>
                    <Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" 
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                        xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" 
                        xmlns:MsPeap="http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1" 
                        xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
                        <baseEap:Eap>
                            <baseEap:Type>26</baseEap:Type>
                            <MsChapV2:EapType>
                                <MsChapV2:Username>username</MsChapV2:Username>
                                <MsChapV2:Password>password</MsChapV2:Password>                                
                                <MsChapV2:LogonDomain></MsChapV2:LogonDomain>
                            </MsChapV2:EapType>
                        </baseEap:Eap>
                    </Credentials>
                </EapHostUserCredentials>
            </EapTtls>
        </Credentials>
    </EapHostUserCredentials>


    Friday, September 18, 2020 9:06 PM
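As an added illustration (not code from the thread, from Jorge, or from Microsoft), the Python below builds the credential document in the shape of the working sample above, XML-escaping the username, password and domain instead of splicing them into a string, and cross-checks that the inner EAP type it declares (26) is the one the connection profile's Phase2Authentication names, which is the piece attempt 1 in the question lacks. It has not been run against WlanSetProfileEapXmlUserData, and the namespace declarations the sample does not use are omitted.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces taken from the profile and credential XML posted in this thread.
NS_HOST = "http://www.microsoft.com/provisioning/EapHostUserCredentials"
NS_COMMON = "http://www.microsoft.com/provisioning/EapCommon"
NS_TTLS_USER = "http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1"
NS_BASE_USER = "http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
NS_MSCHAP_USER = "http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1"
NS_TTLS_CONN = "http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1"
NS_HOSTCFG = "http://www.microsoft.com/provisioning/EapHostConfig"

def build_ttls_eap_mschapv2_credentials(username, password, domain=""):
    """Credential XML for EAP-TTLS (type 21) with inner EAP-MSCHAPv2 (type 26), nested as in
    the working sample; values are escaped so a password like p<ss&word cannot break the XML."""
    u, p, d = escape(username), escape(password), escape(domain)
    return (
        '<?xml version="1.0"?>'
        f'<EapHostUserCredentials xmlns="{NS_HOST}" xmlns:eapCommon="{NS_COMMON}">'
        '<EapMethod><eapCommon:Type>21</eapCommon:Type><eapCommon:AuthorId>311</eapCommon:AuthorId></EapMethod>'
        f'<Credentials><EapTtls xmlns="{NS_TTLS_USER}">'
        f'<EapHostUserCredentials xmlns="{NS_HOST}" xmlns:eapCommon="{NS_COMMON}">'
        '<EapMethod><eapCommon:Type>26</eapCommon:Type><eapCommon:AuthorId>0</eapCommon:AuthorId></EapMethod>'
        f'<Credentials xmlns:baseEap="{NS_BASE_USER}" xmlns:MsChapV2="{NS_MSCHAP_USER}">'
        '<baseEap:Eap><baseEap:Type>26</baseEap:Type><MsChapV2:EapType>'
        f'<MsChapV2:Username>{u}</MsChapV2:Username><MsChapV2:Password>{p}</MsChapV2:Password>'
        f'<MsChapV2:LogonDomain>{d}</MsChapV2:LogonDomain></MsChapV2:EapType></baseEap:Eap>'
        '</Credentials></EapHostUserCredentials></EapTtls></Credentials></EapHostUserCredentials>'
    )

def text_at(xml, path):
    """Stripped text of the first element matching a namespace-qualified ElementPath, or None."""
    node = ET.fromstring(xml).find(path)
    return None if node is None or node.text is None else node.text.strip()

def inner_eap_type_of_profile(profile_xml):
    """Phase 2 EAP type declared in the WLANProfile XML that goes to WlanSetProfile()."""
    return text_at(profile_xml, f".//{{{NS_TTLS_CONN}}}Phase2Authentication/"
                   f"{{{NS_HOSTCFG}}}EapHostConfig/{{{NS_HOSTCFG}}}EapMethod/{{{NS_COMMON}}}Type")

def inner_eap_type_of_credentials(cred_xml):
    """Inner EAP type of the nested EapHostUserCredentials; None for a non-EAP (attempt 1) layout."""
    return text_at(cred_xml, f"./{{{NS_HOST}}}Credentials/{{{NS_TTLS_USER}}}EapTtls/"
                   f"{{{NS_HOST}}}EapHostUserCredentials/{{{NS_HOST}}}EapMethod/{{{NS_COMMON}}}Type")

def credentials_match_profile(profile_xml, cred_xml):
    """True only when both documents name the same inner EAP method."""
    inner = inner_eap_type_of_profile(profile_xml)
    return inner is not None and inner == inner_eap_type_of_credentials(cred_xml)
```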
  • Thank you, Jorge, for the quick and prompt interest in answering the query.

    The sample worked well.


    PS: FYI, the WlanSetProfileEapXmlUserData() API in a 32-bit build of the application, when run on a 64-bit system, fails during WlanConnect() for EAP-TTLS (but not for EAP-PEAP) with an error similar to "Data is invalid".


    Similarly, if you could post a sample schema for an EAP-TLS based connection, it would be helpful. The sample on the MS website is throwing an error.

    EAP-TLS User Properties

    I believe this will be the closing bell for this topic as well as the forum.

    Monday, September 21, 2020 12:41 PM