I have been developing a CLI console app which will interface to the MS WLAN-API to perform the following connections:
- TLS
- MS-PEAP(with EAP-MSCHAPv2 and EAP-TLS)
- EAP-TTLS(with PAP,CHAP,MSCHAP and MSCHAPv2)
- EAP-TTLS(with EAP-MSCHAPv2 and EAP-TLS)
I'm in the last stages and could perform most of the above leaving problem with the following method:
EAP-TTLS with inner-method EAP-MSCHAPv2.
When we search, the most useful links we come across are the following:
Access violation in wlanapi WlanSetProfileEapXmlUserData for EAP-TTLS
Configure EAP-TTLS-PAP
user credentials using WlanSetProfileEapXmlUserData
I have followed similar approach.
As cited "The lack of documentation in this area is a known issue that we will work on addressing as resources allow.".
I'm looking for a sample WLAN-EAP-User-Data schema for the method:
EAP-TTLS with inner-method EAP-MSCHAPv2.
It will be passed to WlanSetProfileEapXmlUserData().
I have used the following connection-property XML obtained via a working EAP-TTLS with EAP-MSCHAPv2 over UI.
(e.g: netsh wlan export profile name=****).
This XML will be passed to WlanSetProfile().
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>eap_ttls_eap_mschapv2</name>
<SSIDConfig>
<SSID>
<name>eap_ttls_eap_mschapv2</name>
</SSID>
<nonBroadcast>true</nonBroadcast>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>manual</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPA2</authentication>
<encryption>AES</encryption>
<useOneX>true</useOneX>
</authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<cacheUserData>true</cacheUserData>
<authMode>user</authMode>
<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
<ServerValidation>
<ServerNames>
</ServerNames>
<TrustedRootCAHash>44 b 23 98 8a 57 86 12 59 6c b ad fd d9 95 e7 42 b c9 8d</TrustedRootCAHash>
<DisablePrompt>true</DisablePrompt>
</ServerValidation>
<Phase2Authentication>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<EapMethod>
<Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
<VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
</EapMethod>
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>26</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
<UseWinLogonCredentials>false</UseWinLogonCredentials>
</EapType>
</Eap>
</Config>
</EapHostConfig>
</Phase2Authentication>
<Phase1Identity>
<IdentityPrivacy>false</IdentityPrivacy>
</Phase1Identity>
</EapTtls>
</Config>
</EapHostConfig>
</EAPConfig>
</OneX>
</security>
</MSM>
</WLANProfile>
I have tried the following versions of sample WLAN-EAP-User-Data schema:
1)
<?xml version="1.0" encoding="utf-8"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon">
<EapMethod>
<eapCommon:Type>21</eapCommon:Type>
<eapCommon:AuthorId>311</eapCommon:AuthorId>
</EapMethod>
<Credentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
<eapTtls>
<Username>myfreeradiusdomain/myusername</Username>
<Password>mypassword</Password>
</eapTtls>
</EapTtls>
</Credentials>
</EapHostUserCredentials>
The above schema is supposed to work for non-EAP and does it job for non-EAP. While it doesn't work for EAP-MSCHAPv2.
There's a reference on one of the referenced post as " The baseEap:Eap type is referenced when EAP is used as the inner authentication type, such as EAP-TLS or EAP-MSCHAPv2 (note that MSCHAPv2 is distinct from EAP-MSCHAPv2)." --
jovergar, Microsoft.
2)
<?xml version="1.0"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
<EapMethod>
<eapCommon:Type>21</eapCommon:Type>
<eapCommon:AuthorId>311</eapCommon:AuthorId>
</EapMethod>
<Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:EapTtls="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
<baseEap:Eap>
<baseEap:Type>21</baseEap:Type>
<baseEap:EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
<EapTtls:TtlsCred>
<Username>test@abc.com</Username>
<Password>testABC</Password>
<baseEap:Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
<Type>21</Type>
</baseEap:Eap>
</EapTtls:TtlsCred>
</baseEap:EapTtls>
</baseEap:Eap>
</Credentials>
</EapHostUserCredentials>
3) Based on MS-PEAP with EAP-MSCHAPv2
<?xml version="1.0" ?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
<EapMethod>
<eapCommon:Type>21</eapCommon:Type>
<eapCommon:AuthorId>0</eapCommon:AuthorId>
</EapMethod>
<Credentials xmlns:eapUser="http://www.microsoft.com/provisioning/EapUserPropertiesV1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:EapTtls="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
<baseEap:Eap>
<baseEap:Type>21</baseEap:Type>
<EapTtls:EapType>
<baseEap:Eap>
<baseEap:Type>26</baseEap:Type>
<MsChapV2:EapType>
<MsChapV2:Username>{0}</MsChapV2:Username>
<MsChapV2:Password>{1}</MsChapV2:Password>
</MsChapV2:EapType>
</baseEap:Eap>
</EapTtls:EapType>
</baseEap:Eap>
</Credentials>
</EapHostUserCredentials>
PS: Windows UI uses WlanSetProfileEapUserData() function and could be manipulated to make connection via CLI. However the BLOB formation for the API is not documented either.
