deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 17:57:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update EAP and WiFi CSP documentation

Browse Source
This commit is contained in:
Sam Yun 2025-05-13 23:36:04 -07:00
parent 6f40d5aada
commit ada61ec6eb
2 changed files with 59 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
windows/client-management/mdm/eap-configuration.md
View File

@ -1,12 +1,12 @@
--- ---
title: EAP configuration title: EAP configuration
description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10. description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows.
ms.date: 06/26/2017 ms.date: 06/26/2017
--- ---
# EAP configuration # EAP configuration
This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10. This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows. While the screenshots are specifically for VPN, the EAP portions are applicable to Wi-Fi and Wired EAP profiles as well. For more information, see [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles).
## Create an EAP configuration XML for a VPN profile ## Create an EAP configuration XML for a VPN profile
@ -292,6 +292,8 @@ Alternatively, you can use the following procedure to create an EAP configuratio
> [!NOTE] > [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) article. > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access) article.
## Related topics ## Related articles
[Configuration service provider reference](index.yml) * [Configuration service provider reference](index.yml)
* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles)

82
windows/client-management/mdm/wifi-csp.md
View File

@ -138,7 +138,7 @@ Specifies the Profile Name of the Wi-Fi network (32 bytes maximum) to create, co
<!-- Device-Profile-{SSID}-ProfileSource-Applicability-Begin --> <!-- Device-Profile-{SSID}-ProfileSource-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- Device-Profile-{SSID}-ProfileSource-Applicability-End --> <!-- Device-Profile-{SSID}-ProfileSource-Applicability-End -->
<!-- Device-Profile-{SSID}-ProfileSource-OmaUri-Begin --> <!-- Device-Profile-{SSID}-ProfileSource-OmaUri-Begin -->
@ -390,7 +390,7 @@ The profile XML must be escaped, as shown in the examples below.
If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample).
> [!NOTE] > [!NOTE]
> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). > If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the [EapHostConfig](/windows/win32/eaphost/eaphostconfigschema-eaphostconfig-element) portion of the WlanXml ([WLANProfile](/windows/win32/nativewifi/wlan-profileschema-elements) > [MSM](/windows/win32/nativewifi/wlan-profileschema-msm-wlanprofile-element) > [security](/windows/win32/nativewifi/wlan-profileschema-security-msm-element) > [OneX](/windows/win32/nativewifi/onexschema-onex-element) > EAPConfig). For more information, see [EAP configuration](./eap-configuration.md) and [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access). For an example, see [WPA2-Enterprise with TLS profile sample](/windows/win32/nativewifi/wpa2-enterprise-with-tls-profile-sample).
<!-- Device-Profile-{SSID}-WlanXml-Editable-End --> <!-- Device-Profile-{SSID}-WlanXml-Editable-End -->
<!-- Device-Profile-{SSID}-WlanXml-DFProperties-Begin --> <!-- Device-Profile-{SSID}-WlanXml-DFProperties-Begin -->
@ -404,6 +404,7 @@ If it exists in the blob, the **keyType** and **protected** elements must come b
<!-- Device-Profile-{SSID}-WlanXml-Examples-Begin --> <!-- Device-Profile-{SSID}-WlanXml-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
See [Add a network](#add-a-network) for examples.
<!-- Device-Profile-{SSID}-WlanXml-Examples-End --> <!-- Device-Profile-{SSID}-WlanXml-Examples-End -->
<!-- Device-Profile-{SSID}-WlanXml-End --> <!-- Device-Profile-{SSID}-WlanXml-End -->
@ -494,7 +495,7 @@ See [Device/Profile/{SSID}](#deviceprofilessid) for more information.
<!-- User-Profile-{SSID}-ProfileSource-Applicability-Begin --> <!-- User-Profile-{SSID}-ProfileSource-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later | | ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
<!-- User-Profile-{SSID}-ProfileSource-Applicability-End --> <!-- User-Profile-{SSID}-ProfileSource-Applicability-End -->
<!-- User-Profile-{SSID}-ProfileSource-OmaUri-Begin --> <!-- User-Profile-{SSID}-ProfileSource-OmaUri-Begin -->
@ -768,7 +769,7 @@ These XML examples show how to perform various tasks using OMA DM.
### Add a network ### Add a network
The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork'. The following example shows how to add a WPA2-Enterprise network with SSID and profile name `MyNetwork` that authenticates with PEAP-MSCHAPv2.
```xml ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
@ -784,7 +785,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data><?xml version="1.0"?><WLANProfile xmlns="http://microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data> <Data><![CDATA[<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>4d794e6574776f726b</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>]]></Data>
</Item> </Item>
</Add> </Add>
</Atomic> </Atomic>
@ -793,6 +794,49 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
</SyncML> </SyncML>
``` ```
The following example shows how to add a WPA3-Enterprise network with profile name `My Network` and SSID `MySSID` that authenticates with EAP-TLS.
> [!IMPORTANT]
> Notice how the space is %-escaped in the `LocURI` and unescaped in the `WLANProfile` > `name`.
```xml
<Atomic>
<CmdID>300</CmdID>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile/My%20Network/WlanXml</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><![CDATA[<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>My Network</name><SSIDConfig><SSID><name>MySSID</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><MSM><security><authEncryption><authentication>WPA3ENT</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><PMKCacheMode>enabled</PMKCacheMode><PMKCacheTTL>720</PMKCacheTTL><PMKCacheSize>128</PMKCacheSize><preAuthMode>disabled</preAuthMode><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type><EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"><CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA></ServerValidation><DifferentUsername>false</DifferentUsername><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName><TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"><FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"><AllPurposeEnabled>false</AllPurposeEnabled><CAHashList Enabled="true"><IssuerHash>00112233445566778899aabbccddeeff00112233</IssuerHash></CAHashList><EKUMapping><EKUMap><EKUName>Client Authentication</EKUName><EKUOID>1.3.6.1.5.5.7.3.2</EKUOID></EKUMap></EKUMapping><ClientAuthEKUList Enabled="true"><EKUMapInList><EKUName>Client Authentication</EKUName></EKUMapInList></ClientAuthEKUList></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>]]></Data>
</Item>
</Add>
</Atomic>
```
The following example shows how to add a WPA3-Personal (transition mode) network with profile name and SSID `MyNetwork` that includes the passphrase `TestPassword1!`.
```xml
<Atomic>
<CmdID>300</CmdID>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><![CDATA[<?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><MSM><security><authEncryption><authentication>WPA3SAE</authentication><encryption>AES</encryption><useOneX>false</useOneX><transitionMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v4">true</transitionMode></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>TestPassword1!</keyMaterial></sharedKey></security></MSM></WLANProfile>]]></Data>
</Item>
</Add>
</Atomic>
```
### Query network profiles ### Query network profiles
The following example shows how to query Wi-Fi profiles installed on an MDM server. The following example shows how to query Wi-Fi profiles installed on an MDM server.
@ -825,7 +869,7 @@ The following example shows the response.
### Remove a network ### Remove a network
The following example shows how to remove a network with SSID 'MyNetwork' and no proxy. Removing all network authentication types is done in this same manner. The following example shows how to remove a network with SSID `MyNetwork` and no proxy. Removing all network authentication types is done in this same manner.
```xml ```xml
<Atomic> <Atomic>
@ -840,32 +884,12 @@ The following example shows how to remove a network with SSID 'MyNetwork' and no
</Delete> </Delete>
</Atomic> </Atomic>
``` ```
### Add a network and certification authority for a server certificate
The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork' and root CA validation for server certificate.
```xml
<Atomic>
<CmdID>300</CmdID>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
</Item>
</Add>
</Atomic>
```
<!-- WiFi-CspMoreInfo-End --> <!-- WiFi-CspMoreInfo-End -->
<!-- WiFi-End --> <!-- WiFi-End -->
## Related articles ## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md) * [Configuration service provider reference](configuration-service-provider-reference.md)
* [Extensible Authentication Protocol (EAP) for network access](/windows-server/networking/technologies/extensible-authentication-protocol/network-access)
* [Configure EAP profiles and settings in Windows](/windows-server/networking/technologies/extensible-authentication-protocol/configure-eap-profiles)