Windows and Hotspot 2.0/Passpoint

  • This page discusses the provisioning of Passpoint credentials to Windows devices.
  • Windows is a bit more involved than Android and Apple when it comes to connecting to a Hotspot 2.0/Passpoint network.
  • The basics stay the same, though.
  • We have:
    • An XML file that contains items like the RCOI and the credentials used to connect.
    • An optional embedded CA certificate.
  • Installing the Passpoint profile, however, requires you to use the command line interface (this is the slightly more involved part).
  • Let's look at an example XML file and discuss the important items in it.

wenley-peap.xml
<?xml version="1.0"?>
<CarrierProvisioning
        xmlns="http://www.microsoft.com/networking/CarrierControl/v1">
    <WLANProfiles>
        <WLANProfile xmlns="http://www.microsoft.com/networking/CarrierControl/WLAN/v1">
            <name>Wenley-HiFi-1.0.1</name>
            <SSIDConfig>
                <SSID>
                    <name>_Passpoint</name>
                </SSID>
            </SSIDConfig>
            <Hotspot2>
                <DomainName>radiusdesk.com</DomainName>
                <RoamingConsortium>
                    <OUI>ABCD1234</OUI>
                </RoamingConsortium>
            </Hotspot2>
            <MSM>
                <security>
                    <authEncryption>
                        <authentication>WPA2</authentication>
                        <encryption>AES</encryption>
                        <useOneX>true</useOneX>
                    </authEncryption>
                    <PMKCacheMode>enabled</PMKCacheMode>
                    <PMKCacheTTL>720</PMKCacheTTL>
                    <PMKCacheSize>128</PMKCacheSize>
                    <preAuthMode>disabled</preAuthMode>
                    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
                        <authMode>user</authMode>
                        <EAPConfig>
                            <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                <EapMethod>
                                    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
                                    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                                    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                                    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
                                </EapMethod>
                                <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                    <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
                                        <ServerValidation>
                                            <ServerNames>uam.mesh-manager.com;radiusdesk.com</ServerNames>
                                            <TrustedRootCAHash>D1EB23A46D17D68FD92564C2F1F1601764D8E349</TrustedRootCAHash>
                                            <DisablePrompt>false</DisablePrompt>
                                        </ServerValidation>
                                        <Phase2Authentication>
                                            <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                <EapMethod>
                                                    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
                                                    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                                                    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                                                    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                                                </EapMethod>
                                                <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                                                    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                                                        <Type>26</Type>
                                                        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                                                            <UseWinLogonCredentials>false</UseWinLogonCredentials>
                                                        </EapType>
                                                    </Eap>
                                                </Config>
                                            </EapHostConfig>
                                        </Phase2Authentication>
                                        <Phase1Identity>
                                            <IdentityPrivacy>true</IdentityPrivacy>
                                            <AnonymousIdentity>anonymous@hotspottwo</AnonymousIdentity>
                                        </Phase1Identity>
                                    </EapTtls>
                                </Config>
                            </EapHostConfig>
                        </EAPConfig>
                    </OneX>
                    <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
                        <EapMethod>
                            <eapCommon:Type>21</eapCommon:Type>
                            <eapCommon:AuthorId>311</eapCommon:AuthorId>
                        </EapMethod>
                        <Credentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
                            <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
                                <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
                                    <EapMethod>
                                        <eapCommon:Type>26</eapCommon:Type>
                                        <eapCommon:AuthorId>0</eapCommon:AuthorId>
                                    </EapMethod>
                                    <Credentials
                                            xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1"
                                            xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
                                        <baseEap:Eap>
                                            <baseEap:Type>26</baseEap:Type>
                                            <MsChapV2:EapType>
                                                <MsChapV2:Username>koos@hotspottwo</MsChapV2:Username>
                                                <MsChapV2:Password>testing123</MsChapV2:Password>
                                                <MsChapV2:LogonDomain/>
                                            </MsChapV2:EapType>
                                        </baseEap:Eap>
                                    </Credentials>
                                </EapHostUserCredentials>
                            </EapTtls>
                        </Credentials>
                    </EapHostUserCredentials>
                </security>
            </MSM>
        </WLANProfile>
    </WLANProfiles>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue></DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue></SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate></X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
</CarrierProvisioning>

  • Microsoft handles certificates in a more complicated way.
  • You have to install the CA and then reference the SHA-1 thumbprint of the CA inside the XML file (the TrustedRootCAHash element under ServerValidation).

  • To obtain the SHA-1 thumbprint of the CA, use the following command (assuming the CA file is called ca.pem):
openssl x509 -in ca.pem -noout -fingerprint -sha1
#Outputs the following:
SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
#Then remove the colons and use it uppercase (40 Characters):
D1EB23A46D17D68FD92564C2F1F1601764D8E349

  • You will notice that we use PEAP instead of EAP/TTLS for authentication.
  • It is recommended that you use PEAP on Windows, since support for EAP/TTLS/<whatever> might not be complete.

  • Install the CA on Windows using certutil from the command line:
certutil -addstore root ca.pem
  • Then install the profile, also from the command line:
netsh wlan add profile filename="wenley-peap.xml" user=all
  • Check the available networks with:
netsh wlan show networks
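A pre-flight check for the procedure above, added here as an example and not part of the RADIUSdesk documentation: it converts the openssl fingerprint line into the 40-character form the TrustedRootCAHash element expects, computes the same SHA-1 directly from a PEM file, and confirms the profile XML actually pins that CA before you run certutil and netsh. The PEM used is a constructed stand-in (its body decodes to the bytes "abc", not a real certificate), and the profile is a trimmed copy of the one above.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

TTLS_NS = "http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1"
# Fingerprint line exactly as printed on this page by: openssl x509 -in ca.pem -noout -fingerprint -sha1
PAGE_FINGERPRINT = "SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49"
# Constructed stand-in for ca.pem: the base64 body decodes to b"abc", not a real certificate,
# so its expected thumbprint is just SHA-1("abc"). pem_thumbprint() never parses DER; like
# openssl -fingerprint it hashes the decoded bytes of the certificate block.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# Trimmed copy of the profile above, keeping only the ServerValidation part that matters here.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<CarrierProvisioning xmlns="http://www.microsoft.com/networking/CarrierControl/v1"><WLANProfiles>
<WLANProfile xmlns="http://www.microsoft.com/networking/CarrierControl/WLAN/v1"><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1"><ServerValidation>
<ServerNames>uam.mesh-manager.com;radiusdesk.com</ServerNames>
<TrustedRootCAHash>D1EB23A46D17D68FD92564C2F1F1601764D8E349</TrustedRootCAHash>
</ServerValidation></EapTtls></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile></WLANProfiles></CarrierProvisioning>"""


def openssl_to_hash(fingerprint_line: str) -> str:
    """Strip the colons and uppercase: the 40-character form <TrustedRootCAHash> expects."""
    hex40 = fingerprint_line.split("=", 1)[1].replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hex40):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint_line)
    return hex40


def pem_thumbprint(pem_text: str) -> str:
    """SHA-1 over the DER bytes of the first CERTIFICATE block, in the same 40-character form."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest().upper()


def profile_trusted_hashes(xml_text: str) -> list:
    """Every <TrustedRootCAHash> in the profile, normalised to uppercase."""
    root = ET.fromstring(xml_text)
    return [e.text.strip().upper() for e in root.iter("{%s}TrustedRootCAHash" % TTLS_NS)]


def profile_trusts_ca(xml_text: str, pem_text: str) -> bool:
    """True only if the profile pins the CA in pem_text; check this before netsh wlan add profile."""
    return pem_thumbprint(pem_text) in profile_trusted_hashes(xml_text)
```

A mismatch here means the client will reject the RADIUS server's certificate chain (or prompt, if DisablePrompt is false), so fix the hash in the XML rather than the trust store.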
  • technical/pp-windows.txt
  • Last modified: 2025/07/23 09:31
  • by system