<nav type="pills" justified="false">
  * [[:user_manuals|Back to Documentation]]
  * [[:technical:pp-android|Windows and Hotspot 2.0/Passpoint]]
</nav>

-----

====== Windows and Hotspot 2.0/Passpoint ======

===== Introduction =====

  * This page discusses the provisioning of Passpoint credentials to Windows devices.
  * Windows is a bit more involved than Android and Apple when it comes to connecting to a Hotspot 2.0/Passpoint network.
  * The basics stay the same, though. We have:
    * An XML file that contains items like the RCOI and the credentials used to connect.
    * An optional embedded CA certificate.
  * Installing the Passpoint profile, however, requires the command line interface (this is the slightly more involved part).
  * Let's look at an example XML file and discuss the important items in it.

-------

===== Windows Example =====

<file xml wenley-peap.xml>
<?xml version="1.0"?>
<CarrierProvisioning xmlns="http://www.microsoft.com/networking/CarrierControl/v1">
  <WLANProfiles>
    <WLANProfile xmlns="http://www.microsoft.com/networking/CarrierControl/WLAN/v1">
      <name>Wenley-HiFi-1.0.1</name>
      <SSIDConfig>
        <SSID>
          <name>_Passpoint</name>
        </SSID>
      </SSIDConfig>
      <Hotspot2>
        <DomainName>radiusdesk.com</DomainName>
        <RoamingConsortium>
          <OUI>ABCD1234</OUI>
        </RoamingConsortium>
      </Hotspot2>
      <MSM>
        <security>
          <authEncryption>
            <authentication>WPA2</authentication>
            <encryption>AES</encryption>
            <useOneX>true</useOneX>
          </authEncryption>
          <PMKCacheMode>enabled</PMKCacheMode>
          <PMKCacheTTL>720</PMKCacheTTL>
          <PMKCacheSize>128</PMKCacheSize>
          <preAuthMode>disabled</preAuthMode>
          <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
            <authMode>user</authMode>
            <EAPConfig>
              <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                <EapMethod>
                  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
                  <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                  <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
                </EapMethod>
                <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                  <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
                    <ServerValidation>
                      <ServerNames>uam.mesh-manager.com;radiusdesk.com</ServerNames>
                      <TrustedRootCAHash>D1EB23A46D17D68FD92564C2F1F1601764D8E349</TrustedRootCAHash>
                      <DisablePrompt>false</DisablePrompt>
                    </ServerValidation>
                    <Phase2Authentication>
                      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                        <EapMethod>
                          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
                          <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
                          <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
                          <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
                        </EapMethod>
                        <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
                          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                            <Type>26</Type>
                            <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                              <UseWinLogonCredentials>false</UseWinLogonCredentials>
                            </EapType>
                          </Eap>
                        </Config>
                      </EapHostConfig>
                    </Phase2Authentication>
                    <Phase1Identity>
                      <IdentityPrivacy>true</IdentityPrivacy>
                      <AnonymousIdentity>anonymous@hotspottwo</AnonymousIdentity>
                    </Phase1Identity>
                  </EapTtls>
                </Config>
              </EapHostConfig>
            </EAPConfig>
          </OneX>
          <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
            <EapMethod>
              <eapCommon:Type>21</eapCommon:Type>
              <eapCommon:AuthorId>311</eapCommon:AuthorId>
            </EapMethod>
            <Credentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
              <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsUserPropertiesV1">
                <EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials" xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon" xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapMethodUserCredentials">
                  <EapMethod>
                    <eapCommon:Type>26</eapCommon:Type>
                    <eapCommon:AuthorId>0</eapCommon:AuthorId>
                  </EapMethod>
                  <Credentials xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1" xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
                    <baseEap:Eap>
                      <baseEap:Type>26</baseEap:Type>
                      <MsChapV2:EapType>
                        <MsChapV2:Username>koos@hotspottwo</MsChapV2:Username>
                        <MsChapV2:Password>testing123</MsChapV2:Password>
                        <MsChapV2:LogonDomain/>
                      </MsChapV2:EapType>
                    </baseEap:Eap>
                  </Credentials>
                </EapHostUserCredentials>
              </EapTtls>
            </Credentials>
          </EapHostUserCredentials>
        </security>
      </MSM>
    </WLANProfile>
  </WLANProfiles>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</CarrierProvisioning>
</file>

------

==== Certificate handling ====

  * Microsoft handles certificates in a more complicated way.
  * You have to install the CA and then reference the **SHA-1 thumbprint** of the CA inside the XML file.
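The pinning above only protects the client if the thumbprint written into ''TrustedRootCAHash'' really is the thumbprint of the CA that gets installed; a stale value after a CA rotation fails quietly at connect time. The following lint script is an added example, not code from this documentation or from RADIUSdesk: it derives the thumbprint from a PEM CA the way Windows does (SHA-1 over the DER bytes), compares it with the profile, and lists the settings worth reviewing before the profile is imported. The embedded profile is a trimmed copy of the example above, the CA is a constructed stand-in, and the function names are this example's own.

```python
"""Pre-deployment lint for a Windows Passpoint provisioning XML (added example).

Derives the SHA-1 thumbprint from a PEM CA, checks it against TrustedRootCAHash
and reports review findings. Profile trimmed from the page; CA is constructed.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "common": "http://www.microsoft.com/provisioning/EapCommon",
    "ttls": "http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1",
    "mschap": "http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1",
}

# Trimmed copy of the page's wenley-peap.xml, keeping only the checked elements.
PROFILE_XML = """<?xml version="1.0"?>
<CarrierProvisioning xmlns="http://www.microsoft.com/networking/CarrierControl/v1">
 <WLANProfiles><WLANProfile xmlns="http://www.microsoft.com/networking/CarrierControl/WLAN/v1">
  <MSM><security>
   <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
     <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type></EapMethod>
     <Config><EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
      <ServerValidation>
       <ServerNames>uam.mesh-manager.com;radiusdesk.com</ServerNames>
       <TrustedRootCAHash>D1EB23A46D17D68FD92564C2F1F1601764D8E349</TrustedRootCAHash>
       <DisablePrompt>false</DisablePrompt>
      </ServerValidation>
     </EapTtls></Config>
    </EapHostConfig>
   </EAPConfig></OneX>
   <MsChapV2:EapType xmlns:MsChapV2="http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1">
    <MsChapV2:Username>koos@hotspottwo</MsChapV2:Username>
    <MsChapV2:Password>testing123</MsChapV2:Password>
   </MsChapV2:EapType>
  </security></MSM>
 </WLANProfile></WLANProfiles>
</CarrierProvisioning>
"""

# Constructed stand-in for ca.pem: the thumbprint is computed over the base64
# body exactly as for a real certificate, so any bytes exercise the check.
FAKE_DER = b"constructed stand-in for a DER-encoded CA certificate"
CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
          + base64.encodebytes(FAKE_DER).decode()
          + "-----END CERTIFICATE-----\n")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def normalize_thumbprint(fp: str) -> str:
    """Accept openssl's 'SHA1 Fingerprint=D1:EB:...' or a bare hash; return 40 upper-case hex chars."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp.split("=", 1)[-1]).upper()


def pem_thumbprint(pem: str) -> str:
    """Windows' certificate thumbprint: SHA-1 over the DER bytes inside the PEM armour."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return sha1_hex(base64.b64decode(body))


def _text(parent, path: str) -> str:
    el = parent.find(path, NS) if parent is not None else None
    return (el.text or "").strip() if el is not None else ""


def lint_profile(xml_text: str, ca_pem: str) -> dict:
    """Compare the profile's pinned CA hash with the CA to be installed and collect findings."""
    root = ET.fromstring(xml_text)
    sv = root.find(".//ttls:ServerValidation", NS)
    server_names = [n for n in _text(sv, "ttls:ServerNames").split(";") if n]
    profile_hash = normalize_thumbprint(_text(sv, "ttls:TrustedRootCAHash"))
    ca_thumbprint = pem_thumbprint(ca_pem)
    findings = []
    if sv is None:
        findings.append("no ServerValidation block: the RADIUS server certificate is not pinned")
    if not server_names:
        findings.append("ServerNames is empty: any certificate chaining to the CA is accepted")
    if profile_hash != ca_thumbprint:
        findings.append(f"TrustedRootCAHash {profile_hash or '(missing)'} != CA thumbprint {ca_thumbprint}")
    if _text(sv, "ttls:DisablePrompt").lower() != "true":
        findings.append("DisablePrompt is not true: users can be prompted on server-validation failure")
    if _text(root, ".//mschap:Password"):
        findings.append("MsChapV2:Password is stored in clear text: handle the XML as a secret")
    return {
        "eap_type": int(_text(root, ".//common:Type") or 0),
        "server_names": server_names,
        "profile_hash": profile_hash,
        "ca_thumbprint": ca_thumbprint,
        "hash_matches": profile_hash == ca_thumbprint,
        "findings": findings,
    }


def profile_with_hash(xml_text: str, thumbprint: str) -> str:
    """Copy of the profile with TrustedRootCAHash replaced, e.g. after rotating the CA."""
    return re.sub(r"<TrustedRootCAHash>[^<]*</TrustedRootCAHash>",
                  f"<TrustedRootCAHash>{thumbprint}</TrustedRootCAHash>", xml_text)


if __name__ == "__main__":
    for label, xml in (("as published", PROFILE_XML),
                       ("re-pinned", profile_with_hash(PROFILE_XML, pem_thumbprint(CA_PEM)))):
        report = lint_profile(xml, CA_PEM)
        print(f"[{label}] EAP type {report['eap_type']}, hash matches: {report['hash_matches']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as-is it reports the mismatch between the page's hash and the constructed CA, then shows the same profile passing once ''TrustedRootCAHash'' is re-pinned; with a real ''ca.pem'' read from disk, ''pem_thumbprint'' returns the same 40 characters that the openssl command in the next section prints with the colons removed. The clear-text ''MsChapV2:Password'' finding is the reason to delete the XML from the device after ''netsh'' has imported it.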
------

==== Obtaining the SHA-1 Thumbprint ====

  * To obtain the SHA-1 thumbprint of the CA you can use the following command (assuming the CA file is called ca.pem):

<code bash>
openssl x509 -in ca.pem -noout -fingerprint -sha1
# Outputs the following:
SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
# Then remove the colons and use it in uppercase (40 characters):
D1EB23A46D17D68FD92564C2F1F1601764D8E349
</code>

----------

==== PEAP vs EAP/TTLS ====

  * You will notice that we use PEAP instead of EAP/TTLS for authentication.
  * It is recommended that you use PEAP on Windows since support for EAP/TTLS/<whatever> might not be complete.

-------

==== Installing the certificate and profile ====

  * Install the CA on Windows using **certutil** from the command line:

<code bash>
certutil -addstore root ca.pem
</code>

  * Install the profile, also from the command line:

<code bash>
netsh wlan add profile filename="wenley-peap.xml" user=all
</code>

  * Check the available networks with:

<code bash>
netsh wlan show networks
</code>

technical/pp-windows.txt · Last modified: 2025/07/23 09:31 by system