Bewerken

Delen via


Configure EAP profiles and settings in Windows

This article presents information about commonly used different ways to configure Extensible Authentication Protocol (EAP) settings. Specifically, it describes configuring EAP profiles using XML and command line tools. It also shows how to configure EAP settings and profiles using various UI in Windows.

XML Profiles

As outlined in XML profiles for EAP, connection profiles for Wi-Fi, Ethernet, and VPN are XML files that contain the configuration options for that connection. These profiles can be imported/exported and manually edited. When profiles are created or edited in UI (as detailed in the following sections), Windows internally sets the corresponding XML configuration options. As a result, you can use the UI to create a profile, and then export it to see the XML configuration options that were set.

Note

Not every configuration option is exposed in the UI. It may be required, depending on your scenario, to manually edit the XML profile to set the desired configuration options, then import the updated profile for deployment.

For example, when using Mobile Device Management (MDM) policies (such as Wi-Fi CSP), you need to provision the full XML profile.

An example of a Wi-Fi profile can be found in this sample.

Import and export profiles with command line tools

Importing and exporting profiles using a command line tool can be helpful in many scenarios. For example, when configuring MDM or Group Policy isn't possible, manually or scripting these commands can be the quickest option. It can also be used to export profiles after configuring them through other UI.

netsh

netsh is a command line tool that can be used to view and configure various network related settings. For more information, see Network shell (netsh). netsh can be called from both cmd and powershell. The following table lists some common netsh commands and examples for importing and exporting profiles. /? can be used with any netsh command to get more information about the command, including syntax.

Command Description
netsh wlan show profiles Shows all Wi-Fi profiles, including the profile name.
netsh wlan show profiles name="ProfileName" Shows detailed information about a specific Wi-Fi profile
netsh wlan export profile name="ProfileName" folder="C:\Profiles" Exports a Wi-Fi profile to the specified folder. The folder must exist.
netsh wlan add profile filename="C:\Profiles\ProfileName.xml" Adds a Wi-Fi profile from the specified file.
netsh wlan delete profile name="ProfileName" Deletes a Wi-Fi profile.

PowerShell

PowerShell is a command line shell and scripting language that can be used to view and configure various settings. It includes various commands (cmdlets) that can be used to import and export connection profiles. The Get-Help cmdlet can be used with any cmdlet to get more information about that cmdlet, including syntax.

For detailed information about these cmdlets, see Get-VpnConnection, Set-VpnConnection, and Add-VpnConnection.

Command Description
Get-VpnConnection Shows all VPN profiles, including the profile name and other details.
Get-VpnConnection -Name "ProfileName" Shows summary information about a specific VPN profile.
(Get-VpnConnection -Name "ProfileName").EapConfigXmlStream.InnerXml \| Out-File -FilePath "C:\Profiles\vpn_eap.xml" Exports the EAP configuration for a specific VPN profile to a file.
Set-VpnConnection -Name "ProfileName" -EapConfigXmlStream (Get-Content -Path "C:\Profiles\vpn_eap.xml") Imports the EAP configuration from a file and updates the specified VPN profile with it.

Settings app (Desktop Windows)

On the Windows desktop client, many common Wi-Fi, Ethernet, and VPN settings can be configured through the Settings app. The following screenshots show the Windows 11 Settings app, but the UI is similar in Windows 10. However, certain features and options may only be available in Windows 11.

Windows 10 and 11 have support for adding Wi-Fi profiles with a specific configuration (including 802.1X) in the Settings app. This setting can be found in the Settings app under Network & internet > Wi-Fi > Manage known networks > Add network: Screenshot of Network & internet page on Windows 11 settings app. Screenshot of Wi-Fi page on Windows 11 settings app. Screenshot of Manage known networks page on Windows 11 settings app. Screenshot of Add a new network dialog in Windows 11 settings app.

This dialog allows you to configure the SSID, security type, and other settings for the Wi-Fi profile. When a security type supporting EAP is selected, such as WPA3-Enterprise AES, the dialog shows an option to configure the EAP settings: Screenshot of Add a new network dialog, showing WPA3-Enterprise and EAP-TLS, on Windows 11 settings app.

Tip

Once the network is added, it is not possible to edit the EAP settings through the Settings app. To edit the EAP settings, either:

  • delete the profile and re-add it with the correct settings, or
  • use the netsh commands described in netsh to manually edit the profile.

Group Policy Editor (Desktop and Server)

Group Policy is an infrastructure that lets you manage configurations for users and computers. Using Group Policy, you can configure Wi-Fi, Ethernet, and VPN settings based on rules you define. The following screenshots show the Windows Server 2022 Group Policy Management Editor, but the UI is similar for Desktop Windows' Control Panel and Local Group Policy Editor. For more information on the options shown in the following screenshots, see Extensible Authentication Protocol (EAP) for network access.

Group Policy options for Wi-Fi are located under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies: Screenshot showing Wireless Network (IEEE 802.11) Policies option in Group Policy Management Editor.

Right-clicking on Wireless Network (IEEE 802.11) Policies and selecting Create A New Wireless Network Policy for Windows Vista and Later Releases opens the New Wireless Network Policy Properties dialog: Screenshot showing Create A New Wireless Network Policy for Windows Vista and Later Releases option in Group Policy Management Editor. Screenshot showing the New Wireless Network Policy Properties dialog.

This dialog allows you to set the policy name, a description, and Add/Edit/Remove profiles, as well as Import and Export XML Profiles.

Clicking Add and selecting Infrastructure opens the New Profile properties dialog: Screenshot showing the New Profile properties dialog.

This dialog allows you to set the Profile Name and add the SSIDs this profile applies to.

Selecting Security allows you to configure the EAP settings for the profile: Screenshot showing the Security tab of the New Profile properties dialog.

This dialog allows you to configure the security type and other settings for the Wi-Fi profile. When an Authentication type supporting 802.1X authentication is selected (such as WPA2-Enterprise), the 802.1X security options are visible. See EAP methods for details on each network authentication method.

When the Advanced... button is selected, the Advanced Security Settings dialog is shown: Screenshot showing the Advanced security settings dialog for Wi-Fi.

This dialog allows you to set some advanced 802.1X settings and Single Sign On options.

Tip

Not every setting is available for configuration in the Group Policy Editor. However, this can be worked around by importing an XML profile with the desired settings. For more information, see XML Profiles.

EAP methods

For an overview on the different EAP methods, see Authentication methods.

Microsoft: Smart Card or other certificate

For more information on this dialog, see EAP-TLS. Screenshot showing the Smart Card or other certificate Properties dialog.

Selecting Advanced opens the Configure Certificate Selection dialog: Screenshot showing the Configure Certificate Selection dialog.

Microsoft: Protected EAP (PEAP)

For more information on this dialog, see PEAP. Screenshot showing the Protected EAP Properties dialog.

Selecting Configure... when Secured password (EAP-MSCHAP v2) is selected opens the EAP MSCHAPv2 dialog: Screenshot showing the EAP MSCHAPv2 Properties dialog.

Microsoft: EAP-SIM

For more information on this dialog, see EAP-SIM. Screenshot showing the EAP-SIM Properties dialog.

Microsoft: EAP-TTLS

For more information on this dialog, see EAP-TTLS. Screenshot showing the TTLS Properties dialog.

Microsoft: EAP-AKA

For more information on this dialog, see EAP-AKA. Screenshot showing the EAP-AKA Properties dialog.

Microsoft: EAP-AKA'

For more information on this dialog, see EAP-AKA'. Screenshot showing the EAP-AKA' Properties dialog.

Microsoft: EAP-TEAP

For more information on this dialog, see TEAP. Screenshot showing the TEAP Properties dialog.

Additional resources