Create Wi-Fi network profiles for every scenario: enterprise, guests, IoT, MLO, VLAN, and centralized management

  • Wi-Fi profiles managed with Configuration Manager and Intune (PSK/EAP) for zero-touch, compliant connectivity.
  • Scenario segmentation: SDN with VLAN, SSID by department/use and MLO automation in Wi-Fi 7.
  • Advanced operation: QoS, schedule-based firewall, specific routes, and AutoSwitch at the user's workstation.
  • Step-by-step guides and compatibility/firmware notes for a robust and scalable deployment.

Create Wi-Fi network profiles

Planning WiFi network profiles by scenario is not just a good practice, it's the safest and most convenient way to connect employees, guests, IoT devices, or remote locations without headaches. When you define well-separated profiles, you automate the connection, reduce errors, and control access depending on who connects, when, and from where.

Beyond the typical SSIDs, today's deployments also involve management tools (Configuration Manager, Intune), advanced Wi-Fi 7 features such as MLO, VLAN segmentation with CAP/AC, SDN networks in ExpertWiFi routers, and automations at the user's workstation. The goal is for the user to see the correct network in their list and connect seamlessly, while IT manages security, bandwidth, and compliance.

This applies to Configuration Manager in its current branch. It can also be applied to local MDM administration on mobile devices, combining it with certificate profiles for server validation and client authentication.

What are WiFi scenario profiles and why are you interested in them?

A Wi-Fi profile encapsulates SSID, security, encryption, connection options, and, if applicable, certificates or proxy. By deploying a profile for each use case (employees, guests, IoT, temporary project Wi-Fi, etc.), you simplify the user's life and secure the network.

In Windows or managed mobility environments, you can push these profiles from Configuration Manager or Intune. The practical result is that the device recognizes the network and connects automatically when it is within range, without manual steps or calls to support.

Create and distribute profiles with Configuration Manager

From the console, go to Assets and compliance > Compliance settings > Enterprise resource access > WiFi profiles. Start the Create Wi-Fi Profile wizard and define a unique name and a clear description. If you already have a file with an existing profile, you can import it to speed things up.

In the General phase, in addition to the name, you can reuse another profile and choose the severity of non-compliance for reports if the application fails. The usual levels include None, Information, Warning, Critical, or Critical with event (the last one also records an event in the Windows application log).

On the Wi-Fi Profile page, set the network's display name, the exact SSID, and behaviors such as automatically connecting, simultaneously searching for other networks, or allowing connection if the SSID is not broadcast. Controlling these boxes impacts the user experience when multiple access points are around.

In Security Settings, choose the security type (or Open if applicable), the encryption, and the EAP type where applicable. You can click Configure to adjust EAP properties and decide whether the device remembers credentials at each login, preventing the user from typing the password each time.

The advanced options page adapts to what you chose in security, for example, authentication, single sign-on, or specific modes. If your network uses a proxy, add the proxy settings in its dedicated section so that navigation works without user intervention.

Finally, select the compatible platforms and complete the wizard. Configuration Manager can apply the profile to different operating system versions and even to mobile devices using local MDM, reinforcing mixed PC and smartphone scenarios.

WiFi profiles by PSK and EAP with Intune (XML and OMA-URI)

With Microsoft Intune you can create a Wi-Fi profile using a Custom policy and XML, for both Android (including work profile) and Windows, with EAP support when needed. The workflow consists of preparing the XML, inserting it into an OMA-URI configuration, and assigning it to the appropriate groups.

Before starting

  • It is easier to export the XML syntax from a computer that is already connected to that network (the netsh steps are given further down).
  • You can include multiple networks by adding more OMA-URI configurations. If you need it on iOS/iPadOS, create the profile using Apple Configurator on your Mac.
  • In PSK, use 64 hex digits or an 8-63 printable ASCII passphrase; certain characters such as the asterisk (*) are not supported.

Creating the policy in Intune

Enter the Intune Admin Center, go to Devices > Manage devices > Settings > Create > New policy. Choose the platform, select Profile Type = Custom, enter name and description, and proceed.

In Configuration Options, add an OMA-URI entry with the fields: name, description (optional), and OMA-URI according to platform. For Android use ./Vendor/MSFT/WiFi/Profile/{SSID}/Settings and for Windows ./Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml. If the SSID contains spaces, replace them with %20.

Define Data Type = String and paste the XML. Then you can add scope tags, assign to users or devices, review, and create. During the next synchronization, the profile will appear on the device and it will be able to connect automatically.

Example of a Wi-Fi profile (PSK)

Note that the <protected> element must be false so that the device does not expect an encrypted password, and that in Windows the hexadecimal value of the SSID in <hex> must correspond to the plain name; in certain cases Windows might report a false remediation error even though the profile is applied.

Example XML template for PSK

<!--
  <hex>53534944</hex> is the hexadecimal value of <name>SSID</name>.
  <name>PerfilVisible</name> is the name that users see.
  <nonBroadcast>true/false</nonBroadcast> indicates whether the SSID is broadcast.
  <authentication>WPA2PSK (example)</authentication> and <encryption>AES (example)</encryption>.
  <protected>false</protected> do not change it.
  <keyMaterial>password</keyMaterial> is the key in clear text.
  NombrePerfil, NombreSSID and password are placeholders: replace them and update <hex> to match the SSID.
-->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>NombrePerfil</name>
  <SSIDConfig>
    <SSID>
      <hex>53534944</hex>
      <name>NombreSSID</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>password</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>

Example of a profile based on EAP

This format shows OneX with EAP-TLS authentication and configurable validation. Adjust the certificate, server validation, and EKU parameters to your CA and policy.

XML template for EAP-TLS

<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>testcert</name>
  <SSIDConfig>
    <SSID>
      <hex>7465737463657274</hex>
      <name>testcert</name>
    </SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
        <FIPSMode xmlns="http://www.microsoft.com/networking/WLAN/profile/v2">false</FIPSMode>
      </authEncryption>
      <PMKCacheMode>disabled</PMKCacheMode>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>false</cacheUserData>
        <authMode>user</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>13</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <CredentialsSource>
                    <CertificateStore>
                      <SimpleCertSelection>true</SimpleCertSelection>
                    </CertificateStore>
                  </CredentialsSource>
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <DifferentUsername>false</DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                  <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <AllPurposeEnabled>true</AllPurposeEnabled>
                      <CAHashList Enabled="true">
                        <IssuerHash>75 f5 06 9c a4 12 0e 9b db bc a1 d9 9d d0 f0 75 fa 3b b8 78</IssuerHash>
                      </CAHashList>
                      <EKUMapping>
                        <EKUMap>
                          <EKUName>Client Authentication</EKUName>
                          <EKUOID>1.3.6.1.5.5.7.3.2</EKUOID>
                        </EKUMap>
                      </EKUMapping>
                      <ClientAuthEKUList Enabled="true"/>
                      <AnyPurposeEKUList Enabled="false">
                        <EKUMapInList>
                          <EKUName>Client Authentication</EKUName>
                        </EKUMapInList>
                      </AnyPurposeEKUList>
                    </FilteringInfo>
                  </TLSExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>

Export the XML from an existing connection

Create a folder like c:\WiFi, open CMD as administrator and run netsh wlan show profiles to list profiles. Export with netsh wlan export profile name="TuPerfil" folder=c:\WiFi. If the profile includes PSK, add key=clear to get the clear key.

If the profile name in <name> has spaces, you might see the error 0x87d101f4 Syncml(500) when assigning it. The profile is created, but it doesn't appear as a managed policy; remove the spaces from the name to avoid this.
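A pre-flight check for an exported profile before it is pasted into the OMA-URI setting, added here as an example; it is not part of the original article or of any Microsoft tooling. It applies the rules stated above (matching <hex> and <name>, <protected> false, PSK length and the asterisk restriction, spaces in the profile name, %20 in the OMA-URI) and also flags an EAP profile whose server validation is switched off, as in the EAP-TLS template; the function names, finding codes and sample values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

def local_name(tag):
    # Drop the "{namespace}" prefix so elements match by local name.
    return tag.rsplit("}", 1)[-1]

def first_text(root, name, strip=True):
    # Text of the first element called `name` under root, or None if absent.
    for el in root.iter():
        if local_name(el.tag) == name:
            return (el.text or "").strip() if strip else (el.text or "")
    return None

def oma_uri(ssid, platform="windows"):
    # OMA-URI paths as given in the article; spaces in the SSID become %20.
    leaf = "WlanXml" if platform == "windows" else "Settings"
    return "./Vendor/MSFT/WiFi/Profile/" + ssid.replace(" ", "%20") + "/" + leaf

def lint_profile(xml_text):
    """Return finding codes (constructed names) for one WLANProfile document."""
    root = ET.fromstring(xml_text)
    findings = []
    profile_name = next((c.text or "" for c in root if local_name(c.tag) == "name"), "")
    if " " in profile_name:
        findings.append("profile-name-has-space")  # leads to 0x87d101f4 on assignment
    ssid_el = next((e for e in root.iter() if local_name(e.tag) == "SSID"), None)
    if ssid_el is not None and first_text(ssid_el, "hex") is not None:
        try:
            decoded = bytes.fromhex(first_text(ssid_el, "hex")).decode("utf-8")
        except ValueError:  # bad hex digits or bytes that are not UTF-8
            decoded = None
        if decoded != first_text(ssid_el, "name", strip=False):
            findings.append("ssid-hex-mismatch")
    key = first_text(root, "keyMaterial", strip=False)
    if key is not None:  # PSK profile
        if first_text(root, "protected") != "false":
            findings.append("protected-not-false")
        is_hex64 = re.fullmatch(r"[0-9A-Fa-f]{64}", key) is not None
        is_phrase = 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)
        if not (is_hex64 or is_phrase):
            findings.append("psk-bad-length-or-charset")
        if "*" in key:
            findings.append("psk-unsupported-char")
    if first_text(root, "useOneX") == "true":  # 802.1X / EAP profile
        if first_text(root, "PerformServerValidation") == "false":
            findings.append("eap-server-validation-off")
        if first_text(root, "ServerNames") == "":
            findings.append("eap-server-names-empty")
    return findings

def build_psk(name, ssid, ssid_hex, protected, key):
    # Constructed sample input shaped like the article's PSK template.
    return (
        '<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">'
        f"<name>{name}</name><SSIDConfig><SSID><hex>{ssid_hex}</hex>"
        f"<name>{ssid}</name></SSID></SSIDConfig><MSM><security><authEncryption>"
        "<authentication>WPA2PSK</authentication><encryption>AES</encryption>"
        "<useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase"
        f"</keyType><protected>{protected}</protected><keyMaterial>{key}"
        "</keyMaterial></sharedKey></security></MSM></WLANProfile>"
    )

if __name__ == "__main__":
    ok = build_psk("CorpGuest", "Corp Guest", "Corp Guest".encode().hex(), "false", "correct horse battery")
    bad = build_psk("Corp Guest", "Corp Guest", "53534944", "true", "pass*")
    print(oma_uri("Corp Guest"), lint_profile(ok))
    print(lint_profile(bad))
```

An export made with key=clear stores the passphrase in plaintext, so remove the file from c:\WiFi once the policy has been created.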

Deployment recommendations

  • Confirm that the device connects to the target network manually before pushing the profile. This is how you detect coverage or credential problems in time.
  • When rotating keys, plan for an off-hours window. Ensure an alternative internet connection (guest or mobile data) so that devices can receive the new policy.
  • Notify users that there may be a brief outage and that they should reconnect if necessary. Communication reduces unnecessary tickets.

MLO in Wi-Fi 7: STR, EMLSR and MLO profiles on ASUS routers

Wi-Fi 7's Multi-Link Operation (MLO) allows multiple connections to be maintained simultaneously between client and AP. There are two key modes: STR (simultaneous transmit and receive) and EMLSR (enhanced multi-link on a single radio). ASUS supports both; in practice, many mobile phones still combine 2.4 GHz + 5 GHz.

Activate MLO from the web interface

Connect to the router and enter the web GUI (LAN IP or asusrouter dot com). Only one set of MLO networks can be active at a time. If you activate MLO on the main network, you will not be able to use a separate MLO SSID at the same time.

  • Option A: Enable MLO on the main network. Go to Network > Primary Network Profile > Advanced Settings and enable Multi-Link Operation (MLO). Alternatively, under General, enable MLO Fronthaul for Clients. Apply changes.
  • Option B: Create a dedicated MLO profile. In Network > Guest Network (or Guest Pro or Smart home Master) tap Add network > Multi-Link Operation (MLO), complete the settings and Apply. It synchronizes with the Wireless > MLO profile list. You can create up to 2 simultaneous MLO networks.
  • Option C: Manage MLO profiles. In Wireless > MLO, enable/disable MLO. Enabling MLO also enables AiMesh MLO backhaul, and you can add up to 2 MLO networks to the profile list.

Activate MLO from the ASUS Router app

Go to Settings > Network > Primary network profile. Activate MLO from Advanced Settings or from General in MLO Fronthaul for Customers, and apply. Alternatively, create an MLO network in Settings > Network > Guest Network (or Guest Pro or Smart home Master) > Multi-Link Operation and fill in the details.

AiMesh Notes with Wi-Fi 7

If MLO is active on the primary AiMesh router, nodes without MLO will not advertise 6 GHz. For best performance with multiple ASUS routers, use the one with the highest specifications as the primary router.

MLO backhaul on AiMesh is limited: only the first node can use it, and only within the same model. If you adjust the backhaul band, go to Wireless > MLO > Backhaul Band; changing it will restart all routers on the system.

FAQ MLO and Wi-Fi 7

Wi-Fi 7 mode can be turned on/off from the main network profile. For encryption, Wi-Fi 7 combines bands with AES + GCMP-256. AES is a well-established symmetric standard, and GCMP-256 increases the key length from 128 to 256 bits compared to Wi-Fi 6/6E/7 with GCMP-128, making decryption harder.

Note on compatibility: some older devices will not work with GCMP-256. Use a dedicated IoT network at 2.4 GHz + 5 GHz with WPA2-Personal AES. Useful tip: keep the IoT network SSID/password the same as you are using now and create a new SSID for Wi-Fi 7.

If you need firmware, utilities, or manuals, download them from the ASUS Download Center of the corresponding product.

SDN on ASUS ExpertWiFi routers: on-the-fly scenario-based networking

The self-defined network (SDN) in ExpertWiFi allows up to five independent SSIDs to separate and prioritize devices: employees, captive marketing portal, guests, scheduled network, IoT, VPN, scenario explorer, and custom networks. When creating a Wi-Fi SDN, the associated VLAN is generated simultaneously.

Prepare beforehand: SDN works with ExpertWiFi routers. Update to the latest firmware version and, if you're going to use the app, install it and make sure it's up to date. The QIS quick setup and other guides are in the manufacturer's documentation.

Configure SDN from the app

Open the ExpertWiFi app, tap SDN and choose a profile, for example Guest Network. Define the SSID and password, decide whether it will be a one-time access with a time window or whether you will schedule times, and apply. You'll see, for example, that the network remains available for two hours.

Configure SDN from the web interface

Connect to the router via cable or Wi-Fi and access via the LAN IP or expertwifi.net. Log in and go to User-Defined Network to create a profile according to your needs. If you forgot your credentials, perform a factory reset and create your account again.

In general settings define SSID/password (recommended, no open networks) and the schedule. After applying, you'll see a clock icon showing the remaining time for the guest network. You can delete the profile or create more using the add button.

In advanced settings you can choose the applicable Wi-Fi band, AiMesh synchronization, bandwidth limiter, allow or block intranet access, assign DNS servers other than those from the ISP or activate VPN by profile (client or server).

If the devices connect but do not browse, check coverage and mitigate interference, and remember the differences between 2.4 and 5 GHz. For drivers and firmware, use the ASUS Download Center.

VLAN by SSID with TP-Link CAP/AC: Step-by-Step Guide

Dividing the enterprise network by departments or uses requires isolating the broadcast domain. With CAP/AC and an L3 switch you can map SSIDs to VLANs (e.g., R&D, Marketing, Product), maintain separate management, and provide internet access via NAT at the gateway.

Step 1: Multi-network NAT and static routing on the edge router

Enable Multi-Nets NAT in Advanced > NAT for each subnet that needs egress, leaving the interface as LAN. Then create static routes in Advanced > Routing > Static Route: destination = subnet network, next hop = L3 switch IP, LAN interface.

Step 2: VLANs and ports on the switch

In VLAN > 802.1Q VLAN > Port Config, put the ports that go to the CAPs in trunk mode (for example, 1/0/37 and 1/0/39). The trunk carries multiple VLANs; the remaining ports can remain in access mode.

In VLAN > 802.1Q VLAN > VLAN Config, create the VLANs (e.g., VLAN100 and VLAN200) and add the ports to the CAPs as members. For the management VLAN (e.g., VLAN 10), include the AC port (1/0/15), the CAP ports (1/0/37, 1/0/39), and the management PC port (1/0/6), and set its PVID to 10. Thus, management becomes isolated.

Step 3: L3 Interface and DHCP on the switch

In Routing > Interface > Interface Config, create the L3 interface for each VLAN with a static IP address. Enable the DHCP server per subnet in Routing > DHCP Server > Pool indicating network, mask, gateway and DNS.

Important: the switch does not proxy DNS. In DNS, point to the IP address of the outgoing router or to public servers like 8.8.8.8. DHCP is disabled by default: remember to enable it or clients will not obtain an IP address.

Step 4: Default route on the switch

In Routing > Static Routing > IPv4 Static Routing Config add a route 0.0.0.0/0 to the router's IP (e.g. 192.168.0.1). This ensures that unknown traffic leaves through the gateway.

Step 5: SSID and VLAN binding on the controller

With the AC managing the CAPs, go to Wireless > Wireless Service, create the SSIDs and link them to the radio and VLAN (e.g., SSID v100 to VLAN100). In Network > Interface, assign an IP address to the AC (e.g., 10.10.10.253), and in Network > DHCP Server, configure the AC's DHCP server for AP only if desired.

Testing with two SSIDs (v100 and v200), you'll see clients with IPs like 172.16.10.3 or 172.16.20.3 and the AC managing CAP on 10.10.10.0/24. This validates the segmentation and internet access.
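A consistency check for the five steps above, added here as an example and not taken from TP-Link documentation. It verifies that every SSID-bound subnet has a static route on the edge router via the switch, that DHCP does not hand out a switch address as DNS, that the switch default route points at the router, and that no SSID is bound to the management VLAN; the /24 masks, the .1 gateway addresses and the switch uplink address 192.168.0.2 are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed plan using the article's example values. The /24 masks, the
# .1 gateway addresses and the switch uplink 192.168.0.2 are assumptions.
PLAN = {
    "router_lan_ip": "192.168.0.1",
    "switch_uplink_ip": "192.168.0.2",
    "switch_default_route": ("0.0.0.0/0", "192.168.0.1"),
    "router_static_routes": {"172.16.10.0/24": "192.168.0.2",
                             "172.16.20.0/24": "192.168.0.2"},
    "mgmt_vlan": 10,
    "vlans": {
        10: {"subnet": "10.10.10.0/24", "gateway": "10.10.10.1",
             "dns": None, "ssid": None},
        100: {"subnet": "172.16.10.0/24", "gateway": "172.16.10.1",
              "dns": "8.8.8.8", "ssid": "v100"},
        200: {"subnet": "172.16.20.0/24", "gateway": "172.16.20.1",
              "dns": "8.8.8.8", "ssid": "v200"},
    },
}

def check_plan(plan):
    """Return finding codes where the plan contradicts the steps above."""
    findings = []
    vlans = plan["vlans"]
    nets = {vid: ipaddress.ip_network(v["subnet"]) for vid, v in vlans.items()}
    # Every address that belongs to the L3 switch itself.
    switch_ips = {v["gateway"] for v in vlans.values()} | {plan["switch_uplink_ip"]}
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            findings.append(f"vlan{a}-vlan{b}:overlap")
    for vid, v in sorted(vlans.items()):
        if ipaddress.ip_address(v["gateway"]) not in nets[vid]:
            findings.append(f"vlan{vid}:gateway-outside-subnet")
        if v["dns"] in switch_ips:            # Step 3: the switch does not proxy DNS
            findings.append(f"vlan{vid}:dns-on-switch")
        if v["ssid"] is None:
            continue
        if vid == plan["mgmt_vlan"]:          # management must stay isolated
            findings.append(f"vlan{vid}:ssid-on-management-vlan")
        elif plan["router_static_routes"].get(v["subnet"]) != plan["switch_uplink_ip"]:
            findings.append(f"vlan{vid}:no-static-route")   # Step 1
    if plan["switch_default_route"] != ("0.0.0.0/0", plan["router_lan_ip"]):
        findings.append("switch-default-route-wrong")       # Step 4
    return findings

def vlan_of(plan, client_ip):
    """Map an observed client address to the VLAN whose subnet contains it."""
    ip = ipaddress.ip_address(client_ip)
    for vid, v in plan["vlans"].items():
        if ip in ipaddress.ip_network(v["subnet"]):
            return vid
    return None

if __name__ == "__main__":
    print(check_plan(PLAN))
    for ip in ("172.16.10.3", "172.16.20.3", "10.10.10.253"):
        print(ip, "-> VLAN", vlan_of(PLAN, ip))
```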

AutoSwitch: Automatically activate WiFi profiles on the device

From the user's perspective, automating profile changes based on conditions avoids clicks and oversights. AutoSwitch lets you define conditions per profile (one or more) and decide whether all must be met or if one is enough. If several match, the profiles nearer the top of the list take priority.

The AutoSwitch panel helps you understand what's happening in real time: green for conditions met, red for conditions not met, and gray for conditions that are irrelevant because another profile has already successfully activated. You can also define global preferences such as notifications.

The default activation displays a countdown warning (cancellable). Optionally, use native Windows notifications or enable background notifications without messages; the tray icon will animate and change color to let you know. To save resources, the tool does not compare your current configuration with the profile, so manual changes are not detected as discrepancies.

Policies by schedule, QoS and firewall by profiles (WHG controllers)

In companies and organizations with defined schedules, it is useful to apply policies by day and hour to distinguish staff and employees with different access. The Director role will not have the same freedoms as an office profile, and their access windows also vary.

4ipnet WHG controllers' QoS profiles allow you to limit bandwidth per profile and per user, both upload and download. In addition, it classifies traffic to prioritize critical services (e.g., medical equipment in hospitals) over visits.

With firewall profiles you can block ports or applications (SSH, eMule, etc.) and site lists, and even apply rules in two layers, by calendar and by condition, to allow or block addresses according to time slot.

For special cases, it includes specific route profiles that replace default routes and allow you, for example, to force traffic to servers through a second WAN port or between service zones. The platform offers a wide range of options. Business contact: 902 506 100 info@wifisafe.com for inquiries about professional wireless products and solutions.

Models and availability, firmware and notes

The following models appear in documentation and reference guides of the business ecosystem and controllers/managers: TL-SG2008P , TL-SG3452X , SG5452XMPP , AP9635 , TL-SG2218P , TL-SG3452XP , AP9670 , EAP245( V3 V4 ) , EAP230-Wall , TL-SG2210P( V3 V3.20 V4 V5 ) , SG2210MP , TL-SX3008F , EAP115( V4 V4.20 V5 ) , TL-SL2428P( V4 V4.20 V5 V6 ) , TL-SX3016F , S4500-8G , SG2218 , SG3428 , Omada Software Controller( V4 V5), TL-SG3452P , EAP725-Outdoor , TL-SG3428X , EAP650-Outdoor , EAP772-Outdoor( V1 ) , SL2428P , S4500-8GHP2F , EAP653 UR , EAP660 HD , AP9665 , S4500-16G2F , TL-SG3428XF , EAP673 , EAP110( V4 V5 ) , EAP670 , EAP235-Wall , TL-SG2210MP , SG3210 , SG3452 , SG3452X , TL-SG3210XHP-M2 , S5500-24GP4XF , EAP225(V3 V3.20 V4 V5 ) , TL-SG2428P , EAP610-Outdoor , EAP115-Wall , SG3428XF , SG2428LP , AP9778 , EAP225-Wall( V2 ) , EAP225-Outdoor , EAP223 , SX3008F , SG3428MP, SG3428X, EAP725-Wall, AP9650, SG3452P, EAP265 HD, SX3016F, SG2218P, EAP620 HD, SG2428P, SG2008P, SG3452XP, EAP613, EAP610 , EAP653 , TL-SG3428 TL-SG2218 , TL-SG3210( V3 ) , EAP690E HD , TL-SX3206HPP , EAP623-Outdoor HD , SG3428XMP , EAP110-Outdoor( V3 V4 ) , TL-SG3428XMP , SX3206HPP.

Please note that recent updates may have expanded access to the features described. Always check your product's support page, select its hardware version, and review the technical specifications or firmware section for improvements. Availability varies by region.

Finally, encryption in Wi-Fi 7 environments with AES + GCMP-256 strengthens security compared with GCMP-128. Remember to create a separate IoT network when you have older devices that do not support GCMP-256, maintaining compatibility and order.

All of the above allows you to design WiFi profiles for any scenario without leaving any loose ends: from the console (Configuration Manager or Intune) to the real world (MLO, VLAN, SDN, QoS, and automations), with clear procedures, compatibility notes, firmware downloads, and security controls. A well-thought-out configuration translates into faster connections, fewer incidents, and a network that adapts to your business.