Authentication Protocol Initialization

When creating an entry for a particular connection, you must select an authentication protocol to use for that connection. The selected authentication protocol may require configuration. If so, the Dial-Up Networking UI displays a configuration UI by calling the RasEapInvokeConfigUI function. The Dial-Up Networking UI stores the configuration information returned by RasEapInvokeConfigUI in the entry. The setup program for the authentication protocol may also store default configuration information in the registry. For more information, see EAP Installation.

The configuration information stored in the entry should be generic to all users on the client computer. Information specific to a particular user or users should not be stored in the entry. The authentication protocol should obtain user-specific information through the identity function interface or interactive UI. The authentication protocol can store this information in the registry by passing it to RAS in the pEapOutput parameter of RasEapMakeMessage.

When the client attempts to establish the connection, RAS obtains identity information for the user. If the RAS_EAP_VALUENAME_INVOKE_NAMEDLG value is present in the registry for this authentication protocol, and this value is set to 0, RAS calls RasEapGetIdentity. This function typically displays a UI that lets the user supply identity information of a type specific to the authentication protocol; for example, a certificate or numeric identifier.

Once RAS has obtained the identity information for the user, RAS calls the authentication protocol's implementation of RasEapBegin. This call allows the protocol to allocate and initialize a work buffer that RAS passes on subsequent calls to RasEapMakeMessage and RasEapEnd. In RasEapBegin, RAS also passes a PPP_EAP_INPUT structure that contains pointers to the configuration information for the connection, and the identity information for the user. RAS always passes in a value for the pszIdentity member of PPP_EAP_INPUT. However, the pszPassword member of PPP_EAP_INPUT may be NULL.

Within the PPP_EAP_INPUT structure, the fAuthenticator member indicates whether the authentication protocol is being invoked to be authenticated (on the client) or as the authenticator (on the server).

On the server, the bInitialID member of PPP_EAP_INPUT specifies the identifier that the server should use for the first EAP packet. The server should increment this identifier for subsequent packets.

Also on the server, the pUserAttributes pointer in PPP_EAP_INPUT points to an array of attributes of the RAS_AUTH_ATTRIBUTE_TYPE type. These are attributes for the user that were obtained from the client.

If the RasEapBegin call returns any value other than NO_ERROR, the session is disconnected. The returned error is logged (on the server), or displayed to the user (on the client).
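
The RasEapBegin behavior described above, sketched in C as an added example (not Microsoft sample code). PPP_EAP_INPUT here is a reduced stand-in holding only the members named on this page so the block compiles without the Windows headers; EAP_SESSION, MAX_IDENTITY, and the omitted calling-convention macro are assumptions of the sketch.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins so the sketch compiles without the Windows headers. */
typedef unsigned long DWORD;
typedef int BOOL;
typedef unsigned char BYTE;
#define NO_ERROR 0UL
#define ERROR_NOT_ENOUGH_MEMORY 8UL
#define ERROR_INVALID_PARAMETER 87UL

/* Reduced stand-in for PPP_EAP_INPUT: only the members named on this page. */
typedef struct {
    BOOL  fAuthenticator;  /* nonzero: invoked as the authenticator (server) */
    BYTE  bInitialID;      /* server: identifier for the first EAP packet */
    char *pszIdentity;     /* always supplied by RAS */
    char *pszPassword;     /* may be NULL */
} PPP_EAP_INPUT;

#define MAX_IDENTITY 256   /* assumed limit for this sketch */

typedef struct {           /* hypothetical per-session work buffer */
    BOOL fAuthenticator;
    BYTE bNextId;          /* server increments this for later packets */
    BOOL fHavePassword;
    char szIdentity[MAX_IDENTITY];
} EAP_SESSION;

DWORD RasEapBegin(void **ppWorkBuffer, void *pInput)
{
    PPP_EAP_INPUT *in = (PPP_EAP_INPUT *)pInput;
    EAP_SESSION *s;
    size_t len;

    if (ppWorkBuffer == NULL) return ERROR_INVALID_PARAMETER;
    *ppWorkBuffer = NULL;  /* never hand back a stale pointer on failure */
    if (in == NULL || in->pszIdentity == NULL) return ERROR_INVALID_PARAMETER;
    len = strlen(in->pszIdentity);
    if (len >= MAX_IDENTITY) return ERROR_INVALID_PARAMETER; /* reject, never truncate */

    s = calloc(1, sizeof *s);               /* zero-initialized work buffer */
    if (s == NULL) return ERROR_NOT_ENOUGH_MEMORY;
    memcpy(s->szIdentity, in->pszIdentity, len + 1);
    s->fAuthenticator = in->fAuthenticator != 0;
    s->fHavePassword = in->pszPassword != NULL;  /* tested, not dereferenced */
    if (s->fAuthenticator) s->bNextId = in->bInitialID;  /* server side only */
    *ppWorkBuffer = s;
    return NO_ERROR;   /* any other return value disconnects the session */
}
```

The work buffer allocated here is the one RAS later passes to RasEapMakeMessage and RasEapEnd, so the protocol's RasEapEnd is the place to clear and free it.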

See Also

EAP Implementation Details | EAP Installation | RasEapInvokeConfigUI | RasEapMakeMessage | RasEapGetIdentity | RasEapBegin | RasEapEnd | PPP_EAP_INPUT | RAS_AUTH_ATTRIBUTE_TYPE

Last updated on Thursday, April 08, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.