This topic provides answers to commonly-asked programming questions about EAP method authoring.
What is "configuration data"?
The terms "configuration data" and "connection data" are synonymous.
What is "connection data"?
data" is an EAP method-specific opaque BLOB that contains configuration information for the method. This connection data is created by the method when it is initially configured and is never interpreted or modified by any other component than the EAP method itself.
What are "credentials"?
The terms "credentials" and "user data" are synonymous.
What is "user data"?
data" is an EAP method-specific opaque BLOB that contains user credential data, such as a user name and password. The user data is never interpreted or modified by any other component than the EAP method itself. The terms "user data" and "credentials" are synonymous.
What is an "EAP attribute"?
An "EAP attribute" is a data structure that contains a predetermined type of data. Attributes are used to communicate information between EAP methods and supplicants, or between EAP methods and authenticators. Peer and authenticator implementations of an EAP method may exchange these attributes over a network.
Can the configuration API and the run-time API appear in the same method DLL?
Yes. Be sure to specify the distinction when configuring the registry entries for the EAP method itself. The configuration path and peer path must be the same.
Can the configuration API and the run-time API appear in separate method DLLs?
Yes. Be sure to specify the distinction when configuring the registry entries for the EAP method itself. The configuration and peer paths must point to the correct DLLs.
How do I install an EAP method?
To install an EAP method, you must first implement DllRegisterServer and DllUnregisterServer in the EAP method DLL itself. After that, use regsvr32.exe to install and uninstall the method. The appropriate registry keys must also be set. For more information, see Installing an EAP Method.
What is in-band Network Access Protection (NAP) support?
When in-band NAP support is enabled, NAP packets are transported inside EAP method packets. In contrast, when out-of-band NAP support is enabled, the NAP Statement of Health (SoH) exchange occurs through means other than internal to EAP method packets, and NAP-generated certificates are used in EAP method authentication.
Can I enable in-band NAP support for my EAP method?
Yes, in-band NAP support for your EAP method can be enabled. For more information, see Enabling In-Band NAP Support for EAP Methods.
How does EAP Flexible Authentication via Secure Tunneling (EAP-FAST) work?
The EAP-FAST scenario works as follows.
- The method processes a password change at single-sign-on (SSO) employing the method UI.
- The method returns the [eatCredentialsChanged](/windows/desktop/api/eaptypes/ne-eaptypes-eap_attribute_type) attribute.
- The supplicant indicates to the user that credentials have changed and requests the user to re-enter their credentials.
- The supplicant re-enters the user credentials, and sends those credentials to the method.
What is Pre-Shared Key(PSK)?
A method of transmitting and receiving digital signals in which the phase of a transmitted signal is varied to convey information. The EAPConfigInputPSK input field contains the user's EAP-FAST PSK.
What is WOW and how does it matter to EAPHost?
Microsoft Windows-32-bit-On-Windows-64-bit (WOW) is an operating system component in 64-bit Windows that supports 32-bit x86 platform application. Typically, a EAP method author would define some form of C/C++ structure to encapsulate configuration data, credential data, and interactive UI data. To avoid incompatibilities in WOW and other scenarios, it is important to ensure that data structures are aligned similarly in different processor architectures (32-bit and 64-bit processors). Typically dummy padding is used to align the fields so that the configuration, credential and interactive UI data are identical on both 32-and 64-bit processors.
What are "action codes" and under what conditions are these action codes returned?
"Action codes" allow methods to control the flow of authentication, and are integral to the state machine. They are values returned by an EAP method to indicate the next action the EAPHost should take. For example, an action code could indicate to EAPHost that the EAP method has a packet ready for transmission. The supplicant abides by all action codes returned by an EAP method, but never issues action codes.For more information, see EAP Peer Supplicant Action Codes.
When does a method return "EapPeerMethodResponseActionDiscard", and what does this action code mean to EAPHost?
EapPeerMethodResponseActionDiscard is returned by an EAP method to indicate to the EAPHost that it must discard the packet it supplied to the method. Specifically, the method has determined that the packet is invalid. EAPHost then waits for the next package.
When does a method return "EapPeerMethodResponseActionSend" and what does this action code mean to EAPHost?
EapPeerMethodResponseActionSend is returned by an EAP method to indicate to EAPHost that the next packet received by EAPHost must be sent to the network access server (NAS).
When does a method return "EapPeerMethodResponseActionResult" and what does this action code mean to EAPHost?
EapPeerMethodResponseActionResult is returned by an EAP method to indicate to the EAPHost that the authentication session has concluded and that the results of that session are available.
When does a method return "EapPeerMethodResponseActionInvokeUI" and what does this action code mean to EAPHost?
EapPeerMethodResponseActionInvokeUI is returned by an EAP method to indicate to EAPHost that user input is required to continue with authentication, and that a user interface dialog box must be displayed to obtain that input. Once the user input data has been obtained, EAPHost can call the EAP method again with the updated UI context data.
When does a method return "EapPeerMethodResponseActionRespond" and what does this action code mean to EAPHost?
EapPeerMethodResponseActionRespond is returned by an EAP method to indicate to EAPHost that the EAP method has attributes available for EAPHost to use during authentication. EAPHost obtains the attributes by calling the EapPeerGetResponseAttributes method followed by a call to the EapPeerSetResponseAttributes method.
When does a method return "EapPeerMethodResponseActionNone" and what does this action code mean to EAPHost?
EapPeerMethodResponseActionNone is returned by an EAP method to indicate to EAPHost that no action is required at this time.
Can I enable tracing on the authenticator side?
Yes. For more information, see Enabling Tracing.