EAP Method Properties

Used by supplicants and authenticators to determine the EAP methods to be used with a given supplicant or authenticator. Method properties also specify the configuration of a method.

For example, the 802.1X supplicant may require methods to have certain properties for use with the 802.1X supplicant. Keying material, for example, is a requirement.

The properties supported by EAP methods are listed. Properties are stored as registry key values. For more information, see the EAP Peer Method DLL Registry Key section of the topic Registry Configuration for EAP Methods.

eapPropCipherSuiteNegotiation

0x00000001

The method allows the cipher suite to be negotiated for the purpose of data encryption. Windows Server 2008 supports the following 3DES cipher suites:

• TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
• SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (SSL 2 if enabled)

For more information about the TLS 1.0 security protocol, see RFC 2246.

eapPropMutualAuth

0x00000002

The method provides an exchange, in which the authenticator authenticates the peer and vice versa.

eapPropIntegrity

0x00000004

The method provides data origin authentication and protection against unauthorized modification of information for EAP packets, including EAP requests and responses. When making this claim, a method specification must specify the protected EAP packets and protected fields within EAP packets.

eapPropReplayProtection

0x00000008

The method can protect against replay of an EAP method or its messages. Success and failure result indications cannot be replayed.

eapPropConfidentiality

0x00000010

The method can encrypt EAP messages. EAP requests, EAP responses, success result indications, and failure result indications are encrypted. A method making this claim must support identity protection.

eapPropKeyDerivation

0x00000020

The method can derive exportable keying material, such as the Master Session Key (MSK) and the Extended Master Session Key (EMSK). The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data. Use of the EMSK is reserved.

eapPropKeyStrength64

0x00000040

The minimum key length supported by the EAP method is 64 bits.

eapPropKeyStrength128

0x00000080

The minimum key length supported by the EAP method is 128 bits.

eapPropKeyStrength256

0x00000100

The minimum key length supported by the EAP method is 256 bits.

eapPropKeyStrength512

0x00000200

The minimum key length supported by the EAP method is 512 bits.

eapPropKeyStrength1024

0x00000400

The minimum key length supported by the EAP method is 1024 bits.

eapPropDictionaryAttackResistance

0x00000800

The method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary. Where password authentication is used, passwords are commonly selected from a small set (as compared to a set of N-bit keys), which raises a concern about dictionary attacks. A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary.

eapPropFastReconnect

0x00001000

The method has the ability, in the case where a security association has been previously established, to create a new or refreshed security association more efficiently or in a smaller number of round-trips.

eapPropCryptoBinding

0x00002000

The method demonstrates to the EAP server that a single entity has acted as the EAP peer for all methods executed within a tunnel method. Binding may also imply that the EAP server demonstrates to the peer that a single entity has acted as the EAP server for all methods executed within a tunnel method. If executed correctly, binding serves to mitigate man-in-the-middle vulnerabilities.

eapPropSessionIndependence

0x00004000

The method demonstrates that passive attacks (such as capture of the EAP conversation) or active attacks (including compromise of the MSK or EMSK) do not compromise subsequent or prior MSKs or EMSKs.

eapPropFragmentation

0x00008000

The method can support fragmentation and reassembly if EAP packets exceed the minimum MTU (maximum transmission unit) of 1020 octets.

eapPropChannelBinding

0x00010000

The method can communicate integrity-protected channel properties, such as endpoint identifiers, which can be compared to values communicated using out of band mechanisms - such as an Authentication, Authorization, and Accounting (AAA) or the lower layer protocol.

eapPropNap

0x00020000

The method supports Network Access Protection (NAP).

eapPropStandalone

0x00040000

The method can be used on a standalone machine.

eapPropMppeEncryption

0x00080000

The method supports Microsoft Point-to-Point Encryption (MPPE) protocol encryption.

eapPropTunnelMethod

0x00100000

The method supports tunneling of other EAP methods.

eapPropSupportsConfig

0x00200000

The method supports configurable properties, and has a user interface.

eapPropCertifiedMethod

0x00400000

The method was certified by the EAP Certification Program. This bit should only be sent by EAP methods that have passed certification.

eapPropmachineAuth

0x01000000

Windows 7 or later: The method can be used to authenticate a machine on to a network using the machines credentials.

eapPropUserAuth

0x02000000

Windows 7 or later: The method can be used to authenticate a user on to a network using the users credentials.

eapPropIdentityPrivacy

0x04000000

Windows 7 or later: The method supports sending the user identity in a protected channel.

eapPropMethodChaining

0x08000000

Windows 7 or later: The method is a tunnelled method and supports EAP method chaining within the tunnel.

eapPropSharedStateEquivalence

0x10000000

Windows 7 or later: The method supports shared state equivalence as defined in RFC 4017.

eapPropReserved

0x80000000

Reserved. Not used.

Requirements

See also

Registry Keys for EAP Methods

Common EAPHost Constants