EAP method properties are used by supplicants and authenticators to determine which EAP methods can be used with a given supplicant or authenticator. Method properties also specify the configuration of a method.
For example, the 802.1X supplicant may require a method to have certain properties before the method can be used with that supplicant. Keying material, for example, is a requirement.
The properties supported by EAP methods are listed below. Properties are stored as registry key values. For more information, see the EAP Peer Method DLL Registry Key section of the topic Registry Configuration for EAP Methods.
- eapPropCipherSuiteNegotiation
- 0x00000001
The method allows the cipher suite to be negotiated for the purpose of data encryption. Windows Server 2008 supports the following 3DES cipher suites:
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (SSL 2 if enabled)
For more information about the TLS 1.0 security protocol, see RFC 2246.
- eapPropMutualAuth
- 0x00000002
The method provides an exchange, in which the authenticator authenticates the peer and vice versa.
- eapPropIntegrity
- 0x00000004
The method provides data origin authentication and protection against unauthorized modification of information for EAP packets, including EAP requests and responses. When making this claim, a method specification must specify the protected EAP packets and protected fields within EAP packets.
- eapPropReplayProtection
- 0x00000008
The method can protect against replay of an EAP method or its messages. Success and failure result indications cannot be replayed.
- eapPropConfidentiality
- 0x00000010
The method can encrypt EAP messages. EAP requests, EAP responses, success result indications, and failure result indications are encrypted. A method making this claim must support identity protection.
- eapPropKeyDerivation
- 0x00000020
The method can derive exportable keying material, such as the Master Session Key (MSK) and the Extended Master Session Key (EMSK). The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data. Use of the EMSK is reserved.
- eapPropKeyStrength64
- 0x00000040
The minimum key length supported by the EAP method is 64 bits.
- eapPropKeyStrength128
- 0x00000080
The minimum key length supported by the EAP method is 128 bits.
- eapPropKeyStrength256
- 0x00000100
The minimum key length supported by the EAP method is 256 bits.
- eapPropKeyStrength512
- 0x00000200
The minimum key length supported by the EAP method is 512 bits.
- eapPropKeyStrength1024
- 0x00000400
The minimum key length supported by the EAP method is 1024 bits.
- eapPropDictionaryAttackResistance
- 0x00000800
The method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary. Where password authentication is used, passwords are commonly selected from a small set (as compared to a set of N-bit keys), which raises a concern about dictionary attacks. A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary.
- eapPropFastReconnect
- 0x00001000
The method has the ability, in the case where a security association has been previously established, to create a new or refreshed security association more efficiently or in a smaller number of round-trips.
- eapPropCryptoBinding
- 0x00002000
The method demonstrates to the EAP server that a single entity has acted as the EAP peer for all methods executed within a tunnel method. Binding may also imply that the EAP server demonstrates to the peer that a single entity has acted as the EAP server for all methods executed within a tunnel method. If executed correctly, binding serves to mitigate man-in-the-middle vulnerabilities.
- eapPropSessionIndependence
- 0x00004000
The method demonstrates that passive attacks (such as capture of the EAP conversation) or active attacks (including compromise of the MSK or EMSK) do not compromise subsequent or prior MSKs or EMSKs.
- eapPropFragmentation
- 0x00008000
The method can support fragmentation and reassembly if EAP packets exceed the minimum MTU (maximum transmission unit) of 1020 octets.
- eapPropChannelBinding
- 0x00010000
The method can communicate integrity-protected channel properties, such as endpoint identifiers, which can be compared to values communicated using out-of-band mechanisms, such as an Authentication, Authorization, and Accounting (AAA) protocol or the lower-layer protocol.
- eapPropNap
- 0x00020000
The method supports Network Access Protection (NAP).
- eapPropStandalone
- 0x00040000
The method can be used on a standalone machine.
- eapPropMppeEncryption
- 0x00080000
The method supports Microsoft Point-to-Point Encryption (MPPE) protocol encryption.
- eapPropTunnelMethod
- 0x00100000
The method supports tunneling of other EAP methods.
- eapPropSupportsConfig
- 0x00200000
The method supports configurable properties, and has a user interface.
- eapPropCertifiedMethod
- 0x00400000
The method was certified by the EAP Certification Program. This bit should only be sent by EAP methods that have passed certification.
- eapPropMachineAuth
- 0x01000000
Windows 7 or later: The method can be used to authenticate a machine to a network using the machine's credentials.
- eapPropUserAuth
- 0x02000000
Windows 7 or later: The method can be used to authenticate a user to a network using the user's credentials.
- eapPropIdentityPrivacy
- 0x04000000
Windows 7 or later: The method supports sending the user identity in a protected channel.
- eapPropMethodChaining
- 0x08000000
Windows 7 or later: The method is a tunnelled method and supports EAP method chaining within the tunnel.
- eapPropSharedStateEquivalence
- 0x10000000
Windows 7 or later: The method supports shared state equivalence as defined in RFC 4017.
- eapPropReserved
- 0x80000000
Reserved. Not used.
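As an added example (not Microsoft's code and not part of the original page), the following C program decodes a properties value with the flag values listed above, reports required properties the method does not claim, and reports bits the list does not define. The function names, the `EAP_REQUIRED` policy and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Flag values copied from the list above; names drop the eapProp prefix. */
static const struct { uint32_t bit; const char *name; } EAP_PROPS[] = {
    {0x00000001, "CipherSuiteNegotiation"}, {0x00000002, "MutualAuth"},
    {0x00000004, "Integrity"},              {0x00000008, "ReplayProtection"},
    {0x00000010, "Confidentiality"},        {0x00000020, "KeyDerivation"},
    {0x00000040, "KeyStrength64"},          {0x00000080, "KeyStrength128"},
    {0x00000100, "KeyStrength256"},         {0x00000200, "KeyStrength512"},
    {0x00000400, "KeyStrength1024"},        {0x00000800, "DictionaryAttackResistance"},
    {0x00001000, "FastReconnect"},          {0x00002000, "CryptoBinding"},
    {0x00004000, "SessionIndependence"},    {0x00008000, "Fragmentation"},
    {0x00010000, "ChannelBinding"},         {0x00020000, "Nap"},
    {0x00040000, "Standalone"},             {0x00080000, "MppeEncryption"},
    {0x00100000, "TunnelMethod"},           {0x00200000, "SupportsConfig"},
    {0x00400000, "CertifiedMethod"},        {0x01000000, "MachineAuth"},
    {0x02000000, "UserAuth"},               {0x04000000, "IdentityPrivacy"},
    {0x08000000, "MethodChaining"},         {0x10000000, "SharedStateEquivalence"},
};
#define N_PROPS (sizeof EAP_PROPS / sizeof EAP_PROPS[0])
/* Assumed local policy (not a Windows default): key derivation + mutual auth. */
#define EAP_REQUIRED (0x00000020u | 0x00000002u)
/* Bits the list above does not define; eapPropReserved is counted here too. */
uint32_t eap_undefined_bits(uint32_t props) {
    for (size_t i = 0; i < N_PROPS; i++) props &= ~EAP_PROPS[i].bit;
    return props;
}
/* Required bits that the method does not claim. */
uint32_t eap_missing(uint32_t props, uint32_t required) { return required & ~props; }
/* Write "A|B|C" into buf; return the number of defined flags written. */
int eap_describe(uint32_t props, char *buf, size_t n) {
    int count = 0; size_t used = 0;
    if (n) buf[0] = '\0';
    for (size_t i = 0; i < N_PROPS; i++) {
        if (!(props & EAP_PROPS[i].bit)) continue;
        int w = snprintf(buf + used, n - used, "%s%s", count ? "|" : "", EAP_PROPS[i].name);
        if (w < 0 || (size_t)w >= n - used) { if (n) buf[used] = '\0'; break; }
        used += (size_t)w; count++;
    }
    return count;
}
int main(void) {
    uint32_t s[] = { 0x000000AEu, 0x00840000u }; /* constructed sample values */
    char names[512];
    for (size_t i = 0; i < 2; i++) {
        eap_describe(s[i], names, sizeof names);
        printf("0x%08X %s missing=0x%08X undefined=0x%08X\n", (unsigned)s[i], names,
               (unsigned)eap_missing(s[i], EAP_REQUIRED), (unsigned)eap_undefined_bits(s[i]));
    }
    return 0;
}
```

A nonzero result from `eap_undefined_bits` means the stored value carries bits outside the documented set and should be reviewed before the other flags are trusted.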
Requirements
| Minimum supported client | Windows Vista |
| Minimum supported server | Windows Server 2008 |
| Header | Eaptypes.h |
See Also
- Registry Keys for EAP Methods
- Common EAPHost Constants
Build date: 11/5/2009