
EAP Method Properties

EAP method properties are used by supplicants and authenticators to determine which EAP methods can be used with a given supplicant or authenticator. Method properties also specify the configuration of a method.

For example, the 802.1X supplicant may require that methods have certain properties before they can be used with it. Keying material, for example, is a requirement.

The properties supported by EAP methods are listed below. Properties are stored as registry key values. For more information, see the EAP Peer Method DLL Registry Key section of the topic Registry Configuration for EAP Methods.

eapPropCipherSuiteNegotiation
0x00000001

The method allows the cipher suite to be negotiated for the purpose of data encryption. Windows Server 2008 supports the following 3DES cipher suites:

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
  • SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (SSL 2 if enabled)

For more information about the TLS 1.0 security protocol, see RFC 2246.

eapPropMutualAuth
0x00000002

The method provides an exchange in which the authenticator authenticates the peer and vice versa.

eapPropIntegrity
0x00000004

The method provides data origin authentication and protection against unauthorized modification of information for EAP packets, including EAP requests and responses. When making this claim, a method specification must specify the protected EAP packets and protected fields within EAP packets.

eapPropReplayProtection
0x00000008

The method can protect against replay of an EAP method or its messages. Success and failure result indications cannot be replayed.

eapPropConfidentiality
0x00000010

The method can encrypt EAP messages. EAP requests, EAP responses, success result indications, and failure result indications are encrypted. A method making this claim must support identity protection.

eapPropKeyDerivation
0x00000020

The method can derive exportable keying material, such as the Master Session Key (MSK) and the Extended Master Session Key (EMSK). The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data. Use of the EMSK is reserved.

eapPropKeyStrength64
0x00000040

The minimum key length supported by the EAP method is 64 bits.

eapPropKeyStrength128
0x00000080

The minimum key length supported by the EAP method is 128 bits.

eapPropKeyStrength256
0x00000100

The minimum key length supported by the EAP method is 256 bits.

eapPropKeyStrength512
0x00000200

The minimum key length supported by the EAP method is 512 bits.

eapPropKeyStrength1024
0x00000400

The minimum key length supported by the EAP method is 1024 bits.

eapPropDictionaryAttackResistance
0x00000800

The method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary. Where password authentication is used, passwords are commonly selected from a small set (as compared to a set of N-bit keys), which raises a concern about dictionary attacks. A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, it does not allow such an attack.

eapPropFastReconnect
0x00001000

The method has the ability, in the case where a security association has been previously established, to create a new or refreshed security association more efficiently or in a smaller number of round-trips.

eapPropCryptoBinding
0x00002000

The method demonstrates to the EAP server that a single entity has acted as the EAP peer for all methods executed within a tunnel method. Binding may also imply that the EAP server demonstrates to the peer that a single entity has acted as the EAP server for all methods executed within a tunnel method. If executed correctly, binding serves to mitigate man-in-the-middle vulnerabilities.

eapPropSessionIndependence
0x00004000

The method demonstrates that passive attacks (such as capture of the EAP conversation) or active attacks (including compromise of the MSK or EMSK) do not compromise subsequent or prior MSKs or EMSKs.

eapPropFragmentation
0x00008000

The method can support fragmentation and reassembly if EAP packets exceed the minimum MTU (maximum transmission unit) of 1020 octets.

eapPropChannelBinding
0x00010000

The method can communicate integrity-protected channel properties, such as endpoint identifiers, which can be compared to values communicated using out-of-band mechanisms, such as an Authentication, Authorization, and Accounting (AAA) protocol or the lower-layer protocol.

eapPropNap
0x00020000

The method supports Network Access Protection (NAP).

eapPropStandalone
0x00040000

The method can be used on a standalone machine.

eapPropMppeEncryption
0x00080000

The method supports Microsoft Point-to-Point Encryption (MPPE) protocol encryption.

eapPropTunnelMethod
0x00100000

The method supports tunneling of other EAP methods.

eapPropSupportsConfig
0x00200000

The method supports configurable properties, and has a user interface.

eapPropCertifiedMethod
0x00400000

The method was certified by the EAP Certification Program. This bit should only be sent by EAP methods that have passed certification.

eapPropMachineAuth
0x01000000

Windows 7 or later: The method can be used to authenticate a machine on to a network using the machine's credentials.

eapPropUserAuth
0x02000000

Windows 7 or later: The method can be used to authenticate a user on to a network using the user's credentials.

eapPropIdentityPrivacy
0x04000000

Windows 7 or later: The method supports sending the user identity in a protected channel.

eapPropMethodChaining
0x08000000

Windows 7 or later: The method is a tunnelled method and supports EAP method chaining within the tunnel.

eapPropSharedStateEquivalence
0x10000000

Windows 7 or later: The method supports shared state equivalence as defined in RFC 4017.

eapPropReserved
0x80000000

Reserved. Not used.
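
The requirement check described at the top of this page, as an added C example (not Microsoft's code): it tests a method's properties DWORD against a required set and flags bits the list above does not define. The helper names, the policy mask and the sample values are assumptions constructed for illustration; the tunnel consistency check is inferred from the eapPropMethodChaining description.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values copied from the list above (only those this example uses). */
#define eapPropMutualAuth     0x00000002u
#define eapPropKeyDerivation  0x00000020u
#define eapPropTunnelMethod   0x00100000u
#define eapPropMethodChaining 0x08000000u

/* Every bit the list defines, excluding eapPropReserved (0x80000000). */
#define EAP_PROP_DEFINED_MASK 0x1F7FFFFFu

/* Hypothetical supplicant policy: keying material plus mutual authentication. */
#define POLICY_REQUIRED (eapPropKeyDerivation | eapPropMutualAuth)

/* Bits that are set but undefined in the list (or marked reserved). */
uint32_t eap_undefined_bits(uint32_t props) {
    return props & ~EAP_PROP_DEFINED_MASK;
}

/* Required bits the method does not claim; 0 means the policy is met. */
uint32_t eap_missing_bits(uint32_t props, uint32_t required) {
    return required & ~props;
}

/* Chaining is described as a feature of a tunnelled method, so a value
   that claims chaining without eapPropTunnelMethod contradicts itself. */
int eap_chaining_without_tunnel(uint32_t props) {
    return (props & eapPropMethodChaining) && !(props & eapPropTunnelMethod);
}

/* 1 if the properties value passes all three checks, 0 otherwise. */
int eap_method_acceptable(uint32_t props, uint32_t required) {
    return eap_undefined_bits(props) == 0
        && eap_missing_bits(props, required) == 0
        && !eap_chaining_without_tunnel(props);
}

int main(void) {
    /* Constructed sample values, not taken from a real method registration. */
    const uint32_t samples[] = { 0x00102022u, 0x00000802u, 0x08000022u, 0x80000022u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t p = samples[i];
        printf("0x%08X missing=0x%08X undefined=0x%08X -> %s\n", (unsigned)p,
               (unsigned)eap_missing_bits(p, POLICY_REQUIRED),
               (unsigned)eap_undefined_bits(p),
               eap_method_acceptable(p, POLICY_REQUIRED) ? "accept" : "reject");
    }
    return 0;
}
```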

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Header

Eaptypes.h

See also

Registry Keys for EAP Methods
Common EAPHost Constants

© 2014 Microsoft