Extensible Authentication Protocol (EAP) Test - Peer Tunnel Method

Overview

The Extensible Authentication Protocol (EAP) Test is used by the EAP Certification Program (ECP).

Details

The EAP Test comprises the following testing methods:

  • Peer Method
  • Peer Tunnel Method
  • Authenticator Method
  • Network Supplicant

This description applies to the Peer Tunnel Method.

Requirements

Software Requirements

The test tool runs on the following Windows operating systems:

  • Windows Server 2008 Release 2
  • Windows 7
  • Windows Server 2008
  • Windows Vista
  • Software components included with the device that is being tested.

Hardware Requirements

  • Device to be tested
  • Computer that meets the minimum software requirements
  • Windows keyboard
  • Two-button pointing device
  • Color display monitor capable of at least 1024 by 768 resolution, 32-bits per pixel, 60 Hz

  • Hard drive with a minimum of 20 GB available on partition C:
  • Processor

 

Running Extensible Authentication Protocol (EAP) Test - Peer Tunnel Method

For Peer Tunnel Method:

 

144.2.1 - EAP Method Submissions MUST include 32-bit x86 binaries

This test verifies that the submission includes a 32-bit x86 binary.

 

Overview

The test performs the following steps:

  • It checks whether the submission has only one x86 binary for the tunnelling method.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The x86 binary is not present in the package.

 

144.2.2 - EAP Method Submissions MUST include 64-bit x64 binaries

This test verifies that the submission includes a 64-bit x64 binary.

 

Overview

The test performs the following steps:

  • It checks whether the submission has only one x64 binary for the tunnelling method.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The x64 binary is not present in the package.

 

144.2.3 - EAP Methods MUST NOT disable or impair the functionality of other system components during the operation

This test verifies that the submission does not impair Windows or other components during operation.

 

Overview

Self-explanatory.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Submission impairs the system functionality during its operation.

 

145.2.1 - All ECP EAP Method Submissions will be packaged in an INF.

This test verifies that the submission is packaged with an INF file.

 

Overview

The test performs the following steps:

  • Checks for a valid INF file in the package location.
  • Checks for various sections for valid installation of the INF file.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • INF file is not present in the package location.
  • INF file does not contain the valid install section.

 

145.2.2 - ECP EAP Method Submission INF installers MUST allow for installation and uninstall.

This test verifies that submitted INF installers allow for installation and uninstallation.

 

Overview

The test performs the following steps:

  • Checks that Install section is present in the INF file.
  • Checks that Uninstall section is present in the INF file.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • INF file does not contain the install section.
  • INF file does not contain the uninstall section.

 

145.2.3 - ECP Method Submissions MUST NOT require reboot after installation to function properly

This test verifies that installation of method does not require a reboot.

 

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.
  • Install the method.
  • Checks certain registry locations that need to be updated if a reboot is needed for the install.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to the registry locations that are necessary for a reboot.

 

145.2.4 - EAP Methods MUST NOT disable or otherwise modify other installed components as part of installation.

This test verifies that installation of method does not modify the registry or file system, other than its own space.

 

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.

  • Install the method.
  • Verifies that all the registry updates are done as part of installation under the following key:

    HKLM\System\CurrentControlSet\Services\EapHost\Methods\<AuthId>\<TypeId>

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to a registry location other than the one specified.

 

145.2.5 - EAP Methods MUST remove all configuration data and files on removal/uninstall.

This test verifies that uninstall removes all the configuration data.

 

Overview

The test performs the following steps:

  • Get the list of all the files copied during installation.
  • Check if all these files have been removed.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • There is a mismatch between the files copied during installation and the files removed during uninstall.

 

145.2.6 - Removal of an EAP method must be performed through device uninstall using the device manager.

This test verifies that uninstall is done with the help of Device Manager.

 

Overview

The test performs the following steps:

  • Uninstalls the package.
  • Check for the absence of registry entries.
  • Install the package.
  • Check for the presence of registry entries.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Uninstall/installation of the package is unsuccessful.
  • Registry entries are present after uninstall.
  • Registry entries are absent after install.

 

146.2.1 - EAP Peer tunnel methods will successfully complete one hour of end-to-end authentications. There should not be any observable resource leaks.

 

Overview

Runs the end-to-end authentications for one hour and validates that leaks are not present in the process.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • A huge memory or handle leak is observed while running the stress test.

 

146.2.2 - EAP Peer tunnel methods will successfully survive 100,000 cycles of loading and unloading the method DLL without error. There should not be any observable resource leaks.

 

Overview

This test performs 100,000 cycles of loading and unloading the method DLLs and validates the performance parameters.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • A huge memory or handle leak is observed while running the stress test.
  • Failed to load or unload.

 

146.2.3 - All implemented EAP method APIs will successfully survive one hour of comprehensive API fuzz testing without error. There should not be any observable resource leaks

 

Overview

This test performs hour-long fuzzing of all the EAP APIs exported by the method DLLs and validates the performance parameters.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • A huge memory or handle leak is observed while running the stress test.
  • Failed to call the API.

 

146.2.4 - EAP Peer Methods will successfully survive end-to-end negative authentication stress for a period of one hour.

 

Overview

Runs the end-to-end failure authentications for one hour and validates that leaks are not present in the process.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • A huge memory or handle leak is observed while running the stress test.
  • The test case crashes the application.

 

147.2.1 - If the method is a password or smart card based test case, it should not write the password or PIN in traces or event logs (Manual).

This test verifies that the EAP method does not write password information in the trace logs. This test case needs user interaction on the DTM client side.

 

Overview

The test performs the following steps:

  • Checks the status of the trace file.
  • Runs the Authentication session with the method.
  • Ensure that method has written to trace logs.
  • Verify that the password is not present in the trace logs.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The method writes password information into the trace logs as part of authentication.

 

User Interactions

User has to do the following tasks:

  • In DTM Studio, schedule the job that has the test case ID 147.2.1; the following interactions are then needed at the DTM client.
  • Enable the method-specific trace (which will be written to C:\windows\tracing) and then press Ok.
  • An authentication session will be run as part of the test case.
  • Disable the method trace and then press Ok.
  • The trace file will be displayed in Notepad.
  • Verify whether the trace has password information.
  • Enter the appropriate choice (Yes/No) in the dialog box that follows.
  • End of the test case.
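
The manual inspection above can be backed by a byte-level search, shown here as an added example that is not part of the ECP test tool. It looks for the test credential in the encodings a trace writer is likely to use; the function names, the credential and the sample trace bytes are constructed for illustration.

```python
import base64

def secret_encodings(secret: str) -> dict:
    """Byte patterns under which a credential could appear in a trace file."""
    utf8 = secret.encode("utf-8")
    utf16 = secret.encode("utf-16-le")      # Windows traces are often UTF-16LE
    return {
        "utf-8": utf8,
        "utf-16-le": utf16,
        "hex(utf-8)": utf8.hex().encode("ascii"),
        "hex(utf-16-le)": utf16.hex().encode("ascii"),
        # base64 only matches when the secret starts the encoded buffer
        "base64(utf-8)": base64.b64encode(utf8),
        "base64(utf-16-le)": base64.b64encode(utf16),
    }

def find_secret(trace: bytes, secret: str) -> list:
    """Return the names of the encodings in which the secret occurs in the trace."""
    # Dropping NUL bytes turns UTF-16LE ASCII text into plain ASCII, so hex and
    # base64 dumps are found whether the trace file is ANSI or Unicode.
    textview = trace.replace(b"\x00", b"")
    # Hex dumps vary in case and spacing ("50 40 73" vs "504073"): normalise both.
    hexview = textview.lower().replace(b" ", b"")
    hits = []
    for name, pattern in secret_encodings(secret).items():
        if name.startswith("hex"):
            haystack = hexview
        elif name.startswith("base64"):
            haystack = textview
        else:
            haystack = trace
        if pattern in haystack:
            hits.append(name)
    return hits

# Constructed test credential and trace contents
SECRET = "P@ssw0rd-ECP!"
CLEAN_TRACE = ("[1234] 10:00:01: BeginSession: identity=testuser\r\n"
               "[1234] 10:00:02: credentials received (length=13)\r\n").encode("utf-16-le")
LEAKY_UTF16 = "[1234] 10:00:02: inner method password=P@ssw0rd-ECP!\r\n".encode("utf-16-le")
LEAKY_HEX = (b"[1234] 10:00:02: cred blob: "
             + " ".join(f"{b:02X}" for b in SECRET.encode("utf-8")).encode("ascii")
             + b"\r\n")

if __name__ == "__main__":
    for label, trace in (("clean", CLEAN_TRACE), ("utf16", LEAKY_UTF16), ("hex", LEAKY_HEX)):
        print(label, find_secret(trace, SECRET))
```

An empty result does not replace the manual review: a method could log a transformed or partial form of the credential that none of these patterns cover.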

 

148.2.1 - All data for a given EAP method will be located under HKLM\SYSTEM\CurrentControlSet\Services\EAPHost\Methods

This test verifies that installation of method does not modify the registry, other than its allocated space.

 

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.
  • Install the method.
  • Verifies that all the registry updates are done as part of installation under the following key:

    HKLM\System\CurrentControlSet\Services\EapHost\Methods\<AuthId>\<TypeId>

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to a registry location other than the one specified.
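
The confinement check in 145.2.4 and 148.2.1 comes down to comparing registry key snapshots taken before and after installation and rejecting any new key outside the method's subtree. The following is an added example, not the ECP tool's code; the snapshot sets, the AuthId and TypeId values and the function names are constructed, and it assumes that parent keys created on the way down to the method's key are acceptable.

```python
ALLOWED_ROOT = r"HKLM\System\CurrentControlSet\Services\EapHost\Methods"

def norm(key: str) -> tuple:
    """Split a key path into case-folded components; map the long hive name to HKLM."""
    parts = [p.casefold() for p in key.split("\\") if p]
    if parts and parts[0] == "hkey_local_machine":
        parts[0] = "hklm"
    return tuple(parts)

def out_of_scope_keys(before, after, auth_id, type_id) -> list:
    """Return keys created by the install that lie outside Methods\\<AuthId>\\<TypeId>."""
    root = norm(f"{ALLOWED_ROOT}\\{auth_id}\\{type_id}")
    known = {norm(k) for k in before}
    bad = []
    for key in after:
        k = norm(key)
        if k in known:
            continue                      # existed before the install
        # Compare whole components, not string prefixes: "...\200" must not
        # match "...\2000", and registry key names are case-insensitive.
        inside = k[:len(root)] == root
        ancestor = root[:len(k)] == k     # assumption: parent keys may be created
        if not (inside or ancestor):
            bad.append(key)
    return sorted(bad)

# Constructed snapshots; AuthId 99999 and TypeId 200 are placeholder values
BEFORE = {
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
AFTER = BEFORE | {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods\99999",
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\200",
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\200\Config",
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\2000",
    r"HKLM\Software\ExampleVendor\EapTunnel",
}

if __name__ == "__main__":
    for key in out_of_scope_keys(BEFORE, AFTER, "99999", "200"):
        print("outside allowed subtree:", key)
```

CurrentControlSet is a symbolic link to a numbered control set, so a snapshot tool that reports ControlSet001 paths needs those mapped back before this comparison.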

 

148.2.2 - All Vendors who submit methods to the ECP will acquire a valid Enterprise-ID from IANA (Manual).

This test verifies that the registry has the enterprise ID at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods\<VendorIANAid>

 

Overview

The test performs the following steps:

  • Validates whether the enterprise ID is in the acceptable range.
  • If it is an expanded EAP type, checks whether the vendor ID is in the acceptable range.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The enterprise ID or vendor ID is not in the acceptable range.

 

148.2.3 - The Vendor Registry Key under which all vendor method configuration data is stored will contain a string value which identifies the vendor name corresponding to the vendor’s enterprise-id.

This test verifies that the registry has the enterprise ID at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods\<VendorIANAid>

It also verifies that the registry location has a default string value or a value “Name” which specifies the vendor name.

 

Overview

The test performs the following steps:

  • Check if the name present at this registry location matches with the Vendor Name corresponding to the vendor’s enterprise id.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • There is a mismatch in names.

 

148.2.4 - All files that are added to the system by the installation package (INF) are to be physically located under the Windows “Program Files” directory in a private sub-directory that reasonably reflects the nature of the ECP submission.

This test verifies that files added by the package are only under Program Files.

 

Overview

The test performs the following steps:

  • Checks the install section of the INF file. All the files added should be located one folder under Program Files.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The install section tries to copy a file to some other location.

 

148.2.5 - EAP Methods MUST add their default registry keys using regsvr32 facility

This test verifies that the method is installed using regsvr32.exe.

 

Overview

The test performs the following steps:

  • Uninstall the method using regsvr32.
  • Install the method using regsvr32.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Uninstall or install fails.

 

149.2.1 - EAP Methods will produce a human-readable debug tracing log that enables administrators or other users to investigate and determine the cause of failures (Manual)

This test verifies that the EAP method produces human-readable trace logs. This test case needs user interaction on the DTM client side.

 

Overview

The test performs the following steps:

  • Checks the status of the trace file.
  • Runs the Authentication session with the method.
  • Ensure that method has written to trace logs.
  • Verify that the trace logs are human readable.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The method writes non-human-readable characters to the trace logs as part of authentication.

 

User Interactions

User has to do the following tasks.

  • In DTM Studio, schedule the job that has the test case ID 149.2.1; the following interactions are then needed at the DTM client.
  • Enable the method-specific trace (which will be written to C:\windows\tracing) and then press Ok.
  • An authentication session will be run as part of the test case.
  • Disable the method trace and then press Ok.
  • The trace file will be displayed in Notepad.
  • Verify whether the trace file is human readable or not and then close the file.
  • Enter the appropriate choice (Yes/No) in the dialog box that follows.
  • End of the test case.

 

149.2.2 - EAP Method debug tracing will be turned-off by default

This test verifies that method tracing is disabled by default.

 

Overview

The test performs the following steps:

  • Check the state of trace file.
  • Run an authentication session.
  • Check the trace file.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • A log entry is added during the authentication session.

 

150.2.1 - The EAP Method Binary MUST export all mandatory APIs

 

Overview 

Reads the exports of the method DLL and validates them.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Method does not export mandatory API.

 

150.2.2 - ECP Submissions MUST NOT include any binaries that are expected to execute in kernel-mode. ECP Submissions are expressly prohibited from shipping kernel-mode drivers of any kind (i.e., .SYS, etc.)

 

Overview 

Reads all the binaries imported by the method and validates them.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Method uses any binaries expected to execute in kernel-mode.

 

150.2.3 - EAP Method Submissions MUST NOT take a dependency on .NET framework

 

Overview 

Reads the dependencies of the method DLL and validates them.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Method depends on .NET framework.
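
The static checks in 144.2.1, 144.2.2, 150.2.2 and 150.2.3 can be approximated from PE headers alone: the COFF machine field gives the architecture, a native subsystem marks a kernel-mode candidate, and a populated CLR data directory marks a .NET assembly. This is an added example, not the ECP tool's implementation (which the page says reads imports and dependencies); `inspect_pe`, `check_submission`, the file names and the synthetic headers built by `fake_pe` are constructed for illustration.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64
SUBSYSTEM_NATIVE = 1                        # IMAGE_SUBSYSTEM_NATIVE (drivers)
CLR_DIR = 14                                # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

def inspect_pe(data: bytes) -> dict:
    """Read architecture, subsystem and CLR directory from PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe + 4)
    opt = pe + 24                                        # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    dirs = opt + (96 if magic == 0x10B else 112)         # data directory table
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    rva = size = 0
    if count > CLR_DIR:
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    return {"arch": MACHINES.get(machine, hex(machine)),
            "kernel_mode": subsystem == SUBSYSTEM_NATIVE,
            "dotnet": rva != 0 and size != 0}

def check_submission(binaries: dict) -> list:
    """binaries: file name -> file bytes. Returns a list of failure strings."""
    info = {name: inspect_pe(blob) for name, blob in binaries.items()}
    failures = []
    for arch in ("x86", "x64"):
        n = sum(1 for i in info.values() if i["arch"] == arch)
        if n != 1:
            failures.append(f"expected exactly one {arch} binary, found {n}")
    for name, i in info.items():
        if i["kernel_mode"]:
            failures.append(f"{name}: native subsystem (kernel-mode image)")
        if i["dotnet"]:
            failures.append(f"{name}: CLR header present (.NET assembly)")
    return failures

def fake_pe(machine, subsystem, plus=False, clr=(0, 0)) -> bytes:
    """Constructed header-only image for the demo; not a loadable binary."""
    dirs = 112 if plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, dirs - 4, 16)
    struct.pack_into("<II", opt, dirs + 8 * CLR_DIR, *clr)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed sample submissions (file names are hypothetical)
GOOD = {"tunnel32.dll": fake_pe(0x014C, 2), "tunnel64.dll": fake_pe(0x8664, 2, plus=True)}
BAD = {"tunnel32.dll": fake_pe(0x014C, 2, clr=(0x2008, 0x48)),
       "helper.sys": fake_pe(0x8664, 1, plus=True)}
```

The native subsystem value is also used by native user-mode programs, so a hit is a reason to inspect the file rather than proof of a driver. A native DLL that loads the .NET runtime at run time has no CLR header and is not caught by this header check.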

 

150.2.4 - EAP Methods MUST demonstrate successful end-to-end authentication

 

Overview 

Runs an end-to-end authentication.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Authentication fails.

 

150.2.5 - EAP Method MUST NOT make any assumptions about the underlying transport.

 

Overview 

Runs authentication session with the EAP Method and finds the assumptions made on transport layer.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Method depends upon underlying transport layer.

 

150.2.6 - All implemented EAP method APIs will successfully survive comprehensive API fuzz testing without error, including observable resource leaks

 

Overview 

All the implemented EAP Method APIs are subjected to API fuzz testing.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Observable resource leaks are found.

 

150.2.7 - EAP Methods MUST NOT load any DLLs or cause to be loaded any DLLs that are not provided with the submission or provided by Windows itself

 

Overview 

Runs the end-to-end authentication session and finds all the DLLs loaded by the method.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The EAP method loads any DLL other than the submission DLLs and system DLLs.

 

150.2.8 - EAP Methods MUST NOT initiate, terminate or pass-through any IPC

 

Overview 

Network interaction is prohibited for any EAP method. If the method interacts with the network in any way (initiate, terminate, pass through network connections)

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The EAP method is involved in IPC communication.

 

150.2.10 - EAP Method Submissions MUST include a peer method implementation

 

Overview 

Submission should have only one peer method.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The submission has more than one peer method.

 

150.2.28 - EAP Methods MUST support UI suppression request bit through EapHostPeerBeginSession() suppressing informational UI.

 

Overview 

If the suppression request bit is set in begin session, then the UI should not be raised.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • UI is raised.

 

150.2.29 - EAP Methods MUST support alternate credentials bit through EapHostPeerBeginSession().

 

Overview 

If the alternate credentials bit is passed, the credentials passed in BeginSession should be used.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Other credentials are used.

 

150.2.30 - EAP Methods MUST always perform legal state transitions.

 

Overview 

A complete authentication session should not leave the EapHost state machine in an incomplete state.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The EapHost state machine is not completed.

 

150.2.31 - EAP Methods must implement Peer runtime routines for all these functions

 

Overview 

All the EAP Peer Method runtime method routines need to be implemented.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Any runtime API is not implemented.

 

150.2.32 - EAP Methods MUST provide an XML schema that defines and is used to validate XML configuration documents.

 

Overview 

The XML schema for configuration data needs to be provided with the submission package.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • XML schemas are not provided.

 

150.2.33 - EAP Methods MUST pass configuration XML to BLOB, configuration BLOB to XML inter-conversion test

 

Overview 

The XML config to BLOB and BLOB to XML APIs must be implemented.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Not implemented or not working.

 

151.2.1 - EAP Method Submissions MUST accurately set appropriate security and property descriptor bits for the EAP method.

 

Overview 

The method must set security descriptors correctly. Our tools will test to verify that the methods actually support these.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Security or Property descriptors wrongly set.

 

153.2.1 - EAP Methods that export keys must export them only to EAPHost and to no other destination. The keys will be delivered directly to the lower layer for consumption and use entirely at that layer. Keys may not be distributed outside of the lower layer per RFC. The keys must be exported in the following manner: MSK using the MS-MPPE extension. EMSK using the EMSK Extension (Manual).

 

Overview 

The method must not handle key distribution. It's potentially very compromising to handle, store or export these keys.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Key is exposed to other components.

 

154.2.1 - Tunnelling EAP methods must support EAPHost methods as inner method.

 

Overview 

EAP Method must support any EapHost based method as inner method.

 

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The method does not support an EapHost-based method as the inner method.


Built on December 10, 2009