Skip to content

Latest commit

 

History

History
30 lines (19 loc) · 3.83 KB

authentication-protocol-initialization.md

File metadata and controls

30 lines (19 loc) · 3.83 KB
title description ms.assetid ms.topic ms.date ms.contributor
Authentication Protocol Initialization
The EAP secured connection is initialized between the client and server in similar ways for RAS and wireless (802.1X) clients.
1cd5bfc9-2ba3-477c-9bbb-73578a5623c2
article
06/14/2023
samyun

Authentication Protocol Initialization

The EAP secured connection is initialized between the client and server in similar ways for RAS and wireless (802.1X) clients.

Client

When the client attempts to establish the connection, the authentication service obtains identity information for the user. If the RAS_EAP_VALUENAME_INVOKE_NAMEDLG value is present in the registry for this authentication protocol and this value is set to zero, the authentication service calls RasEapGetIdentity. This function typically displays a user interface that allows the identity information to be of a type specific to the authentication protocol; for example, a certificate or numeric ID. If RAS_EAP_VALUENAME_INVOKE_NAMEDLG is not present, or is set to one, the authentication service displays the standard system user-name dialog.

Once the authentication service has obtained the identity information for the user, it calls the authentication protocol's implementation of RasEapBegin. This call allows the authentication protocol to allocate and initialize a work buffer that the service passes on subsequent calls to RasEapMakeMessage and RasEapEnd. The work buffer is opaque to the service and never accesses the contents of the work buffer. If the authentication protocol creates a distinct work buffer for each EAP session, then the work buffer is session and thread safe. Because the authentication protocol allocates the memory for the work buffer, the authentication protocol should also free this memory using the RasEapFreeMemory function.

In the call to RasEapBegin, the service also passes a PPP_EAP_INPUT structure that contains pointers to the configuration information for the connection, and the identity information for the user. The service always passes in a value for the pszIdentity member of PPP_EAP_INPUT. However, the pszPassword member of PPP_EAP_INPUT may be NULL.

Within the PPP_EAP_INPUT structure, the fAuthenticator member indicates whether the authentication protocol is being invoked to be authenticated (on the client) or as the authenticator (on the server).

Server

On the server, the bInitialID member of PPP_EAP_INPUT specifies the ID that the server uses for the first EAP packet. The server increments this ID for subsequent packets.

Also on the server, the pUserAttributes pointer in PPP_EAP_INPUT points to an array of attributes of the RAS_AUTH_ATTRIBUTE_TYPE type. These are attributes for the user that were obtained from the client.

If the RasEapBegin call returns any value other than NO_ERROR, the session is disconnected. The returned error is logged (on the server), or displayed to the user (on the client).