2.2.3.2.5 EapTlsConnectionProperties

The Microsoft implementation of EAP-TLS overrides the abstract type BaseEapTypeParameters with type EapTlsConnectionPropertiesV1. This type is defined to be a string formatted according to the XML schema in section 6.8.1, and imports EapTlsConnectionPropertiesV2 from the schema in section 6.8.2.<29> The EapTlsConnectionPropertiesV1 type defines the following elements:

CredentialsSource: An element of type CredentialsSourceParameters, containing one of the following elements:

SmartCard: An empty string whose presence indicates that the certificate is to be obtained from a SmartCard available to the operating system.

CertificateStore: An element whose presence indicates that the certificate is to be obtained from the operating system certificate store. This element can also contain the following element:

SimpleCertSelection: An optional Boolean. If TRUE or absent, then the method will automatically select a certificate for authentication without user interaction, if possible. If FALSE, the method will always prompt the user to select a certificate.

ServerValidation: An element of type ServerValidationParameters, as specified in section 2.2.3.2.8.

DifferentUsername: A Boolean. If TRUE, specifies that a different user name is to be used for EAP Identity response than the one present in the certificate. If FALSE, EAP uses the same identity as in the certificate's alternate subject name.

The EapTlsConnectionPropertiesV2 schema (section 6.8.2) defines the following additional elements:

PerformServerValidation: An optional Boolean which indicates whether server validation is performed.

AcceptServerName: An optional Boolean which indicates whether the server name is validated against the name string specified in the ServerNames (ServerValidationParameters) element.

TLSExtensions: An optional container for elements of other namespaces which enables future enhancements to the schema.

The EapTlsConnectionPropertiesV3 (section 6.8.3) schema defines the following elements:<30>

FilteringInfo: An element of type FilterInfoParams containing the following elements:

AllPurposeEnabled: An optional Boolean that indicates whether all-purpose certificates are allowed for authentication on the client. If set to TRUE, all-purpose certificates are allowed. If set to FALSE or absent, all-purpose certificates are not allowed.

CAHashList: An element of type CAHashListParams containing the following elements:

IssuerHash: The thumbprint of a root certification authority that issues certificates that can be allowed on a client for authentication. It is represented as the hexadecimal encoding of the SHA-1 hash of the certificate. Multiple such elements can be present.

Enabled: Defined as an attribute of CAHashListParams that indicates whether the certificates on the client are to be filtered based on the CA hash as specified by one or more IssuerHash elements. If set to TRUE, certificates are filtered based on specified CAs. If set to FALSE, certificate filtering is not done based on CAs.

EKUMapping: An element of type EKUMapParams that contains the following element:

EKUMap: This element can be present multiple times, indicating multiple EKU Name and OID mappings. It is an element of type EKUMapPair that contains the following elements:

EKUName: An element of type string specifying the name of the EKU.

EKUOID: An element of type string specifying the EKU OID corresponding to the name specified by the EKUName element.

ClientAuthEKUList: An optional element of type EKUListParams.

AnyPurposeEKUList: An optional element of type EKUListParams.

EKUListParams: Type used by ClientAuthEKUList and AnyPurposeEKUList for specifying the EKUs to be used for filtering certificates on the client. It contains the following elements:

Enabled: Defined as an attribute of EKUListParams that indicates whether the certificates on the client are to be filtered based on the EKU list as specified by one or more EKUMapInList elements. If set to TRUE, certificates are filtered based on the specified EKU list. If set to FALSE, certificate filtering is not done based on the EKU list.

EKUMapInList: This element can be present multiple times, indicating multiple EKUs. Both EKUName and EKUOID need not be specified if the mapping between EKU Name and OID is already defined in the EKUMapping element. Each EKUMapInList element is of type EKUListPair and contains the following elements:

EKUName: An element of type string specifying the name of the EKU.

EKUOID: An element of type string specifying the EKU OID.

Extensions: An optional container for elements of other namespaces that enables future enhancements to the schema.
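The following is an added example, not part of the specification or of any Microsoft implementation: it parses a constructed EapTlsConnectionProperties blob containing the V1, V2 and V3 elements described above into a dictionary, resolves an EKUMapInList entry that omits EKUOID through the EKUMapping element, and flags settings that weaken the client's checks (server validation turned off, CA hash filtering disabled, all-purpose certificates allowed). The root element name `EapType`, the namespace URIs in the sample, the placeholder IssuerHash value and the finding names are assumptions of this example; matching is done on local element names so the exact namespaces do not matter.

```python
"""Audit an EAP-TLS connection-properties XML blob (added example, not spec code).

Root element name, namespace URIs and finding names below are assumptions;
the IssuerHash value is a constructed placeholder, not a real CA thumbprint.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample profile: V1 body, V2 flags, V3 FilteringInfo under TLSExtensions.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"
         xmlns:v2="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"
         xmlns:v3="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
  <CredentialsSource><CertificateStore>
    <SimpleCertSelection>true</SimpleCertSelection>
  </CertificateStore></CredentialsSource>
  <ServerValidation><ServerNames>radius.example.test</ServerNames></ServerValidation>
  <DifferentUsername>false</DifferentUsername>
  <v2:PerformServerValidation>false</v2:PerformServerValidation>
  <v2:AcceptServerName>true</v2:AcceptServerName>
  <v2:TLSExtensions><v3:FilteringInfo>
    <v3:AllPurposeEnabled>true</v3:AllPurposeEnabled>
    <v3:CAHashList Enabled="false">
      <v3:IssuerHash>0000000000000000000000000000000000000000</v3:IssuerHash>
    </v3:CAHashList>
    <v3:EKUMapping><v3:EKUMap>
      <v3:EKUName>Client Authentication</v3:EKUName>
      <v3:EKUOID>1.3.6.1.5.5.7.3.2</v3:EKUOID>
    </v3:EKUMap></v3:EKUMapping>
    <v3:ClientAuthEKUList Enabled="true">
      <v3:EKUMapInList><v3:EKUName>Client Authentication</v3:EKUName></v3:EKUMapInList>
    </v3:ClientAuthEKUList>
  </v3:FilteringInfo></v2:TLSExtensions>
</EapType>
"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(parent: Optional[ET.Element], name: str) -> Optional[ET.Element]:
    """First direct child with the given local name (None-safe; use 'is None' on results)."""
    return None if parent is None else next((c for c in parent if _local(c.tag) == name), None)


def _findall(parent: Optional[ET.Element], name: str) -> List[ET.Element]:
    return [] if parent is None else [c for c in parent if _local(c.tag) == name]


def _text(elem: Optional[ET.Element]) -> str:
    return "" if elem is None or elem.text is None else elem.text.strip()


def _bool(elem: Optional[ET.Element], default):
    """Schema Booleans are the strings 'true'/'false'; absent element -> default."""
    return default if elem is None or elem.text is None else _text(elem).lower() == "true"


def _enabled(elem: ET.Element) -> bool:
    """The 'Enabled' attribute of CAHashListParams / EKUListParams; absent -> false (assumed)."""
    return elem.get("Enabled", "false").strip().lower() == "true"


def parse_profile(xml_text: str) -> dict:
    """Extract the security-relevant settings into a plain dictionary."""
    root = ET.fromstring(xml_text)
    cred, sv = _find(root, "CredentialsSource"), _find(root, "ServerValidation")
    props = {
        "smart_card": _find(cred, "SmartCard") is not None,
        # V1: TRUE or absent means a certificate is picked without prompting the user.
        "simple_cert_selection": _bool(_find(_find(cred, "CertificateStore"), "SimpleCertSelection"), True),
        "server_names": _text(_find(sv, "ServerNames")),
        "different_username": _bool(_find(root, "DifferentUsername"), False),
        # V2 optional Booleans: None records "not present" instead of guessing a default.
        "perform_server_validation": _bool(_find(root, "PerformServerValidation"), None),
        "accept_server_name": _bool(_find(root, "AcceptServerName"), None),
        "all_purpose_enabled": False, "ca_hash_filtering": False, "issuer_hashes": [],
        "eku_map": {}, "client_auth_filtering": False, "client_auth_ekus": [],
    }
    fi = _find(_find(root, "TLSExtensions"), "FilteringInfo")
    if fi is None:
        return props
    props["all_purpose_enabled"] = _bool(_find(fi, "AllPurposeEnabled"), False)  # absent -> not allowed
    ca = _find(fi, "CAHashList")
    if ca is not None:
        props["ca_hash_filtering"] = _enabled(ca)
        props["issuer_hashes"] = [_text(h).lower() for h in _findall(ca, "IssuerHash")]
    for pair in _findall(_find(fi, "EKUMapping"), "EKUMap"):
        props["eku_map"][_text(_find(pair, "EKUName"))] = _text(_find(pair, "EKUOID"))
    lst = _find(fi, "ClientAuthEKUList")
    if lst is not None:
        props["client_auth_filtering"] = _enabled(lst)
        for entry in _findall(lst, "EKUMapInList"):
            name, oid = _text(_find(entry, "EKUName")), _text(_find(entry, "EKUOID"))
            # EKUOID may be omitted when EKUMapping already defines the name.
            props["client_auth_ekus"].append((name, oid or props["eku_map"].get(name, "")))
    return props


def audit(props: dict) -> List[str]:
    """Return finding names (this example's own vocabulary) for weakening settings."""
    findings = []
    if props["perform_server_validation"] is False:
        findings.append("server-validation-disabled")
    if props["accept_server_name"] and not props["server_names"]:
        findings.append("server-name-check-without-names")
    if props["all_purpose_enabled"]:
        findings.append("all-purpose-certs-allowed")
    if not props["ca_hash_filtering"] or not props["issuer_hashes"]:
        findings.append("ca-hash-filtering-disabled")
    if any(len(h) != 40 or set(h) - set("0123456789abcdef") for h in props["issuer_hashes"]):
        findings.append("malformed-issuer-hash")  # SHA-1 thumbprint must be 40 hex digits
    if any(not oid for _, oid in props["client_auth_ekus"]):
        findings.append("unresolved-eku-name")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

The parser deliberately records an absent V2 Boolean as `None` rather than inventing a default, because this section does not state one; the audit only reports PerformServerValidation when it is explicitly FALSE. The V3 defaults it does apply (AllPurposeEnabled absent means not allowed; an absent `Enabled` attribute treated as FALSE) come from the text above and are noted in the code. Run the block as a script to print the findings for the sample; on a profile that enables server validation, pins issuer hashes and disallows all-purpose certificates, `audit` returns an empty list.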