Authentication Protocol Initialization

The EAP-secured connection is initialized between the client and the server in the same sequence of calls for RAS (dial-up and VPN) and wireless (802.1X) clients.

Client

When the client attempts to establish the connection, the authentication service obtains identity information for the user. If the RAS_EAP_VALUENAME_INVOKE_NAMEDLG value is present in the registry for this authentication protocol and this value is set to zero, the authentication service calls RasEapGetIdentity. This function typically displays a user interface that allows the identity information to be of a type specific to the authentication protocol; for example, a certificate or numeric ID. If RAS_EAP_VALUENAME_INVOKE_NAMEDLG is not present, or is set to one, the authentication service displays the standard system user-name dialog.

Once the authentication service has obtained the identity information for the user, it calls the authentication protocol's implementation of RasEapBegin. This call allows the authentication protocol to allocate and initialize a work buffer that the service passes back on every subsequent call to RasEapMakeMessage and RasEapEnd. The work buffer is opaque to the service, which never accesses its contents. If the authentication protocol allocates a distinct work buffer for each EAP session and keeps all per-session state in it, that state is isolated per session and safe to use from whichever thread the service calls on. Because the authentication protocol allocates the memory for the work buffer, the authentication protocol is also responsible for freeing it, which it does in its implementation of RasEapEnd, the last call the service makes with that buffer. (RasEapFreeMemory, by contrast, is the export the service calls to release memory the protocol has returned to it.) If the work buffer caches the user's identity or password, the protocol should zero it before freeing it.

In the call to RasEapBegin, the service also passes a PPP_EAP_INPUT structure that contains pointers to the configuration information for the connection and the identity information for the user. The service always passes a value for the pszIdentity member of PPP_EAP_INPUT. However, the pszPassword member of PPP_EAP_INPUT may be NULL (for example, when the identity is a certificate), so the authentication protocol must check it before dereferencing it.

Within the PPP_EAP_INPUT structure, the fAuthenticator member indicates whether the authentication protocol is being invoked as the party being authenticated (FALSE, on the client) or as the authenticator (TRUE, on the server).

Server

On the server, the bInitialId member of PPP_EAP_INPUT specifies the Identifier that the server uses for the first EAP packet it sends. The server increments this Identifier for each subsequent packet; the EAP Identifier field is a single byte, so it wraps after 255. The client does not allocate Identifiers: its responses carry the Identifier of the request they answer.

Also on the server, the pUserAttributes pointer in PPP_EAP_INPUT points to an array of RAS_AUTH_ATTRIBUTE structures, each tagged with a RAS_AUTH_ATTRIBUTE_TYPE value and terminated by an entry of type raatMinimum. These are attributes for the user that were obtained from the client.

If the RasEapBegin call returns any value other than NO_ERROR, the session is disconnected. The returned error is logged (on the server) or displayed to the user (on the client). Because any nonzero return ends the session, RasEapBegin should validate its inputs and fail cleanly, releasing anything it has already allocated, rather than continue with a partially initialized work buffer.
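The following C sketch of RasEapBegin and RasEapEnd is an added example, not code from this page or from the Windows SDK. It ties together the points above for both sides: a distinct work buffer per session, a bounded copy of pszIdentity, a NULL check on pszPassword, seeding the packet Identifier from bInitialId only when fAuthenticator is set, refusing the session with a non-NO_ERROR code on bad input, and zeroing cached credentials before the buffer is freed in RasEapEnd. To compile without the SDK it defines constructed stand-ins for PPP_EAP_INPUT and the three Win32 error codes; a real EAP DLL would include windows.h and raseapif.h instead, where the identity members are wide strings. EapNextRequestId, DemoSession, the buffer sizes and the sample identities are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in types and error codes so this compiles without the Windows SDK
 * (CONSTRUCTED for this example; a real EAP DLL includes <windows.h> and
 * <raseapif.h>, where the identity members are wide strings). */
typedef uint32_t DWORD; typedef int BOOL; typedef uint8_t BYTE;
#define NO_ERROR                0
#define ERROR_NOT_ENOUGH_MEMORY 8
#define ERROR_INVALID_PARAMETER 87

typedef struct {
    BOOL        fAuthenticator;  /* nonzero when acting as the authenticator (server) */
    const char *pszIdentity;     /* always supplied by the service */
    const char *pszPassword;     /* may be NULL */
    BYTE        bInitialId;      /* server only: Identifier of the first EAP packet */
    const void *pUserAttributes; /* server only: RAS_AUTH_ATTRIBUTE array, unused here */
} PPP_EAP_INPUT;

/* Per-session work buffer; opaque to the service, which only hands the
 * pointer back on RasEapMakeMessage and RasEapEnd. */
typedef struct {
    BOOL fAuthenticator;
    char identity[256];
    char password[128];
    BOOL havePassword;
    BYTE bNextId;                /* server: Identifier of the next Request */
} EAP_WORK_BUFFER;

static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Copies src into dst[n]; returns 0 and writes nothing if it does not fit. */
static int copy_bounded(char *dst, size_t n, const char *src) {
    size_t len = strlen(src);
    if (len >= n) return 0;
    memcpy(dst, src, len + 1);
    return 1;
}

DWORD RasEapBegin(void **ppWorkBuffer, const PPP_EAP_INPUT *pInput) {
    EAP_WORK_BUFFER *wb;
    /* The service always supplies an identity; refuse rather than dereference
     * NULL. Any non-NO_ERROR return makes the service drop the session. */
    if (ppWorkBuffer == NULL || pInput == NULL || pInput->pszIdentity == NULL)
        return ERROR_INVALID_PARAMETER;
    if ((wb = calloc(1, sizeof *wb)) == NULL)  /* one distinct buffer per session */
        return ERROR_NOT_ENOUGH_MEMORY;
    if (!copy_bounded(wb->identity, sizeof wb->identity, pInput->pszIdentity) ||
        (pInput->pszPassword != NULL &&        /* pszPassword may legitimately be NULL */
         !copy_bounded(wb->password, sizeof wb->password, pInput->pszPassword))) {
        secure_zero(wb, sizeof *wb);
        free(wb);
        return ERROR_INVALID_PARAMETER;
    }
    wb->havePassword   = (pInput->pszPassword != NULL);
    wb->fAuthenticator = pInput->fAuthenticator;
    /* Only the authenticator seeds its Identifier from bInitialId. */
    wb->bNextId = pInput->fAuthenticator ? pInput->bInitialId : 0;
    *ppWorkBuffer = wb;
    return NO_ERROR;
}

/* Server side: Identifier for the next Request, then advance (8 bits: 255 wraps to 0). */
BYTE EapNextRequestId(EAP_WORK_BUFFER *wb) {
    BYTE id = wb->bNextId;
    wb->bNextId = (BYTE)(id + 1);
    return id;
}

/* The protocol allocated the buffer, so it frees it here, wiping cached credentials first. */
DWORD RasEapEnd(void *pWorkBuffer) {
    if (pWorkBuffer == NULL) return ERROR_INVALID_PARAMETER;
    secure_zero(pWorkBuffer, sizeof(EAP_WORK_BUFFER));
    free(pWorkBuffer);
    return NO_ERROR;
}

/* Drives one session as the service would (Begin, work, End). Returns -1 if
 * Begin refused; as authenticator, the Identifier of the third Request sent;
 * as client, 1 if a password was cached and 0 if the service passed none. */
int DemoSession(BOOL fAuthenticator, const char *identity,
                const char *password, BYTE initialId) {
    PPP_EAP_INPUT in = { fAuthenticator, identity, password, initialId, NULL };
    EAP_WORK_BUFFER *wb = NULL;
    int result;
    if (RasEapBegin((void **)&wb, &in) != NO_ERROR) return -1;
    if (fAuthenticator) {
        EapNextRequestId(wb); EapNextRequestId(wb);
        result = EapNextRequestId(wb);
    } else {
        result = wb->havePassword;
    }
    RasEapEnd(wb);
    return result;
}
```

A server session started with bInitialId 254 issues Identifiers 254, 255 and 0, so DemoSession(1, "alice@example.com", NULL, 254) returns 0; a client session with a NULL password completes with nothing cached, and an identity of 256 or more bytes is refused before anything is copied, so the service disconnects instead of the protocol running with a truncated name.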