EAP Method Properties
Used by supplicants and authenticators to determine the EAP methods to be used with a given supplicant or authenticator. Method properties also specify the configuration of a method.
For example, the 802.1X supplicant may require methods to have certain properties for use with the 802.1X supplicant. Keying material, for example, is a requirement.
The properties supported by EAP methods are listed. Properties are stored as registry key values. For more information, see the EAP Peer Method DLL Registry Key section of the topic Registry Configuration for EAP Methods.
-
eapPropCipherSuiteNegotiation
-
-
0x00000001
-
The method allows the cipher suite to be negotiated for the purpose of data encryption. Windows Server 2008 supports the following 3DES cipher suites:
- TLS_RSA_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (TLS & SSL 3)
- SSL_CK_DES_192_EDE3_CBC_WITH_MD5 (SSL 2 if enabled)
For more information about the TLS 1.0 security protocol, see RFC 2246.
-
-
eapPropMutualAuth
-
-
0x00000002
-
The method provides an exchange, in which the authenticator authenticates the peer and vice versa.
-
-
eapPropIntegrity
-
-
0x00000004
-
The method provides data origin authentication and protection against unauthorized modification of information for EAP packets, including EAP requests and responses. When making this claim, a method specification must specify the protected EAP packets and protected fields within EAP packets.
-
-
eapPropReplayProtection
-
-
0x00000008
-
The method can protect against replay of an EAP method or its messages. Success and failure result indications cannot be replayed.
-
-
eapPropConfidentiality
-
-
0x00000010
-
The method can encrypt EAP messages. EAP requests, EAP responses, success result indications, and failure result indications are encrypted. A method making this claim must support identity protection.
-
-
eapPropKeyDerivation
-
-
0x00000020
-
The method can derive exportable keying material, such as the Master Session Key (MSK) and the Extended Master Session Key (EMSK). The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data. Use of the EMSK is reserved.
-
-
eapPropKeyStrength64
-
-
0x00000040
-
The minimum key length supported by the EAP method is 64 bits.
-
-
eapPropKeyStrength128
-
-
0x00000080
-
The minimum key length supported by the EAP method is 128 bits.
-
-
eapPropKeyStrength256
-
-
0x00000100
-
The minimum key length supported by the EAP method is 256 bits.
-
-
eapPropKeyStrength512
-
-
0x00000200
-
The minimum key length supported by the EAP method is 512 bits.
-
-
eapPropKeyStrength1024
-
-
0x00000400
-
The minimum key length supported by the EAP method is 1024 bits.
-
-
eapPropDictionaryAttackResistance
-
-
0x00000800
-
The method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary. Where password authentication is used, passwords are commonly selected from a small set (as compared to a set of N-bit keys), which raises a concern about dictionary attacks. A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker's dictionary.
-
-
eapPropFastReconnect
-
-
0x00001000
-
The method has the ability, in the case where a security association has been previously established, to create a new or refreshed security association more efficiently or in a smaller number of round-trips.
-
-
eapPropCryptoBinding
-
-
0x00002000
-
The method demonstrates to the EAP server that a single entity has acted as the EAP peer for all methods executed within a tunnel method. Binding may also imply that the EAP server demonstrates to the peer that a single entity has acted as the EAP server for all methods executed within a tunnel method. If executed correctly, binding serves to mitigate man-in-the-middle vulnerabilities.
-
-
eapPropSessionIndependence
-
-
0x00004000
-
The method demonstrates that passive attacks (such as capture of the EAP conversation) or active attacks (including compromise of the MSK or EMSK) do not compromise subsequent or prior MSKs or EMSKs.
-
-
eapPropFragmentation
-
-
0x00008000
-
The method can support fragmentation and reassembly if EAP packets exceed the minimum MTU (maximum transmission unit) of 1020 octets.
-
-
eapPropChannelBinding
-
-
0x00010000
-
The method can communicate integrity-protected channel properties, such as endpoint identifiers, which can be compared to values communicated using out of band mechanisms - such as an Authentication, Authorization, and Accounting (AAA) or the lower layer protocol.
-
-
eapPropNap
-
-
0x00020000
-
The method supports Network Access Protection (NAP).
-
-
eapPropStandalone
-
-
0x00040000
-
The method can be used on a standalone machine.
-
-
eapPropMppeEncryption
-
-
0x00080000
-
The method supports Microsoft Point-to-Point Encryption (MPPE) protocol encryption.
-
-
eapPropTunnelMethod
-
-
0x00100000
-
The method supports tunneling of other EAP methods.
-
-
eapPropSupportsConfig
-
-
0x00200000
-
The method supports configurable properties, and has a user interface.
-
-
eapPropCertifiedMethod
-
-
0x00400000
-
The method was certified by the EAP Certification Program. This bit should only be sent by EAP methods that have passed certification.
-
-
eapPropmachineAuth
-
-
0x01000000
-
Windows 7 or later: The method can be used to authenticate a machine on to a network using the machines credentials.
-
-
eapPropUserAuth
-
-
0x02000000
-
Windows 7 or later: The method can be used to authenticate a user on to a network using the users credentials.
-
-
eapPropIdentityPrivacy
-
-
0x04000000
-
Windows 7 or later: The method supports sending the user identity in a protected channel.
-
-
eapPropMethodChaining
-
-
0x08000000
-
Windows 7 or later: The method is a tunnelled method and supports EAP method chaining within the tunnel.
-
-
eapPropSharedStateEquivalence
-
-
0x10000000
-
Windows 7 or later: The method supports shared state equivalence as defined in RFC 4017.
-
-
eapPropReserved
-
-
0x80000000
-
Reserved. Not used.
-
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows Vista [desktop apps only] |
| Minimum supported server |
Windows Server 2008 [desktop apps only] |
| Header |
|
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for