EAPHost in Windows Vista and Longhorn (January 18, 2006)

Chat Topic: EAPHost in Windows Vista and Longhorn
Date: Thursday, January 18, 2007

**Please note:** Portions of this transcript have been edited for clarity.

Christian (Moderator):
Hi again everyone and welcome.

Christian (Moderator):
Today’s Chat topic: EAPHost in Windows Vista and Longhorn

Christian (Moderator):
This web-chat will be focused on explaining the role of EAPHost, a Microsoft Windows Networking component introduced in Vista that provides an Extensible Authentication Protocol (EAP) infrastructure for the authentication of "supplicant" protocol implementations such as 802.1X and Point-to-Point Protocol (PPP).

Christian (Moderator):
Let's introduce our Experts for today’s chat.

Introductions

Kapil[MSFT] (Moderator):
Welcome everyone. This is Kapil from the NPS (Microsoft's RADIUS server) Test team.

Chris [MSFT] (Expert):
Hello, my name is Chris, and I am a member of the Network Access Protection team.

Ambrish [MSFT] (Expert):
Welcome everyone, this is Ambrish from the EAP team at MSFT.

Sam Salhi [MSFT] (Expert):
Hi all, I'm Sam Salhi, and I'm a member of the EAP team in the Enterprise networking group.

Greg Lindsay [MSFT] (Expert):
Hi, I am Greg Lindsay, a technical writer for NAP.

Christian (Moderator):
Please feel free to begin asking your questions and remember to check the “ask the experts” box before sending. Thanks.

Start of Chat

Sam Salhi [MSFT] (Expert):
Q:
What EAP methods do you guys support?
A: Vista supports multiple EAP types. EAP-TLS, PEAP-EAP-MSCHAPv2 and PEAP-EAP-TLS. Other vendors can create their own EAP TLS methods that could be used to support other methods.

Kapil[MSFT] (Moderator):
Q:
Has anyone to your knowledge been able to create a LEAP peer method using the EAPHost API?
A: Yes, several parties have succeeded.

Chris [MSFT] (Expert):
Q:
Is there a mechanism to export EAP generated pairwise master keys (PMKs) from EAP host?
A: No, there is not.

Ambrish [MSFT] (Expert):
Q:
Can you explain the pAttributeArray in EapPeerBeginSession? We never see any attributes.
A: These are EAP attributes passed in by the supplicant for EAP methods, so if the supplicant does not provide any then you will not see any.

Sam Salhi [MSFT] (Expert):
Q:
Also, at any time during the negotiation, is it possible for the EAPhost plugin to determine the interface on which the authentication is happening?
A: The EAP methods are agnostic to the interface or the SSID. They have no knowledge of that information. It's the supplicant's job to identify and react based on these.

Sam Salhi [MSFT] (Expert):
Q:
When the EAP method is processing an EAP authentication, how do we find what SSID is being used? How can we find out what adapter the data is coming through?
A: The EAP methods are agnostic to the interface or the SSID. They have no knowledge of that information. It's the supplicant's job to identify and react based on these.

Ambrish [MSFT] (Expert):
Q:
Is there a sample for providing the Username and Password to MSFT's implementation of MSCHAPv2?
A: This may be able to answer your question: https://msdn2.microsoft.com/en-gb/library/ms697873.aspx

Sam Salhi [MSFT] (Expert):
Q:
Does the EAP-Host / supplicant allow binding to multiple adapters (wired / wireless) simultaneously? How / when is this binding done?
A: EAPHOST doesn't bind to any specific adapter. The service will talk to the supplicant. The Microsoft supplicant handles multiple adapters simultaneously. And EAPHOST can handle multiple authentications simultaneously as well. Does this answer your question or would you like to add any follow up?

Chris [MSFT] (Expert):
Q:
I can't find EAP-MD5 under Vista, is there a reason for that?
A: Please see the following: https://support.microsoft.com/kb/922574/en-us

Ambrish [MSFT] (Expert):
Q:
Is there a way to allow users to share the configuration set by an EAP client method?
A: It can; method-specific config data is saved as part of the connection profile.

Sam Salhi [MSFT] (Expert):
Q:
I don't understand your answer to Q6 - Microsoft supplies the supplicant in the case of 802.11. But a user may be logging into one of several networks. The EAP method UI should provide a hint which one in case the networks have different passwords.
A: It's actually the Supplicant UI that handles that. So you see multiple networks. You connect to one, and each will have a different profile stored specifically for it. All of this is handled by the supplicant, which only passes Authentication requests to EAPHOST.

Ambrish [MSFT] (Expert):
Q:
Is the EAPHOST design more geared towards a wireless authentication environment or can it be used for a wired environment as well?
A: It is designed to serve both wired and wireless supplicants in the same way.

Shashwat [MSFT] (Expert):
Q:
The TTLS EAP method I developed is based on the fact that the configuration is saved in the HKEY_LOCAL software registry key. This is however not possible as the virtualization feature in Vista prevents this from happening.
A: User-specific settings should be stored in HKCU and method-specific settings should go in the method's registry key.

Shashwat [MSFT] (Expert):
Q:
Hello. I'm working on an EAPhost plugin that implements TTLS. If I understand correctly, the supplicant is expecting us to return MSK info through an eatEMSK attribute. At what point in the negotiation can that be returned?
A: When EapPeerGetResult is called then this attribute should be returned.

Kapil[MSFT] (Moderator):
Q:
Do you plan to add an interface to export EAP generated PMKs from EAP-Host? This would allow extensibility for building additional protocols above 802.1X/EAP.
A: Is your question about methods supporting export or merely EAPHost providing an export facility for keying material from the methods?

Ambrish [MSFT] (Expert):
Q:
Q15 follow-up: Does the MS supplicant support binding to wired adapters or only wireless? Can you please point to an article which describes this?
A: We provide EAPHost, which can be used by any supplicant, wireless/wired; in Vista both of them use EAPHost.

Sam Salhi [MSFT] (Expert):
Q:
Q15 follow-up: Does the MS supplicant support binding to wired adapters or only wireless? Can you please point to an article which describes this?
A: EAP can be used for both wired and wireless adapters.

Kapil[MSFT] (Moderator):
Q:
What can we expect in way of changes in the SP1 timeframe?
A: Changes to EAP methods, EAPHost? Can you be more specific?

Kapil[MSFT] (Moderator):
Q:
Ambrish, sorry, wrong question. I require the EAP Client method to have a general configuration as well as user specific. In Windows 2K/XP I achieved this by saving the general information to the HKEY_LOCAL registry file but this is not possible in Vista.
A: Hi (question answered privately)

Shashwat [MSFT] (Expert):
Q:
There seem to be at least three ways to indicate authentication failure from PeerGetResult: through EapError passed as a parameter, through pEapError in the EapPeerMethodResult structure, and by returning an error code. Which one is recommended?
A: If it is an authentication failure (means that the auth completes normally but the decision of the auth is a failure), use the out parameter EapPeerMethodResult.

Kapil[MSFT] (Moderator):
What is the configuration that is being stored? (Specifically)

Ambrish [MSFT] (Expert):
Q:
Is there a way to install an EAP peer method that does not appear in the "Choose a network authentication method:" combo box on the "Wireless Network properties"? I only want to have my peer method configured with my client app.
A: They should come as installable; once installed properly (which should also configure the proper registry keys), it will show up.

Christian (Moderator):
Just a Reminder- remember to check the “ask the experts” box before sending. Thanks!

Kapil[MSFT] (Moderator):
Q:
Q22: What changes can we expect in SP1 w.r.t. EapHost peer methods and perhaps L2NA and cred providers?
A: Some likely changes are additional single sign-on support (i.e. change credentials), expanded vendor method support (i.e., UI reflects vendor method name, etc.), expanded method support (type 254), and some other changes as well.

Ambrish [MSFT] (Expert):
Q:
Follow-up to question 3. I have attempted to return the attribute in EapPeerGetResult(), to no avail. Do you have a sample as to how the structure should be filled in? Filling in the EapPeerMethodResult didn't seem to work (and, leaked the memory)
A: Please refer to the MSDN documentation for this, https://msdn2.microsoft.com/en-gb/library/aa364249.aspx. Please let me know if you still see issues.

Ambrish [MSFT] (Expert):
Q:
Do you have any recommendations about implementing session resumption? The EAPHost plugin gets unloaded after authentication completes. What was intended as far as where state information should be stored?
A: For session resumption, state is stored as an updated config blob with the supplicant, and on the next authentication this can be used.

Chris [MSFT] (Expert):
Rob - which list are you referring to?

Kapil[MSFT] (Moderator):
Q:
What is your CE strategy for EapHost peer?
A: Hi - The CE team is considering support for EAPHost. Please contact tonyle@microsoft.com or edvir@microsoft.com if you are interested in such support.

Sam Salhi [MSFT] (Expert):
Q:
Is it possible for me to use a 3rd party certificate with EAP server? Can I use wildcard certificates?
A: It's possible to use 3rd party certificates, provided that they are valid and meet a few other restrictions (validity, expiration, chaining to a proper root, etc.).

Sam Salhi [MSFT] (Expert):
Q:
Is it possible for me to use a 3rd party certificate with EAP server? Can I use wildcard certificates?
A: However, wildcard certificates are not allowed.

Kapil[MSFT] (Moderator):
Q:
How can I turn off the native EAPHOST support and run my own 802.1x supplicant like asinghai claims to do?
A: Hi - If you wanted to use your own supplicant, you can do this side-by-side with EAPHost running or not. Alternately, your supplicant may use EAPHost and methods (i.e., your supplicant could use the EAP support built in to EAPHost). Does that answer your question?

Christian (Moderator):
Just a heads-up on time here, we’re now about halfway through today’s chat. Thanks.

Chris [MSFT] (Expert):
Q:
Q[27] I don't want my EAP peer method to show up in the list. Is there a way I can do this?
A: There is currently no way to do this; EAPHost will always return all of the methods installed, and it is up to the Supplicant to decide which methods to display.

Chris [MSFT] (Expert):
Q:
"Choose a network authentication method:" combo box on the "Wireless Network properties"
A: There is currently no way to do this; EAPHost will always return all of the methods installed, and it is up to the Supplicant to decide which methods to display.

Kapil[MSFT] (Moderator):
Q:
About 35 - No. Can you point me at docs on how to run side-by-side? We were told the Microsoft supplicant gets all wireless data.
A: Ah - That's a slightly different question. EAPHost can run in parallel to any supplicant (and frequently runs in conjunction with various supplicants). I'm not sure about turning off the 1x supplicant itself.

Wei Zheng [MSFT] (Expert):
Q:
Q10 follow-up: Ability to get PMK from EAP-Host embedded EAP methods by external app. So, looking for EAP-Host to provide an interface to export PMK generated by whatever EAP method is being executed within EAP-Host.
A: No plan to support this. Once the authentication session is done, the session state is removed from EapHost, so EapHost won't be able to return any information at that time.

Kapil[MSFT] (Moderator):
Q:
Hi Kapil, the configuration is basically a TTLS security profile (username, verify TTLS server certificate, use TTLS session resumption). This profile can be applied to multiple SSIDs. This is not supported by EAPHost as this is SSID/Adapter config.
A: It seems like this information would be stored with TTLS as part of the EAP-TTLS EAP configuration blob. In the EAPHost model, supplicants store EAP configuration in conjunction with the SSID. Does that make sense?

Ambrish [MSFT] (Expert):
Q:
When I turn off the native EAPHOST support and run my own 802.1x supplicant, is there a way to turn it off only for wired or wireless adapters?
A: Unfortunately this level of granularity for EAPHost support is not provided.

Sam Salhi [MSFT] (Expert):
Q:
Is the source for MSFT's implementation of PEAP available?
A: No, it's not; however, sample EAP methods are provided on MSDN if you need them.

Wei Zheng [MSFT] (Expert):
Q:
Why does the EapHostPeerBeginSession call from EapPeerInvokeIdentityUI of another (outer) method fail with “access denied”? Is it allowed at all?
A: Looks like you are trying to start the authentication from within the UI process, which does not make sense. The BeginSession() API can only be called for the authentication runtime and not in the UI process. It can be called by the outer method if it is the authentication runtime.

Ambrish [MSFT] (Expert):
Q:
Is the source for MSFT's implementation of PEAP available?
A: Sorry, MSFT PEAP is not open source, though it will be useful to understand your requirements. Thanks.

Chris [MSFT] (Expert):
Q:
Are there any details on Validation/Certification that will be conducted for 3rd party EAP-methods (EAP-FAST, EoU) that will ship as part of Windows update? ...clicked "ask the experts" this time
A: Please contact edvir@microsoft.com for information on ECP.

Ambrish [MSFT] (Expert):
Q:
Is there a link which explains how to use the EAPHOST support for wired adapters?
A: EAPHost supplicant APIs are the same for wired as well as wireless adapters.

Chris [MSFT] (Expert):
Q:
What is the status of ECP (Eap Cert Program)?
A: Please contact edvir@microsoft.com for information on ECP.

Kapil[MSFT] (Moderator):
Q:
Follow-up to Q25: will SSO enhancements be limited to L2NA or will there be a way for peers to retrieve creds within the peer method after the user session is up?
A: No, the credentials will not be available to other components.

Wei Zheng [MSFT] (Expert):
Q:
Are there any plans to provide better control over when 1x supplicant clears the user blob on authentication failure (peer)?
A: I think you should just clear the user blob whenever there is an auth failure. Does this answer your question?

Ambrish [MSFT] (Expert):
Q:
Follow on to 43... it is always easier to build something when you can see a real life example of a similar implementation. I think PEAP is similar to EAP-TTLS which we may have to support.
A: I will leave it for your discretion.

Wei Zheng [MSFT] (Expert):
Q:
Follow-up Q33: It does make sense when the outer method uses identity from the inner one and the inner is configured to ask the user.
A: Yes, I think it makes sense. In general the outer method only establishes a secure channel, and it is up to the inner method to provide identity. This is how the Microsoft implementation of PEAP works.

Savys[MSFT] (Expert):
Q:
Is it possible to share configuration data (returned in the config blob) between SSIDS?
A: No

Mudit Goel [MSFT] (Expert):
Q:
Q30 follow-up: Are you indicating that all keys (PMKs) generated by an EAP method within EAP-Host will only be available / consumed by the MS supplicant? If I wanted to add another 11i-like protocol and leverage EAP-Host to generate a PMK - is this possible?
A: Ken, currently EAP methods export MSKs (Master Session Keys) in the form of MPPE keys to the supplicants (any supplicant, not just MS supplicants). If the methods want to generate any other keys during authentication, they can provide those keys as vendor specific attributes to the supplicants.

Kapil[MSFT] (Moderator):
Q:
Follow-up to Q46: If the session failed for a reason other than an authentication failure (cert lookup for example), how can the supplicant be instructed not to clear the user blob?
A: No, it is not possible to do that. However, MS 802.1x supplicant does not clear credentials in case of timeout failures.

Mudit Goel [MSFT] (Expert):
Q:
Q30 follow-up: Are you indicating that all keys (PMKs) generated by an EAP method within EAP-Host will only be available / consumed by the MS supplicant? If I wanted to add another 11i-like protocol and leverage EAP-Host to generate a PMK - is this possible?
A: Ken, currently EAP methods export MSKs in the form of MPPE keys to the supplicants (any supplicant, not just MS supplicants). If the methods want to generate any other keys during authentication, they can provide those keys as vendor specific attributes to the supplicants.

Ambrish [MSFT] (Expert):
Q:
It looks like EapHost uses language neutral RegLoadMUIString to get PeerFriendlyName from registry but it is not reflected anywhere in docs. Is that correct?
A: You are right, and thanks for catching it. EAPHost does support it; we will document it and provide it to you shortly. In short, you need to expose the localized name from the .mui file and EAPHost will read it from there.

Wei Zheng [MSFT] (Expert):
Q:
I'm not a COM expert, but I understand EAPHost is based on COM (Single-threaded-apartment?). Are there any synchronization or locking issues with firing off multiple simultaneous authentications into the framework?
A: It is multi-threaded. You can do multiple authentications simultaneously. However, you can NOT do this if the GUIDs are the same. For different GUIDs, you can do multiple auths. Or, if you use GUID_NULL, you can do this, too.

Ambrish [MSFT] (Expert):
Q:
I'm not a COM expert, but I understand EAPHost is based on COM (Single-threaded-apartment?). Are there any synchronization or locking issues with firing off multiple simultaneous authentications into the framework?
A: Not that we are aware of; if you have seen any issues please report them and we will be glad to look into them.

Chris [MSFT] (Expert):
Q:
Follow-up Q38: What is the purpose of the eapPropStandalone property then?
A: This method-specific property is utilized on the authenticator side only; it controls how users/credentials are verified in the method.

Eran[MSFT] (Expert):
Q:
Follow on to 43... it is always easier to build something when you can see a real life example of a similar implementation. I think PEAP is similar to EAP-TTLS which we may have to support.
A: You are right, PEAP is very similar to TTLS.

Savys[MSFT] (Expert):
Q:
Is there support for the so-called "Computer Logon" allowing for example wireless devices to perform a domain logon?
A: Yes. It is called machine auth; we support it for all the MS methods.

Mudit Goel [MSFT] (Expert):
Q:
I know that there is a software team which uses its own 4-way handshake along with the native supplicant and they are able to export the PMK out of the supplicant; in this chat I heard we cannot export the PMK out. Can you please explain?
A: PMKs are typically generated by supplicants and Authenticators based on MSK (which is generated by the EAP method). So EAP Host would not generate this, but provide the MSKs to the supplicant. If you are wondering if Microsoft's 802.1x supplicant has a way to export the PMK that it might generate, then we would have to put you in touch with the 802.1x team who might be able to answer this better.

Christian (Moderator):
Okay everyone, we have about 5 minutes left for today’s chat. If you have any last minute questions, please submit them asap. Our Experts will answer as many questions as possible in the time remaining. Thanks!

Wei Zheng [MSFT] (Expert):
Q:
Follow-up Q49: But against IAS such a method will fail because the server requires a real username which is unknown to the outer method at identity request time. Also, as I understand, MS PEAP is built on the legacy EAP API.
A: Yes, Microsoft PEAP is built on the legacy API. But that's how it works. When the outer method tries to get the user identity, it should ask the inner method for identity. And this step should happen in your EapPeerGetIdentity() implementation, and this is before EapPeerBeginSession() from the peer method API's point of view. Does this help?

Ambrish [MSFT] (Expert):
Q:
If my EAP peer method does not provide any configuration how do I disable the "Settings..." button on the security tab of the "Wireless Network Properties"?
A: You can disable it from the registry for a method entry that does not provide a config UI, but we strongly require you to provide one; if there is no config data, then maybe just for a help link about that method, etc.

Kapil[MSFT] (Moderator):
For further questions please contact ecp@microsoft.com; the chat will conclude shortly.

Savys[MSFT] (Expert):
Q:
Follow-up on Q59. Can an ISV interject a client to connect to wireless prior to logging onto the domain?
A: No. You would have to connect a machine to a domain, provision it and then connect to the domain.

Eran[MSFT] (Expert):
Q:
Follow-up on Q45: So there is no way to correctly install a method which can only be used as an inner method (for example EAP-GTC) so the user will not be confused by its appearance in the outer methods list?
A: That's correct, but the supplicant can decide which methods to display.