3.2.1 Abstract Data Model

This section describes a model of possible data organization that a client-side implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This specification does not mandate that an implementation adhere to this model as long as the external behavior of the implementation is consistent with what is described in this specification.

The PEAP peer participating in this protocol maintains the following data.

isFastReconnectConfigured: A Boolean flag indicating whether fast reconnect is configured to be allowed (TRUE) or not allowed (FALSE) for the session.

isIdPrivacyEnabled: A Boolean flag indicating whether Identity Privacy feature is enabled (TRUE) or not (FALSE) for the session.<9>

IdentityPrivacyString: A NULL terminated Unicode string indicating the identity to be used in the outer EAP-Identity response packet.<10>

isValidateServerCertEnabled: A Boolean flag indicating whether a server certificate will be validated for the session. . A value of TRUE means the certificate will be validated.  A value of FALSE means the certificate will not be validated.

ServerNames: An array of NULL terminated Unicode strings indicating the names of authenticating servers that the client configured to authenticate to.

isValidateServerNameEnabled: A Boolean flag indicating whether the subject name of the server certificate should (TRUE) or should not (FALSE) be validated against the configured ServerNames for the session.

isPromptForValidationDisabled: A Boolean flag indicating whether a user can (TRUE) or cannot (FALSE) be prompted to override the validation failures on the server certificate.

TrustedCertHashInfoList: An array of 20-byte SHA1 hash ([RFC3174]) specifying the subset of certificates from a trust root that needs to be used by the peer to validate the trust anchor (section 6 of [RFC5280]) of the server certificate obtained during the Phase 1 TLS Tunnel establishment.

The [MS-GPWL] specifies a mechanism to initialize the EAP methods with method-specific settings. It specifies the settings for PEAP in BLOB format (section 2.2.3.1) and in schema format (section 2.2.3.1.2). The following table specifies the elements in the BLOB and xml schema, and it specifies the corresponding abstract data model variable that gets initialized.

Abstract Data Model (ADM) element

BLOB element from [MS-GPWL]

Schema element from [MS-GPWL]

isSoHEnabled

PeapEnableQuarantine (2.2.3.1.2)

EnableQuarantineChecks (2.2.3.2.6)

isCryptoRequired

PeapEnforceCryptoBinding (2.2.3.1.2)

RequireCryptoBinding (2.2.3.2.6)

isFastReconnectConfigured

PeapFastRoaming (2.2.3.1.2)

FastReconnect (2.2.3.2.6)

InnerEapType

InnerEapType (2.2.3.1.2.2)

baseEap:Eap (2.2.3.2.4)

isIdPrivacyEnabled

PeapEnableIdentityPrivacy (2.2.3.1.2)

EnableIdentityPrivacy (2.2.3.2.6)

IdentityPrivacyString

IdentityPrivacyString (2.2.3.1.2)

AnonymousUserName (2.2.3.2.6)

isValidateServerCertEnabled

PeapTlsPhase1NoValidateServerCert (2.2.3.1.2.1)

PerformServerValidation (2.2.3.2.5)

isValidateServerNameEnabled

PeapTlsPhase1NoValidateName (2.2.3.1.2.1)

AcceptServerName (2.2.3.2.5)

isPromptForValidationDisabled

PeapTlsPhase1DisablePromptValidation (2.2.3.1.2.1)

DisableUserPromptForServerValidation (2.2.3.2.8)

ServerNames

ServerName (2.2.3.1.2.1)

ServerNames (2.2.3.2.8)

TrustedCertHashInfoList

TrustedCertHashInfoList (2.2.3.1.2.1)NumberOfCAs (2.2.3.1.2.1) field indicates the number of elements in the TrustedCertHashInfoList ADM element.

TrustedRootCA (2.2.3.2.8)Number of <TrustedRootCA> elements (2.2.3.2.8) indicates the number of elements in the TrustedCertHashInfoList ADM element.

The client maintains the current state of the authentication in an integer variable called currentState. The currentState variable is initialized when the client starts the PEAP authentication and remains valid till the authentication is done. At any point in time, the currentState variable can have the following integer values, each one representing the current state of the client machine.

  • PEAP_BEGIN

  • PEAP_PHASE1_INPROGRESS

  • TUNNEL ESTABLISHED

  • PHASE2_EAP_INPROGRESS

  • INNER_IDENTITY_SENT

  • SUCCESS_TLV_SENT

  • FAILURE_TLV_SENT

  • PEAP_SUCCESS

  • PEAP_FAILED

PEAP Peer State Machine

Figure 4: PEAP Peer State Machine