The following topic provides answers to commonly asked questions about the EAPHost APIs.
What is a supplicant?
The supplicant is the entity to be authenticated using EAPHost. Typical supplicants are 802.1X clients, 802.3 clients, and Routing and Remote Access Service (RRAS) Point-to-Point Protocol (PPP) clients.
What is a peer?
The peer is the client side of an EAP authentication.
How does a peer differ from a supplicant?
The supplicant transports packets, whereas a peer does not. Nonetheless, the terms peer, supplicant and client are largely synonymous.
What is an authenticator?
The authenticator is the wireless access point, network access server (NAS), or network access device (NAD) that authenticates the supplicant. The authenticator is also known as the EAP server.
What is the lifetime of an authentication?
The lifetime of a single authentication session on the client side is everything that occurs between the calls to EapHostPeerBeginSession and EapHostPeerEndSession. The lifetime on the authenticator side is everything that occurs between the calls to EapPeerBeginSession and EapPeerEndSession.
What is a BLOB? Why would I convert a configuration (binary) BLOB to XML?
A BLOB is a binary large object. XML has several advantages over a binary configuration BLOB. Configuration data that is stored in XML is human-readable, human-editable, and cross-platform.
When do I convert a stored XML BLOB back to a binary BLOB?
It's possible to store either a binary BLOB or an XML BLOB, but you must always convert an XML BLOB back to a binary BLOB before using it with the run-time APIs; the run-time APIs do not accept XML directly.
What are native methods?
Native EAP methods use the new EAPHost API.
What are legacy methods?
Legacy EAP methods are defined in the Extensible Authentication Protocol Reference. The legacy EAP methods are available for use in Windows Vista and Windows Server 2008. These methods may not be available for use in subsequent versions of the operating system.
What's the difference between legacy and native methods?
The native APIs are simpler and have fewer features. All new EAP methods should be written using the EAPHost API.
What is "group policy"?
For a description of group policy, see Group Policy Collection.
Can EAPHost functions override configuration policy specified by group policy?
No, never. If group policy is in use, group policy settings will always override EAPHost configuration settings.
What is Single-Sign-On (SSO)?
802.1X is a layer 2 authentication mechanism. Depending on the SSO configuration, SSO enables users to authenticate to the network using 802.1X authentication before or immediately after logging on to Windows. SSO can be configured to use Windows credentials for network authentication (in which case users enter their credentials only once) or use different credentials for Windows and network authentication. For more information, see SSO and PLAP.
What is Pre-Logon Access Provider (PLAP)?
For more information, see SSO and PLAP.
What is Protected Extensible Authentication Protocol (PEAP)?
For more information, see PEAP and About Extensible Authentication Protocol.
How does PEAP deal with session resumption and re-authentication?
Session resumption and re-authentication typically occur while roaming on a wireless network. The Windows Data Protection API (DPAPI) provides a way to protect data and bind it to a user and, optionally, to the logon session. The caller passes an unencrypted buffer to CryptProtectMemory, and DPAPI encrypts the memory in place. Later, the caller passes the encrypted buffer to CryptUnprotectMemory, and DPAPI decrypts the memory, again in place. For more information, see TLS Inner Application Extension (TLS/IA) and PEAP.
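The in-place protect/unprotect round trip described above, as an added example that is not part of this documentation: it calls CryptProtectMemory and CryptUnprotectMemory from crypt32.dll through P/Invoke and assumes PowerShell running on Windows. The Win32.Dpapi wrapper type, the functions Protect-SecretInPlace and Unprotect-SecretInPlace, and the sample secret are all constructed for this example.

```powershell
# Added example (not from the EAPHost documentation): DPAPI in-place memory
# protection via P/Invoke. The secret below is a constructed sample value.
Add-Type -Namespace Win32 -Name Dpapi -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptProtectMemory(byte[] pDataIn, uint cbDataIn, uint dwFlags);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptUnprotectMemory(byte[] pDataIn, uint cbDataIn, uint dwFlags);
'@

# Flags from dpapi.h: they decide who may later unprotect the buffer.
$CRYPTPROTECTMEMORY_SAME_PROCESS  = 0   # only the process that protected it
$CRYPTPROTECTMEMORY_CROSS_PROCESS = 1   # any process on this machine
$CRYPTPROTECTMEMORY_SAME_LOGON    = 2   # any process in the same logon session
$BLOCK_SIZE = 16                        # CRYPTPROTECTMEMORY_BLOCK_SIZE: cbDataIn must be a multiple of this

function Protect-SecretInPlace {
    # Copies the secret into a buffer padded to a 16-byte boundary, then encrypts that buffer in place.
    param([byte[]]$Secret, [uint32]$Scope = 0)   # default scope: CRYPTPROTECTMEMORY_SAME_PROCESS
    $blocks = [math]::Max(1, [math]::Ceiling($Secret.Length / $BLOCK_SIZE))
    $buffer = New-Object byte[] ([int]$blocks * $BLOCK_SIZE)
    [Array]::Copy($Secret, $buffer, $Secret.Length)
    if (-not [Win32.Dpapi]::CryptProtectMemory($buffer, [uint32]$buffer.Length, $Scope)) {
        throw ('CryptProtectMemory failed: Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    # $buffer is the same array object, now holding ciphertext; only the original length is kept in the clear.
    return @{ Buffer = $buffer; Length = $Secret.Length; Scope = $Scope }
}

function Unprotect-SecretInPlace {
    # Decrypts the buffer in place, copies out the original bytes, and scrubs the decrypted buffer.
    param([hashtable]$Protected)
    $buffer = $Protected.Buffer
    if (-not [Win32.Dpapi]::CryptUnprotectMemory($buffer, [uint32]$buffer.Length, $Protected.Scope)) {
        throw ('CryptUnprotectMemory failed: Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    $plain = New-Object byte[] $Protected.Length
    [Array]::Copy($buffer, $plain, $Protected.Length)
    [Array]::Clear($buffer, 0, $buffer.Length)   # do not leave a plaintext copy behind in the padded buffer
    return ,$plain
}

# Constructed sample: 29 bytes, so the protected buffer is padded to 32 bytes.
$secret    = [System.Text.Encoding]::UTF8.GetBytes('constructed sample credential')
$protected = Protect-SecretInPlace -Secret $secret -Scope $CRYPTPROTECTMEMORY_SAME_PROCESS
'ciphertext in place: ' + [BitConverter]::ToString($protected.Buffer)
$recovered = Unprotect-SecretInPlace -Protected $protected
'recovered: ' + [System.Text.Encoding]::UTF8.GetString($recovered)
```

Two points a practitioner should keep in mind: CryptProtectMemory rejects buffers whose length is not a multiple of CRYPTPROTECTMEMORY_BLOCK_SIZE, so the padding step is required, not cosmetic; and with CRYPTPROTECTMEMORY_SAME_PROCESS the ciphertext is useless to any other process, so state that must survive a re-authentication handled elsewhere needs the SAME_LOGON scope or the user-bound CryptProtectData path the answer alludes to.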
What is EAP-Transport Level Security (EAP-TLS)?
EAP-TLS is a client-server protocol in which distinct certificate profiles are typically used for the client and the server. For more information, see IETF RFC 2716.
How do I implement a password change using the Local Security Authority (LSA) API?
Use the LsaCallAuthenticationPackage function to implement a password change.
Why would I want to enable tracing in EAPHost?
The trace logs contain debugging information (available in English only) that may assist Microsoft developers and partners in finding the root causes of any issues being experienced with the authentication process. For more information, see Enabling Tracing.
Why do I encounter the error code, NTE_BAD_KEY_STATE (0x8009000BL) when I use the Cryptography API to sign into the EAP-TLS exchange?
In Winerror.h, NTE_BAD_KEY_STATE (0x8009000BL) is defined as "key not valid for use in specified state". This error is typically returned in the following scenarios:
- When attempting to export a non-exportable private key BLOB
- When an attempt to generate a pseudo-random function (PRF) hash handle using [CryptCreateHash](/windows/desktop/api/wincrypt/nf-wincrypt-cryptcreatehash) fails
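The first scenario, reproduced and diagnosed, as an added example that is not part of this documentation: it builds a throwaway self-signed certificate, imports its PFX once without and once with the Exportable flag, and classifies the export failure by the HRESULT. It assumes PowerShell 7 on Windows; the functions New-ConstructedPfx and Get-PrivateKeyExportability, the subject name and the password are constructed for this example.

```powershell
# Added example (not from the EAPHost documentation): reproduce NTE_BAD_KEY_STATE
# by exporting a non-exportable private key, and recognise it by HRESULT.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$NTE_BAD_KEY_STATE = '8009000B'   # Winerror.h value, as the hex form of the exception's HResult

function New-ConstructedPfx {
    # Build a throwaway self-signed certificate in memory and return it as PFX bytes.
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=eaphost-faq-constructed', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddMinutes(-5), [DateTimeOffset]::UtcNow.AddDays(1))
    return ,$cert.Export([X509ContentType]::Pkcs12, 'export-password')
}

function Get-PrivateKeyExportability {
    # Returns a short verdict for the certificate's private key, separating
    # NTE_BAD_KEY_STATE from any other cryptographic failure (which is rethrown).
    param([X509Certificate2]$Cert)
    try {
        [void]$Cert.Export([X509ContentType]::Pkcs12, 'export-password')
        return 'exportable'
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # PowerShell wraps .NET method exceptions
        # HResult is a signed Int32; formatting it as X8 gives the unsigned value Winerror.h lists.
        if (($ex -is [CryptographicException]) -and (('{0:X8}' -f $ex.HResult) -eq $NTE_BAD_KEY_STATE)) {
            return 'not exportable: NTE_BAD_KEY_STATE (key not valid for use in specified state)'
        }
        throw
    }
}

$pfx    = New-ConstructedPfx
$locked = [X509Certificate2]::new($pfx, 'export-password', [X509KeyStorageFlags]::DefaultKeySet)  # no Exportable flag
$open   = [X509Certificate2]::new($pfx, 'export-password', [X509KeyStorageFlags]::Exportable)
'imported without Exportable: ' + (Get-PrivateKeyExportability $locked)
'imported with Exportable:    ' + (Get-PrivateKeyExportability $open)
$locked.Dispose(); $open.Dispose()
```

The check is the same one an EAP-TLS client can run before it starts an exchange: if the private key behind the selected client certificate was imported without the Exportable flag, any code path that needs to export it will fail with this HRESULT, and the useful fix is to re-import the key with the right flag (or to avoid the export) rather than to retry the operation.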
What is a pseudo-random function (PRF)?
A PRF is a function that takes a key, a label, and a seed as input and produces output of arbitrary length. For more information, see Finished Messages in the TLS 1.0 Protocol.
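The TLS 1.0 PRF referred to above, worked through as an added example that is not part of this documentation: it implements P_hash and PRF as RFC 2246 section 5 defines them and then derives the 12-byte verify_data of a Finished message (section 7.4.9). It runs in Windows PowerShell 5.1 or PowerShell 7. The functions Get-PHash, Get-TlsPrf and Get-TlsFinishedVerifyData, the master secret and the handshake transcript are constructed for this example; the secret values are placeholders, not real TLS material.

```powershell
# Added example (not from the EAPHost documentation): the TLS 1.0 PRF (RFC 2246
# section 5) and its use for Finished-message verify_data (section 7.4.9).

function Get-PHash {
    # P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    # where A(0) = seed and A(i) = HMAC(secret, A(i-1)); output is truncated to $Length bytes.
    param([System.Security.Cryptography.HMAC]$Hmac, [byte[]]$Secret, [byte[]]$Seed, [int]$Length)
    $Hmac.Key = $Secret
    $out = New-Object System.Collections.Generic.List[byte]
    $a = $Seed                                                   # A(0)
    while ($out.Count -lt $Length) {
        $a = $Hmac.ComputeHash($a)                               # A(i) = HMAC(secret, A(i-1))
        $out.AddRange($Hmac.ComputeHash([byte[]]($a + $Seed)))   # HMAC(secret, A(i) + seed)
    }
    return ,[byte[]]$out.GetRange(0, $Length).ToArray()
}

function Get-TlsPrf {
    # PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)
    # S1 is the first half of the secret and S2 the second half; an odd-length
    # secret shares its middle byte between both halves.
    param([byte[]]$Secret, [string]$Label, [byte[]]$Seed, [int]$Length)
    if ($Secret.Length -eq 0) { throw 'secret must not be empty' }
    $half = [int][math]::Ceiling($Secret.Length / 2)
    $s1 = [byte[]]$Secret[0..($half - 1)]
    $s2 = [byte[]]$Secret[($Secret.Length - $half)..($Secret.Length - 1)]
    $labelSeed = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($Label) + $Seed)
    $md5Part  = Get-PHash -Hmac (New-Object System.Security.Cryptography.HMACMD5)  -Secret $s1 -Seed $labelSeed -Length $Length
    $sha1Part = Get-PHash -Hmac (New-Object System.Security.Cryptography.HMACSHA1) -Secret $s2 -Seed $labelSeed -Length $Length
    $result = New-Object byte[] $Length
    for ($i = 0; $i -lt $Length; $i++) { $result[$i] = $md5Part[$i] -bxor $sha1Part[$i] }
    return ,$result
}

function Get-TlsFinishedVerifyData {
    # verify_data = PRF(master_secret, finished_label, MD5(handshake_messages) + SHA-1(handshake_messages))[0..11]
    param([byte[]]$MasterSecret, [string]$FinishedLabel, [byte[]]$HandshakeMessages)
    $md5  = [System.Security.Cryptography.MD5]::Create().ComputeHash($HandshakeMessages)
    $sha1 = [System.Security.Cryptography.SHA1]::Create().ComputeHash($HandshakeMessages)
    return Get-TlsPrf -Secret $MasterSecret -Label $FinishedLabel -Seed ([byte[]]($md5 + $sha1)) -Length 12
}

# Constructed inputs: a 48-byte stand-in for the master secret and a fake handshake transcript.
$masterSecret = [byte[]](1..48)
$handshake    = [System.Text.Encoding]::ASCII.GetBytes('constructed handshake transcript')
$verify = Get-TlsFinishedVerifyData -MasterSecret $masterSecret -FinishedLabel 'client finished' -HandshakeMessages $handshake
'client verify_data: ' + (($verify | ForEach-Object { $_.ToString('x2') }) -join '')
```

The label is what separates the two Finished messages of one session ("client finished" versus "server finished") even though both sides hold the same master secret and the same transcript hashes, and the XOR of the MD5- and SHA-1-based expansions is why this PRF, unlike the single-hash PRF of TLS 1.2, still stands if one of the two hash functions is weakened.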
How does EAPHost bind to network adapters?
EAPHost allows multiple supplicants to operate simultaneously, and each supplicant can bind to multiple network adapters. EAPHost supplicants provide the binding to the network layers and drive the authentication process. Supplicants hold the authentication configuration, save state, and provide subsequent connection security. Because EAPHost does not itself bind to any network mechanism, supplicants can be extended independently of it.