EAP-PEAP and EAP-TLS implementation on Windows CE 6.0

  • Question

  • Hi,

    I am trying to implement EAP-PEAP in Windows CE 6.0.

    I read the following article on MSDN: https://msdn.microsoft.com/en-us/library/ee494062%28v=winembedded.60%29.aspx?f=255&MSPPError=-2147217396

    It says to implement the RasEapGetIdentity function in a separate DLL. This function will be called by the RAS server only if the RAS_EAP_VALUENAME_INVOKE_NAMEDLG value that is in the registry for this EAP is set to 0. I also set RAS_EAP_VALUENAME_INVOKE_PWDDLG to 0.

    Now, to pass the identity, there is a member pszIdentity which takes the user.

    I want to know how to pass the Password.

    Please help.

    Friday, September 23, 2016 4:44 PM

All replies

  • Hi AjayShankar,

    The documentation is pretty clear that if you are not displaying the dialog, you should be retrieving something like biometric data.  See https://msdn.microsoft.com/en-us/library/windows/desktop/aa363514(v=vs.85).aspx.

    ...the EAP vendor may create a related value, RAS_EAP_VALUENAME_INVOKE_PWDDLG, in the registry. If this value is present and is set to zero, the service will not display the standard system password dialog. This value is useful when implementing a biometric method such as a fingerprint scan to authenticate the user. If both the RAS_EAP_VALUENAME_INVOKE_NAMEDLG and RAS_EAP_VALUENAME_INVOKE_PWDDLG values are zero, an identity UI could be used to obtain both the identity and biometric information...

    Therefore, you should already have your own method for providing the password if you are not leveraging the dialog.

    Sincerely,

    IoTGirl

    Friday, September 23, 2016 5:14 PM
  • Thanks for the reply.


    I do not want to leverage the username and password dialog.
    I have created a DLL (My.dll). In this DLL I have implemented the
    RasEapGetIdentity and RasEapFreeMemory functions.
    I have created a registry setting IdentityPath under 
    LMachine/Comm/Eap/Extension/25. I have set the value of IdentityPath to 
    My.dll.
    When I try to connect to the RADIUS server, the RasEapGetIdentity function is 
    getting called. In the RasEapGetIdentity function I am setting Domain/Username to 
    ppwszIdentity.
    Now I want to know how to pass the password to the pwszPassword data member of 
    the PPP_EAP_INPUT structure.

    I have read the following

    https://msdn.microsoft.com/en-us/library/ee494062(v=winembedded.60).aspx

    This site says the following
    "The information obtained by RasEapGetIdentity is passed to the 
    authentication protocol during the call to RasEapBegin. The pszIdentity and 
    pUserData members of the PPP_EAP_INPUT structure point to the information."

    One question:

    Is the pUserData member used to send the password?

    My registry setting:
    EAPMSCHAPv2Only: DWORD: 1
    FriedlyName:SZ: PEAP
    IdentityPath: SZ: My.dll
    InvokePasswordDialog:DWORD: 0
    InvokeUsernameDialog:DWord: 0
    Path:SZ: eaptls.dll
    ValidateServerCert:DWORD:0

    Friday, September 23, 2016 7:36 PM
  • Thanks for the reply.

    Could you please tell me how to write my own method to provide the password, if I do not want to leverage the password dialog?

    Saturday, September 24, 2016 3:57 AM
  • I do not want to leverage the username and password dialog.
    I have created a DLL (My.dll). In this DLL I have implemented the
    RasEapGetIdentity and RasEapFreeMemory functions.
    I have created a registry setting IdentityPath under 
    LMachine/Comm/Eap/Extension/25. I have set the value of IdentityPath to 
    My.dll.
    When I try to connect to the RADIUS server, the RasEapGetIdentity function is 
    getting called. In the RasEapGetIdentity function I am setting Domain/Username to 
    ppwszIdentity.
    Now I want to know how to pass the password to the pwszPassword data member of 
    the PPP_EAP_INPUT structure.

    I have read the following

    https://msdn.microsoft.com/en-us/library/ee494062(v=winembedded.60).aspx

    This site says the following
    "The information obtained by RasEapGetIdentity is passed to the 
    authentication protocol during the call to RasEapBegin. The pszIdentity and 
    pUserData members of the PPP_EAP_INPUT structure point to the information."

    One question:

    Is the pUserData member used to send the password?

    My registry setting:
    EAPMSCHAPv2Only: DWORD: 1
    FriedlyName:SZ: PEAP
    IdentityPath: SZ: My.dll
    InvokePasswordDialog:DWORD: 0
    InvokeUsernameDialog:DWord: 0
    Path:SZ: eaptls.dll
    ValidateServerCert:DWORD:0
    Saturday, September 24, 2016 3:59 AM
  • Hi, I am trying to create EAP-PEAP on Windows CE 6.0.

    I do not want to use the Windows username and password dialog to send the username and password. So I have set the InvokePasswordDialog and InvokeUsernameDialog registry settings to 0.

    I have implemented a DLL (Xyz.dll) in which I have implemented the RasEapGetIdentity and RasEapFreeMemory functions. I have created a registry setting IdentityPath and set its value to Xyz.dll.

    The RasEapGetIdentity function has a parameter ppwszIdentity. ppwszIdentity takes the username (domain/username).

    Now I want to know how to pass the password.

    PLEASE HELP.

    Saturday, September 24, 2016 10:38 AM
  • Hi IoTGirl,

    Could you please help me? 

    Regards,

    AjayShankar

    Monday, September 26, 2016 9:37 AM
  • Hi AjayShankar,

    My assumption is you will have to replace what the dialog is doing with your own secure solution. I have not done this but hopefully you will be able to look into how the password dialog works and maybe how biometric drivers present a "password" to get your answer.

    Sincerely,

    IoTGirl

    Monday, September 26, 2016 4:29 PM
  • Hi IoTGirl,

    Thanks for the reply.

    As you said, I have to replace what the dialog is doing in my code, which is what I want to do. But I do not have the code of the dialog showing how it passes the password to the RAS server.

    If you have that code, please share it with me. MSDN does not give enough information on PEAP implementation.

    If you can, tell me whether the password can be passed from RasEapGetIdentity or not.

    There is a structure PPP_EAP_INPUT which has a member pwszPassword. The pwszIdentity and pwszPassword members of the PPP_EAP_INPUT structure are used by the RasEapBegin function to obtain the user identity.

    How do I fill pwszPassword?

    The information obtained by RasEapGetIdentity is passed to the authentication protocol during the call to RasEapBegin. The pszIdentity and pUserData members of the PPP_EAP_INPUT structure point to the information.

    Do we have to pass the password in the pUserData parameter?

    Any hint will be helpful.

    Regards,

    Ajay


    • Edited by AjayShankar Tuesday, September 27, 2016 4:43 PM
    Tuesday, September 27, 2016 4:40 PM
  • Hi Ajay,

    Again, I have not done this myself but I would assume it is the same as crypto. There is a similar thread that might help at https://social.msdn.microsoft.com/Forums/en-US/9ce5871d-9c29-483b-804a-1f9add2faa8b/c-cryptprotectdata-exchange-mapi-profile-how-to-set-variables?forum=exchangesvrdevelopment.

    My understanding is that the main purpose of the complexity of the call is to never expose an unencrypted password.

    Sincerely,

    IoTGirl


    Tuesday, September 27, 2016 5:12 PM