3.1.1 Abstract Data Model

This section describes a conceptual model that an implementation can maintain to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

The PEAP peer and server participating in this protocol maintain the following data.

isFastReconnectAllowed: A Boolean flag indicating whether fast reconnect is allowed (TRUE) for the session or not (FALSE).

isSoHEnabled: A Boolean flag indicating whether SoH is enabled (TRUE) or not (FALSE). This is a configurable field on both peer and server.

isCryptoSupported: A Boolean flag indicating whether the implementation supports Cryptobinding TLVs (section 2.2.8.1.1) (TRUE) or not (FALSE). If the implementation does not support Cryptobinding TLV, then it neither validates (if any are received) nor sends a Cryptobinding TLV.<3>

isCryptoRequired: A Boolean flag indicating whether the implementation requires Cryptobinding TLVs to be exchanged for the final authentication to be successful (TRUE) or not (FALSE). This is a configurable field on both peer and server.

InnerEapType: A 4-byte unsigned integer that indicates the Extensible Authentication Protocol (EAP) type ([RFC3748] section 5) of the PEAP inner EAP method.

BypassCapNegotiation: A Boolean flag indicating whether the machine is configured to exchange Capabilities Negotiation Method (section 2.2.8.3) packets (TRUE) or not (FALSE).<4>

AssumePhase2Frag: A Boolean flag which indicates whether the counterpart (at the remote end) supports fragmentation and reassembly of the PEAP inner method packets (TRUE) or not (FALSE). This value is meaningful only when BypassCapNegotiation is set to TRUE.<5>

isCapabilitiesSupported: A Boolean flag indicating whether the implementation supports Capabilities Negotiation Method (section 2.2.8.3) packets for the session (TRUE) or not (FALSE).<6>

isFragmentationAllowed: A Boolean flag indicating whether fragmentation and reassembly of the PEAP inner method packets is supported for the session by both peer and server (TRUE) or not (FALSE).<7>

MaxSendPacketSize: An integer indicating the maximum EAP packet size. Its value is obtained as specified in sections 3.2.3 and 3.3.3.

TunnelKey: The PEAP Tunnel Key (TK) is a 60-octet key generated as specified in section 3.1.5.5.2.1. This variable is used while generating Cryptobinding TLVs (section 3.1.5.5) and, if using cryptobinding, the final MPPE keys (section 3.1.5.7).

InnerMPPESendKey: A variable-length string returned by the inner EAP method when the inner EAP authentication is successful. This variable is used while generating InnerSessionKey (ISK) as specified in section 3.1.5.5.2.2.

InnerMPPESendKeyLength: Specifies the length of InnerMPPESendKey in octets.

InnerMPPERecvKey: A variable-length string returned by the inner EAP method when the inner EAP authentication is successful. This variable is used while generating ISK as specified in section 3.1.5.5.2.2.

InnerMPPERecvKeyLength: Specifies the length of InnerMPPERecvKey in octets.

InnerSessionKey (ISK): ISK is a 32-octet string generated from keys provided by the inner method. This variable is used while generating Cryptobinding TLVs, as specified in section 3.1.5.5.

CtxtHandle: A 128-bit context handle obtained, as specified in sections 3.2.7.1 and 3.3.7.1, when the phase 1 tunnel is established. This handle is used in encryption and decryption of messages during phase 2 of PEAP.

InnerIdentity: An LPWSTR string (as specified in [MS-DTYP] section 2.2.36) for storing the identity exchanged as part of inner EAP method authentication.
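As an added illustration that is not part of this specification or of any Microsoft implementation of it, the following Python sketch models the fields above as one state record and encodes only the relationships the text states: the octet sizes of TunnelKey, ISK and CtxtHandle, the 4-byte range of InnerEapType, the rule that an implementation without Cryptobinding support neither sends nor validates the TLV while isCryptoRequired makes its absence fatal to the final authentication, and the rule that AssumePhase2Frag stands in for the counterpart's fragmentation answer only when BypassCapNegotiation is TRUE. The names PeapState, validate, cryptobinding_decision and fragmentation_allowed are assumptions, as is the choice to treat a received-but-invalid Cryptobinding TLV as a failure when cryptobinding is supported; the TK and ISK derivations themselves are deliberately not modelled, since they are specified in sections 3.1.5.5.2.1 and 3.1.5.5.2.2 rather than here.

```python
"""Illustrative model of the PEAP abstract data model (ADM) fields.

Added example code; not MS-PEAP text and not any implementation's code.
Only relationships stated in the ADM are encoded. All identifiers here
are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TUNNEL_KEY_LEN = 60      # TunnelKey (TK) is a 60-octet key
ISK_LEN = 32             # InnerSessionKey (ISK) is a 32-octet string
CTXT_HANDLE_LEN = 16     # CtxtHandle is 128 bits = 16 octets
EAP_TYPE_MAX = 0xFFFFFFFF  # InnerEapType is a 4-byte unsigned integer


@dataclass
class PeapState:
    """One PEAP peer's or server's per-session ADM (assumed structure)."""
    isFastReconnectAllowed: bool = False
    isSoHEnabled: bool = False
    isCryptoSupported: bool = True
    isCryptoRequired: bool = False
    InnerEapType: int = 0
    BypassCapNegotiation: bool = False
    AssumePhase2Frag: bool = False
    isCapabilitiesSupported: bool = True
    isFragmentationAllowed: bool = False
    MaxSendPacketSize: int = 0
    TunnelKey: Optional[bytes] = None
    InnerMPPESendKey: bytes = b""
    InnerMPPERecvKey: bytes = b""
    InnerSessionKey: Optional[bytes] = None
    CtxtHandle: Optional[bytes] = None
    InnerIdentity: str = ""

    # The two *Length fields are derived from the key strings, in octets.
    @property
    def InnerMPPESendKeyLength(self) -> int:
        return len(self.InnerMPPESendKey)

    @property
    def InnerMPPERecvKeyLength(self) -> int:
        return len(self.InnerMPPERecvKey)

    def validate(self) -> List[str]:
        """Return the list of ADM size/range violations (empty if consistent)."""
        problems = []
        if not 0 <= self.InnerEapType <= EAP_TYPE_MAX:
            problems.append("InnerEapType outside 4-byte unsigned range")
        if self.TunnelKey is not None and len(self.TunnelKey) != TUNNEL_KEY_LEN:
            problems.append("TunnelKey must be %d octets" % TUNNEL_KEY_LEN)
        if self.InnerSessionKey is not None and len(self.InnerSessionKey) != ISK_LEN:
            problems.append("InnerSessionKey must be %d octets" % ISK_LEN)
        if self.CtxtHandle is not None and len(self.CtxtHandle) != CTXT_HANDLE_LEN:
            problems.append("CtxtHandle must be 128 bits")
        return problems


def cryptobinding_decision(state: PeapState,
                           received_tlv: Optional[bool]) -> Tuple[bool, str]:
    """Decide whether the final authentication may succeed given the
    Cryptobinding TLV outcome. received_tlv is None (no TLV received),
    True (received and validated) or False (received, failed validation).
    Returns (may_succeed, reason)."""
    if not state.isCryptoSupported:
        # Not supported: the TLV is neither sent nor validated, so whatever
        # arrived is simply ignored and cannot fail the authentication.
        return True, "cryptobinding not supported; TLV ignored"
    if received_tlv is None:
        if state.isCryptoRequired:
            return False, "cryptobinding required but no TLV exchanged"
        return True, "cryptobinding optional and not exchanged"
    if received_tlv is False:
        # Assumption of this model: a TLV that fails validation is fatal.
        return False, "cryptobinding TLV failed validation"
    return True, "cryptobinding TLV validated"


def fragmentation_allowed(state: PeapState, local_supports: bool,
                          negotiated_counterpart: Optional[bool]) -> bool:
    """Derive isFragmentationAllowed: TRUE only when both sides support it.
    With BypassCapNegotiation TRUE no capability packets are exchanged, so
    AssumePhase2Frag supplies the counterpart's answer; otherwise the
    answer learned from capability negotiation is used."""
    if state.BypassCapNegotiation:
        counterpart = state.AssumePhase2Frag
    else:
        counterpart = bool(negotiated_counterpart)
    return local_supports and counterpart


if __name__ == "__main__":
    # Constructed sample state: cryptobinding mandatory, negotiation bypassed.
    s = PeapState(isCryptoRequired=True, BypassCapNegotiation=True,
                  AssumePhase2Frag=True, InnerMPPESendKey=b"\x11" * 32,
                  InnerMPPERecvKey=b"\x22" * 32)
    print(cryptobinding_decision(s, None))
    print(fragmentation_allowed(s, True, None))
    print(s.InnerMPPESendKeyLength, s.InnerMPPERecvKeyLength)
```

The point worth taking from the model is the interaction of the two Boolean fields: isCryptoSupported alone only enables sending and validating the TLV, and it is isCryptoRequired that turns a missing Cryptobinding TLV into an authentication failure, so a deployment that wants the binding enforced must set the latter on both peer and server.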