1 21st April 05:38
graham_rowbottom
 
EAP module UI



On building UIs for EAP dlls.

Using the Microsoft 802.1x client on Win2k and WinXP, a "select your
cert or other id" sys-tray balloon is launched when the client
receives an EAP Identity Request from the NAS.

This is the system EAPOL log for that moment with my EAP DLL:

[1300] 11:15:01: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: !MD5
[1300] 11:15:01: ElGetUserIdentity entered
[1300] 11:15:01: ElGetEapKeyFromToken: RegOpenKeyEx succeeded
[1300] 11:15:01: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[1300] 11:15:01: ElGetUserIdentityOptimized: Error in calling GetIdentity = 703
....
[1300] 11:15:01: WZCNetmanShowBalloon: Entered
[1300] 11:15:01: WZCNetmanShowBalloon: CoCreateInstance succeeded
[1300] 11:15:01: WZCNetmanShowBalloon completed


Is there a way to control the text in this balloon (like MD5 does,
presumably in ElGetUserNamePassword below)?


[1300] 11:27:06: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: MD5
[1300] 11:27:06: ElGetUserNamePassword entered
[1300] 11:27:06: WZCNetmanShowBalloon: Entered
[1300] 11:27:06: WZCNetmanShowBalloon: CoCreateInstance succeeded
[1300] 11:27:06: WZCNetmanShowBalloon completed


Or, better still, to avoid it (like PEAP-MSCHAPv2 does, which uses
ElGetUserIdentityOptimized successfully):


[2000] 12:48:44: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine auth: !MD5
[2000] 12:48:44: ElGetUserIdentity entered
[2000] 12:48:44: ElGetEapKeyFromToken: RegOpenKeyEx succeeded
[2000] 12:48:44: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[2000] 12:48:44: ElGetUserIdentityOptimized: Got identity = IPGLAB\dot1x
[2000] 12:48:44: ElGetUserIdentity: ElGetUserIdentityOptimized got identity without user module intervention


Is GetUserIdentityOptimized something I can have influence on? Why do
I get error 703?

Any insights or similar experiences welcomed.

regards
graham

2 21st April 05:38
xuemei bao
 
You should double-click the balloon and see if an identity UI will be popped
up.

This is expected behavior. 802.1x is run inside the wzcsvc service, which is
in a non-interactive mode, i.e. a UI cannot be invoked by that service. So
802.1x RPCed into explorer.exe to invoke the identity UI. Error 703 means
the RasGetIdentity required an interactive mode but the current process was
in a non-interactive mode.

--
This post is provided AS IS with no warranties, and confers no rights

3 21st April 05:38
graham_rowbottom
 
I don't want our users to have to type or click anything to express
their identity.

Is it possible to create an EAP dll that causes wzcsvc to skip the
pop-up balloon or that can control the text within it? (As PEAP and
MD5 seem to)

4 21st April 05:39
mudit goel [msft]
 
Hi Graham -

The reason you don't see a popup in case of PEAP-MSChapV2 is because MsChapV2
either uses winlogon credentials (if enabled - an option in mschapv2
configuration), or caches the user credentials (for subsequent requests -
the user will get prompted the first time for his/her credentials).

As long as your EAP DLL provides an identity and credentials without
having to prompt the user, you should be fine.

Thanks,
Mudit
--
__________________________________________________ ________
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________________________ ________
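
For troubleshooting along the lines of this thread, here is an added example (not code from any of the posters or from Microsoft) that reads an EAPOL trace, tolerates records wrapped across lines, and reports for each identity request whether the identity was obtained silently or the balloon was shown. The sample log is constructed from the record format quoted in the thread, and the identity EXAMPLE\user1 is made up.

```python
import re

# Trace record layout seen in the thread: "[thread] hh:mm:ss: Function: message"
RECORD = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d): (\w+):?\s*(.*)$")

def records(text):
    """Return [thread, time, function, message] lists, re-joining wrapped lines."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append(list(m.groups()))
        elif out and line.strip(". \t"):    # continuation; skips blanks and "...."
            out[-1][3] = (out[-1][3] + " " + line.strip()).strip()
    return out

def identity_attempts(text):
    """Group records into identity requests and say how each one resolved."""
    attempts, current = [], {}
    for tid, when, func, msg in records(text):
        a = current.get(tid)
        if func == "ElGetIdentity":         # a new identity request starts here
            current[tid] = {"thread": tid, "time": when, "md5": "auth: MD5" in msg,
                            "error": None, "identity": None, "balloon": False}
            attempts.append(current[tid])
        elif a and func == "ElGetUserIdentityOptimized":
            err = re.search(r"GetIdentity = (\d+)", msg)
            got = re.search(r"Got identity = (.+)", msg)
            a["error"] = int(err.group(1)) if err else a["error"]
            a["identity"] = got.group(1).strip() if got else a["identity"]
        elif a and func == "WZCNetmanShowBalloon":
            a["balloon"] = True             # user interaction was requested
    for a in attempts:
        a["outcome"] = "prompt" if a["balloon"] else "silent" if a["identity"] else "unknown"
    return attempts

# Constructed sample modelled on the excerpts in the thread (identity is made up).
SAMPLE = """[1300] 11:15:01: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine
auth: !MD5
[1300] 11:15:01: ElGetUserIdentityOptimized: Error in calling
GetIdentity = 703
[1300] 11:15:01: WZCNetmanShowBalloon: Entered
[2000] 12:48:44: ElGetIdentity: Userlogged, <Maxauth, Prev !Machine
auth: !MD5
[2000] 12:48:44: ElGetUserIdentityOptimized: Got identity =
EXAMPLE\\user1"""

if __name__ == "__main__":
    for a in identity_attempts(SAMPLE):
        print(a["time"], a["outcome"], a["error"], a["identity"])
```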
