Extensible Authentication Protocol (EAP) Test - Peer Method

Note  This content applies to the Windows Logo Kit (WLK). For the latest information using the new Windows Hardware Certification Kit (HCK), see Windows HCK User's Guide on the Windows Hardware Dev Center.

Overview

The Extensible Authentication Protocol (EAP) Test is used by the EAP Certification Program (ECP).

Details

The EAP Test comprises the following testing methods:

  • Peer Method

  • Authenticator Method

  • Network Supplicant

This description applies to the Peer Method.

Requirements

Software Requirements

The test tool runs on the following Windows operating systems:

  • Windows Server 2008 Release 2

  • Windows 7

  • Windows Server 2008

  • Windows Vista

  • Software components included with the device that is being tested.

Hardware Requirements

  • Device to be tested

  • Computer that meets the minimum software requirements

  • Windows keyboard

  • Two-button pointing device

  • Color display monitor capable of at least 1024 by 768 resolution, 32-bits per pixel, 60 Hz

  • Hard drive with a minimum of 20 GB available on partition C:

  • Processor

Running Extensible Authentication Protocol (EAP) Test - Peer Method

For Peer Method:

144.1.1 - EAP Method Submissions MAY include 32-bit X86 binaries

This test verifies submission of a 32-bit x86 binary.

Overview

The test performs the following steps:

  • It checks whether the submission has an x86 binary.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The package path cannot be located.

144.1.2 - EAP Method Submissions MUST include 64-bit X64 binaries

This test verifies submission of a 64-bit x64 binary.

Overview

The test performs the following steps:

  • It checks whether the submission has at least one x64 binary.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • X64 binary is not present in the package.

144.1.3 - EAP Methods MUST NOT disable or impair the functionality of other system components during their operation.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

145.1.1 - All ECP EAP Method Submissions will be packaged in an INF.

This test verifies that the submission is packaged in an INF file.

Overview

The test performs the following steps:

  • Checks for the valid INF file in the package location.

  • Checks for various sections for valid installation of the INF file.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • INF file is not present in the package location.

  • INF file does not contain the install section.

145.1.2 - ECP EAP Method Submission INF installers MUST allow for installation and uninstall.

This test verifies that submitted INF installers should allow for installation and uninstall.

Overview

The test performs the following steps:

  • Checks that Install section is present in the INF file.

  • Checks that Uninstall section is present in the INF file.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • INF file does not contain the install section.

  • INF file does not contain the uninstall section.

145.1.3 - ECP Method Submissions MUST NOT require reboot after installation to function properly

This test verifies that installation of method does not require a reboot.

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.

  • Install the method.

  • Checks certain registry locations that are updated if a reboot is needed for the installation.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to the registry locations that indicate a reboot is required.

145.1.4 - EAP Methods MUST NOT disable or otherwise modify other installed components as part of installation.

This test verifies that installation of method does not modify the registry or file system, other than its own space.

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.

  • Install the method.

  • Verifies that all the registry updates are done as part of installation under the following key:

    HKLM\System\CurrentControlSet\Services\EapHost\Methods\<Author ID>\<Method Type ID>

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to a registry location other than the one specified.

145.1.5 - EAP Methods MUST remove all configuration data and files on removal or uninstall.

This test verifies that uninstall should remove all the configuration data.

Overview

The test performs the following steps:

  • Get the list of all the files copied during installation

  • Check if all these files have been removed.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • There is a mismatch between the files copied during installation and the files removed during uninstall.

145.1.6 - Removal of an EAP method must be performed through device uninstall using the device manager.

This test verifies that uninstall should be done with the help of device manager.

Overview

The test performs the following steps:

  • Uninstalls the package.

  • Check for the absence of registry entries.

  • Install the package.

  • Check for the presence of registry entries.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Uninstall/installation of the package is unsuccessful.

  • Registry entries are present after uninstall.

  • Registry entries are absent after install.

146.1.1 - EAP Peer Methods will successfully complete one hour of end-to-end authentications. There should not be any observable resource leaks.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

146.1.2 - EAP Peer Methods will successfully survive 100,000 cycles of loading and unloading the method DLL without error. There should not be any observable resource leaks.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

146.1.3 - All implemented EAP method APIs will successfully survive one hour of comprehensive API fuzz testing without error. There should not be any observable resource leaks.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

146.1.4 - EAP Peer Methods will successfully survive end-to-end negative authentication stress for a period of one hour

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Update the USER.XML only with a bad password. Everything else needs to remain valid for this test to complete successfully.

147.1.1 - If the method is a password or smart card based test case, it should not write password or pin in traces or event logs (Manual).

This is a manual sign-off item. This test verifies that the EAP method does not write password information in the trace logs. This test case needs user interaction on the DTM client side.

Overview

The test performs the following steps:

  • Checks the status of the trace file/event.

  • Runs the Authentication session with the method.

  • Ensure that method has written to trace logs/event channel.

  • Verify that the password is not present in the trace logs/events.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • As part of authentication, the method writes password information into the trace logs.

User Interactions

User has to do the following tasks for Plain (.log).

  • In the DTM studio, select the log type as "Plain (.log)" and enter "Trace File Path". Schedule the job. At the DTM client, the following interactions are needed:

  • Enable the method specific trace (which will be written to C:\windows\tracing) and then press Ok.

  • An authentication session will be run as part of the test case.

  • Disable the method trace and then press Ok.

  • The trace file will be displayed in notepad.

  • Verify whether the trace has password information

  • Enter the appropriate choice (Yes/No) in the dialog box that follows.

  • End of the test case.

User has to do the following tasks for Windows Event log.

  • Make sure Event is registered. This can be verified using Windows Event Viewer.

  • In the DTM Studio select log type as "Windows Event" and enter "Channel\Provider Name". Schedule the job, and then at the DTM client the following interactions are needed.

  • An authentication session will be run as part of the test case.

  • If event is detected, then the following dialog is displayed: "Events detected, please open Event Viewer, verify events and answer the below question. Is there password info in the Events?"

  • Verify whether the events contain password information or not.

  • Enter the appropriate choice (Yes/No) in the dialog box.

  • End of the test case.
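
The manual review in 147.1.1 is done by reading the trace in Notepad or Event Viewer, which only catches a password that appears as readable text. The following added example (not part of the WLK test tool) scans the trace bytes for the test password in the encodings a method is most likely to emit by accident. The password, the trace lines and all function names are constructed for illustration.

```python
import base64

def secret_variants(secret):
    """Byte patterns a password or PIN commonly takes inside a trace."""
    variants = {}
    for codec in ("utf-8", "utf-16-le"):   # UTF-16LE: native Windows wide strings
        raw = secret.encode(codec)
        variants[codec] = raw
        variants["hex:" + codec] = raw.hex().encode("ascii")
        variants["hex-spaced:" + codec] = raw.hex(" ").encode("ascii")
        # Finds a secret that was base64-encoded on its own, not one sitting
        # at an arbitrary offset inside a larger encoded buffer.
        variants["base64:" + codec] = base64.b64encode(raw)
    return variants

def scan_trace(data, secret):
    """Return (view, variant, offset) for every occurrence of the secret."""
    views = {"raw": data}
    if data.startswith(b"\xff\xfe"):       # UTF-16LE BOM: also scan decoded text
        text = data[2:].decode("utf-16-le", errors="replace")
        views["decoded"] = text.encode("utf-8")
    hits = []
    for view_name, view in views.items():
        lowered = view.lower()             # hex dumps may be upper or lower case
        for name, needle in secret_variants(secret).items():
            haystack = lowered if name.startswith("hex") else view
            pos = haystack.find(needle)
            while pos != -1:
                hits.append((view_name, name, pos))
                pos = haystack.find(needle, pos + 1)
    return hits

def leaked_encodings(data, secret):
    """Sorted, de-duplicated variant names found anywhere in the trace."""
    return sorted({name for _, name, _ in scan_trace(data, secret)})

# Constructed test credential and trace contents (not output of a real EAP method).
TEST_PASSWORD = "Tr4ce-Me!"
CLEAN_TRACE = b"[0412] session started, identity=alice\r\n[0412] result=success\r\n"
LEAKY_TRACE = (
    CLEAN_TRACE
    + b"[0412] credentials: user=alice pwd=" + TEST_PASSWORD.encode("utf-8") + b"\r\n"
    + b"[0412] buffer: "
    + TEST_PASSWORD.encode("utf-16-le").hex(" ").upper().encode("ascii") + b"\r\n"
)

if __name__ == "__main__":
    for view, variant, offset in scan_trace(LEAKY_TRACE, TEST_PASSWORD):
        print(f"password found as {variant} at offset {offset} ({view} view)")
```

Use a password that is unique to the test run so that a hit cannot be a coincidence, and treat an empty result as supporting the manual review, not replacing it.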

148.1.1 - All data for a given EAP method will be located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods; entirely contained within the EAP Method's own private EAP Method registry sub-key.

This test verifies that installation of method does not modify the registry, other than its allocated space.

Overview

The test performs the following steps:

  • Uninstall the method if it is already installed.

  • Install the method.

  • Verifies that all the registry updates are done as part of installation under the following key:

    HKLM\System\CurrentControlSet\Services\EapHost\Methods\<Author ID>\<Method Type ID>

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The installation process adds entries to a registry location other than the one specified.
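
The containment check that 145.1.4 and 148.1.1 describe, as an added example (not the WLK test tool's code). It assumes the registry key paths were captured before and after installation as plain lists, compares keys only (not values), and treats the parent keys of the method's sub-key as allowed; author ID 99999, method type 200 and the sample paths are constructed.

```python
METHODS_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost\Methods"
HIVE_ALIASES = {"hklm": "hkey_local_machine"}

def normalize(key):
    """Canonical key path: long hive name, no trailing backslash, case-folded."""
    parts = [p for p in key.strip().casefold().split("\\") if p]
    if parts:
        parts[0] = HIVE_ALIASES.get(parts[0], parts[0])
    return "\\".join(parts)

def is_within(key, root):
    """True if key is root or a descendant of it, compared by whole components."""
    return key == root or key.startswith(root + "\\")

def keys_outside_method_key(before, after, author_id, method_type_id):
    """Keys created by the install that lie outside the method's private sub-key."""
    allowed = normalize(f"{METHODS_ROOT}\\{author_id}\\{method_type_id}")
    existing = {normalize(k) for k in before}
    violations = []
    for original in after:
        key = normalize(original)
        if key in existing:
            continue                 # present before install, not a change
        if is_within(key, allowed):
            continue                 # inside the private sub-key
        if is_within(allowed, key):
            continue                 # assumption: parents of the sub-key are allowed
        violations.append(original)
    return sorted(violations)

# Constructed snapshots of key paths taken before and after installation.
BEFORE = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods",
    r"HKLM\SOFTWARE\Microsoft",
]
AFTER = BEFORE + [
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999",
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\200",
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\200\Config",
    # Shares a string prefix with ...\99999\200 but is a different key.
    r"HKLM\System\CurrentControlSet\Services\EapHost\Methods\99999\2000",
    r"HKLM\SOFTWARE\ExampleVendor\Updater",
]

if __name__ == "__main__":
    for key in keys_outside_method_key(BEFORE, AFTER, "99999", "200"):
        print("outside the method's sub-key:", key)
```

The component-wise comparison matters: a plain string-prefix test would accept `...\99999\2000` as if it were inside `...\99999\200`.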

148.1.2 - All Vendors who submit methods to the ECP will acquire a valid Enterprise-ID from IANA (Manual).

This test verifies that registry should have the enterprise id at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods\<Vendor IANA ID>

Overview

The test performs the following steps:

  • Validate if the enterprise-id is in the acceptable range.

  • If it's an expanded EAP type, then check whether the vendor ID is in the acceptable range.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The enterprise ID or vendor ID is in an unacceptable range.

148.1.3 - The Vendor Registry Key under which all vendor method configuration data is stored will contain a string value that identifies the vendor name corresponding to the vendor's enterprise-id.

This test verifies that the registry has the enterprise ID at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EAPHost\Methods\<Vendor IANA ID> and that this registry location has a default string value, or a value "Name", which specifies the vendor name.

Overview

The test performs the following steps:

  • Check if the name present at this registry location matches with the Vendor Name corresponding to the vendor's enterprise id.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • There is a mismatch in names.

148.1.4 - All files that are added to the system by the installation package (INF) are to be physically located under the Windows Program Files directory in a private sub-directory that reasonably reflects the nature of the ECP submission.

This test verifies that files added by package should be only under Program files.

Overview

The test performs the following steps:

  • Check the install section of INF file. All the files added should be located one folder under Program Files.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • The install section tries to copy a file to some other location.

148.1.5 - EAP Methods MUST add their default registry keys using regsvr32 facility

This test verifies that method should be installed using regsvr32.exe

Overview

The test performs the following steps:

  • Uninstall the method using regsvr32.

  • Install the method using regsvr32.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • Uninstall or install fails.

149.1.1 - EAP Methods will produce a human-readable debug tracing log that enables administrators or other users to investigate and determine the cause of failures (Manual)

This test verifies that the EAP method produces human-readable trace logs. This test case needs user interaction on the DTM client side.

Overview

The test performs the following steps:

  • Checks the status of the trace file/event.

  • Runs the Authentication session with the method.

  • Ensure that method has written to trace logs/event channel.

  • Verify that the trace logs/events are human readable.

Results Interpretation

The test writes the pass/fail results to a log file.

The test fails if:

  • As part of authentication, the method writes non-human-readable characters to the trace logs.

User Interactions

User has to do the following tasks for Plain (.log).

  • In the DTM studio, select the log type as "Plain (.log)" and enter "Trace File Path". Schedule the job, and then at the DTM client, the following interactions are needed.

  • Enable the method specific trace (which will be written to C:\windows\tracing) and then press Ok.

  • An authentication session will be run as part of the test case.

  • Disable the method trace and then press Ok.

  • The trace file will be displayed in notepad.

  • Verify whether trace file is human readable or not and then close the file.

  • Enter the appropriate choice (Yes/No) in the dialog box that follows.

  • End of the test case.

User has to do the following tasks for Windows Event log.

  • Make sure Event is registered. This can be verified using Windows Event Viewer.

  • In the DTM Studio select log type as "Windows Event" and enter "Channel\Provider Name". Schedule the job, and then at the DTM client the following interactions are needed.

  • An authentication session will be run as part of the test case.

  • If event is detected, then the following dialog is displayed: "Events detected, please open Event Viewer, verify events and answer the below question. Is the Event Readable?"

  • Verify whether the events contain password information or not.

  • Enter the appropriate choice (Yes/No) in the dialog box.

  • End of the test case.

149.1.2 - EAP Method debug tracing may be turned-off by default

This test verifies that Method tracing should be disabled by default.

Overview

The test performs the following steps:

  • Check the state of trace file.

  • Run an authentication session.

  • Check the trace file.

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.1 - The EAP Method Binary MUST export all mandatory EAP APIs

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure the location of the method DLL is properly entered in the UI

150.1.2 - ECP Submissions MUST NOT include any binaries that are expected to execute in kernel-mode. ECP Submissions are expressly prohibited from shipping kernel-mode drivers of any kind (i.e. SYS, etc)

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.
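
The binary checks in 144.1.1, 144.1.2 and 150.1.2 can be reproduced from the PE headers of the files in a package. The following is an added example, not the WLK test tool's code: it reads the COFF machine type and the optional-header subsystem, and it assumes that a native subsystem marks a kernel-mode image, which is a heuristic. The file names and the `fake_pe` header builder are constructed for the demonstration.

```python
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64
SUBSYSTEM_NATIVE = 1                             # IMAGE_SUBSYSTEM_NATIVE (drivers)

def inspect_pe(data):
    """Return (machine, is_native) for a PE image, or None if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 24 + 70 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None                                         # truncated or not PE
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    # The optional header follows the 4-byte signature and 20-byte COFF header;
    # Subsystem sits at offset 68 in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, pe_off + 24 + 68)
    return MACHINE_NAMES.get(machine, hex(machine)), subsystem == SUBSYSTEM_NATIVE

def review_package(files):
    """files maps name -> bytes. Groups the binaries by what the tests look at."""
    report = {"x86": [], "x64": [], "kernel_mode": []}
    for name, data in sorted(files.items()):
        info = inspect_pe(data)
        if info is None:
            continue                                        # INF, XML, text, ...
        machine, native = info
        if machine in report:
            report[machine].append(name)
        if native:
            report["kernel_mode"].append(name)
    report["has_x64"] = bool(report["x64"])                 # 144.1.2 requires this
    return report

def fake_pe(machine, subsystem):
    """Constructed minimal PE header for the demo; not a loadable image."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2022)
    optional = bytearray(0xF0)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos + coff + bytes(optional)

# Constructed package contents.
SAMPLE_PACKAGE = {
    "EapSample.dll": fake_pe(0x8664, 2),
    "EapSample32.dll": fake_pe(0x014C, 2),
    "filter.sys": fake_pe(0x8664, SUBSYSTEM_NATIVE),
    "EapSample.inf": b"[Version]\r\n",
}

if __name__ == "__main__":
    print(review_package(SAMPLE_PACKAGE))
```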

150.1.3 - EAP Method Submissions MUST NOT take a dependency on .NET framework

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.4 - EAP Methods MUST demonstrate successful end-to-end authentication

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure your RADIUS server is available and an end-to-end authentication is happening before executing this case. This case will require the use of connection.xml and a user.xml to carry out the end-to-end authentication.

150.1.5 - EAP Method MUST NOT make any assumptions about the underlying transport

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure your RADIUS server is available and an end-to-end authentication is happening before executing this case. This case will require the use of connection.xml and a user.xml to carry out the end-to-end authentication.

150.1.6 - All implemented EAP method APIs will successfully survive comprehensive API fuzz testing without error. There should not be any observable resource leaks.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure the location of the method is properly entered in the UI

150.1.7 - EAP Methods MUST NOT load any DLLs or cause to be loaded any DLLs that are not provided with the submission or provided by Windows itself

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.8 - EAP Methods MUST NOT initiate, terminate or pass-through any IPC

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.10 - EAP Method Submissions MUST include a peer method implementation

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.28 - EAP Methods MUST support UI suppression request bit through EapHostPeerBeginSession() suppressing informational UI.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.29 - EAP Methods MUST support alternate credentials bit through EapHostPeerBeginSession().

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.30 - EAP Methods MUST always perform legal state transitions.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.31 - EAP Methods must implement Peer runtime routines for all these functions

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

150.1.32 - EAP Methods MUST provide an XML schema that defines and is used to validate XML configuration documents.

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure the full path to the location of your XML schema file (.xsd) is entered correctly in the DTM UI

150.1.33 - EAP Methods MUST pass configuration XML to BLOB, configuration BLOB to XML inter-conversion test

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Make sure your XML files are entered correctly in the DTM file. Make sure your XML files are valid and the data inside them adheres to the XML standards.

151.1.1 - EAP Method Submissions MUST accurately set appropriate security and property descriptor bits for the EAP method (peer).

Overview

Self explanatory

Results Interpretation

The test writes the pass/fail results to a log file.

Troubleshooting tips

Please indicate the proper security descriptor during submission. You will be presented with a UID; make sure you click the check boxes that correspond to the security descriptor that the method supports.

153.1.1 - EAP Methods that export keys must export them only to EAPHost and to no other destination. The keys will be delivered directly to the lower layer for consumption and use entirely at that layer. Keys may not be distributed outside of the lower layer per RFC. The keys must be exported in the following manner: MSK using the MS-MPPE extension. EMSK using the EMSK extension (Manual).

Overview

The method must not handle key distribution; it is potentially very compromising to handle, store, or export these keys.

Results Interpretation

The test writes the pass/fail results to a log file.

 

 

Build date: 9/14/2012