2.2.3.2.6 MsPeapConnectionProperties

The Microsoft implementation of PEAP overrides the abstract type BaseEapTypeParameters with type MsPeapConnectionPropertiesV1. This type is defined to be a string formatted according to the XML schema in section 6.9.1. The MsPeapConnectionPropertiesV1 type defines the following elements:

ServerValidation: An optional element of type ServerValidationParameters (section 2.2.3.2.8).

IdentityPrivacy: An optional element<31> of type IdentityPrivacyParameters which contains information about anonymous identity usage during PEAP authentication. Use of this element is deprecated. If the PeapExtensions element exists, this IdentityPrivacy element is ignored and the IdentityPrivacy tag of PeapExtensions MUST be used instead. This element contains the following elements:

EnableIdentityPrivacy: An optional Boolean that indicates whether IdentityPrivacy is enabled. If TRUE, an anonymous identity is substituted for the user's true identity. If AnonymousUserName is not specified, an empty string identity is used.

AnonymousUserName: Contains an anonymous identity used in place of a user's true identity. It is sent during Phase 1 of PEAP authentication, as specified in [MS-PEAP] section 3.1.5.4, when Identity is sent as clear text. Anonymous identity usage is determined by the EnableIdentityPrivacy element. If EnableIdentityPrivacy is FALSE, AnonymousUserName is ignored.

FastReconnect: An optional Boolean. If TRUE, PEAP attempts to use Fast Reconnect. If FALSE, full authentication is used.

InnerEapOptional: An optional Boolean. If TRUE, PEAP does not attempt to perform inner EAP method authentication.

Eap: An element of type BaseEap (section 2.2.3.2.4) containing parameters for the inner EAP method.

EnableQuarantineChecks: An optional Boolean. If TRUE, PEAP performs NAP authorization checks as part of Phase 2 authentication as specified in [MS-PEAP] section 3.1.5.6. If FALSE or absent, it does not.

RequireCryptoBinding: An optional Boolean. If TRUE, PEAP performs CryptoBinding validation as part of authentication result negotiation. If FALSE or absent, it does not.

PeapExtensions: An extensible field reserved for future extensions to the Microsoft PEAP implementation.

The MsPeapConnectionPropertiesV2 schema (section 6.9.2) defines the following additional elements in PeapExtensions, using a new MsPeapConnectionPropertiesv2 namespace.<32>

PerformServerValidation: An optional Boolean that indicates whether server validation is performed.

AcceptServerName: An optional Boolean that indicates whether the server name is validated against the name string specified in the ServerNames (ServerValidationParameters) element.

IdentityPrivacy: An optional element of type IdentityPrivacyParameters that contains information about anonymous identity usage during PEAP authentication. This element contains the following elements:

EnableIdentityPrivacy: An optional Boolean which indicates whether IdentityPrivacy is enabled. If TRUE, an anonymous identity is substituted for the user's true identity.

AnonymousUserName: Contains an anonymous identity used in place of a user's true identity. It is sent during Phase 1 of PEAP authentication, as specified in [MS-PEAP] section 3.1.5.4, when the Identity is sent as clear text. Anonymous identity usage is determined by the EnableIdentityPrivacy element. If EnableIdentityPrivacy is FALSE, AnonymousUserName is ignored.

PeapExtensionsV2: An extensible field reserved for future extensions to the Microsoft PEAP implementation.

The MsPeapConnectionPropertiesV3 schema (section 6.9.3) defines the following additional optional elements<33> in PeapExtensionsV2:

AllowPromptingWhenServerCANotFound: An optional Boolean which specifies method behavior in case the server's certificate does not chain to a trusted root. If TRUE, the user is prompted to manually accept or reject the certificate. If FALSE, certificate errors will cause the connection to be refused.

PeapExtensionsV3: An extensible field reserved for future extensions to the Microsoft PEAP implementation.
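The following added example (not Microsoft's code, and not part of this specification) parses a MsPeapConnectionPropertiesV1 fragment carrying the V2 and V3 extension elements described above and derives the effective settings: the PeapExtensions IdentityPrivacy element taking precedence over the deprecated top-level one, an empty outer identity when EnableIdentityPrivacy is TRUE but AnonymousUserName is absent, the "FALSE or absent" defaults for the Boolean elements, and the V2/V3 elements nested inside PeapExtensions and PeapExtensionsV2. A small audit routine then lists the settings a reviewer would want to see in a profile. The sample XML is constructed; the namespace URIs follow the `http://www.microsoft.com/provisioning/<schema name>` convention of exported Windows profiles and the `Type` child of the inner `Eap` element are assumed rather than taken from this section, and the parser matches on local element names so it does not depend on the exact URIs. Boolean text is read in the XML Schema lexical forms `true`/`false`/`1`/`0`.

```python
"""Derive the effective settings of a PEAP profile from its
MsPeapConnectionPropertiesV1 fragment, applying the element semantics and
precedence rules of this section. Added example, not Microsoft's code."""
import xml.etree.ElementTree as ET

# Constructed sample. Namespace URIs are assumed (exported-profile convention);
# the parser matches on local names, so it does not depend on them. The
# deprecated top-level IdentityPrivacy deliberately conflicts with the one
# inside PeapExtensions to show which one applies.
SAMPLE_PEAP_XML = """\
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <ServerNames>radius.example.test</ServerNames>
  </ServerValidation>
  <IdentityPrivacy>
    <EnableIdentityPrivacy>false</EnableIdentityPrivacy>
  </IdentityPrivacy>
  <FastReconnect>true</FastReconnect>
  <InnerEapOptional>false</InnerEapOptional>
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>26</Type>
  </Eap>
  <RequireCryptoBinding>false</RequireCryptoBinding>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">1</AcceptServerName>
    <IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
      <EnableIdentityPrivacy>true</EnableIdentityPrivacy>
      <AnonymousUserName>anonymous</AnonymousUserName>
    </IdentityPrivacy>
    <PeapExtensionsV2 xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
      <AllowPromptingWhenServerCANotFound xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3">true</AllowPromptingWhenServerCANotFound>
    </PeapExtensionsV2>
  </PeapExtensions>
</EapType>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    if elem is None:
        return None
    for c in elem:
        if _local(c.tag) == name:
            return c
    return None


def _bool(elem, name, default=False):
    """Read an xs:boolean child; 'default' applies when the element is absent."""
    c = _child(elem, name)
    if c is None or c.text is None:
        return default
    return c.text.strip().lower() in ("true", "1")


def effective_peap_settings(xml_text):
    """Return the effective settings as a dict. outer_identity is None when
    the true identity is sent in Phase 1, otherwise the substituted name."""
    root = ET.fromstring(xml_text)
    ext = _child(root, "PeapExtensions")
    ext2 = _child(ext, "PeapExtensionsV2")
    # Precedence: when PeapExtensions exists, the top-level IdentityPrivacy
    # element is ignored and the one inside PeapExtensions is used instead.
    priv = _child(ext, "IdentityPrivacy") if ext is not None else _child(root, "IdentityPrivacy")
    outer_identity = None
    if _bool(priv, "EnableIdentityPrivacy"):
        name = _child(priv, "AnonymousUserName")
        # No AnonymousUserName: an empty-string identity is used.
        outer_identity = (name.text or "") if name is not None else ""
    type_elem = _child(_child(root, "Eap"), "Type")
    inner_type = int(type_elem.text) if type_elem is not None and type_elem.text else None
    return {
        "outer_identity": outer_identity,
        "fast_reconnect": _bool(root, "FastReconnect"),
        "inner_eap_optional": _bool(root, "InnerEapOptional"),
        "inner_eap_type": inner_type,
        "enable_quarantine_checks": _bool(root, "EnableQuarantineChecks"),
        "require_crypto_binding": _bool(root, "RequireCryptoBinding"),
        # No default is stated for the V2/V3 elements, so absent -> None.
        "perform_server_validation": _bool(ext, "PerformServerValidation", None),
        "accept_server_name": _bool(ext, "AcceptServerName", None),
        "allow_prompting_when_server_ca_not_found": _bool(ext2, "AllowPromptingWhenServerCANotFound", None),
    }


def audit_peap_settings(s):
    """List settings a profile reviewer would flag, based on the element semantics."""
    findings = []
    if s["perform_server_validation"] is False:
        findings.append("PerformServerValidation is FALSE: the server certificate is not validated")
    if s["accept_server_name"] is False:
        findings.append("AcceptServerName is FALSE: the server name is not checked against ServerNames")
    if s["allow_prompting_when_server_ca_not_found"]:
        findings.append("AllowPromptingWhenServerCANotFound is TRUE: users may accept a certificate "
                        "that does not chain to a trusted root")
    if not s["require_crypto_binding"]:
        findings.append("RequireCryptoBinding is FALSE or absent: CryptoBinding is not validated")
    if s["outer_identity"] is None:
        findings.append("IdentityPrivacy disabled: the true identity is sent in clear text in Phase 1")
    return findings


if __name__ == "__main__":
    settings = effective_peap_settings(SAMPLE_PEAP_XML)
    for key, value in settings.items():
        print(f"{key}: {value!r}")
    for finding in audit_peap_settings(settings):
        print("FINDING:", finding)
```

For the sample, the effective outer identity is `anonymous` even though the top-level element disables identity privacy, because PeapExtensions is present; the audit reports the missing CryptoBinding requirement and the user prompt for untrusted server certificates.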