[This is preliminary documentation and subject to change.]
When creating a phonebook entry for a particular connection, the user will select an authentication protocol to use for that connection. The authentication protocol may require configuration. If so, the Dial-Up Networking user interface (UI) will display a configuration user interface by calling the RasEapInvokeConfigUI function. The Dial-Up Networking UI stores the connection-specific configuration information returned by RasEapInvokeConfigUI in the phonebook entry. Additionally, the Dial-Up Networking UI stores the user-specific configuration information in the registry under HKEY_CURRENT_USER. The setup program for the authentication protocol may also store default configuration information in the registry. For more information, see EAP Installation.
The Dial-Up Networking UI will request an identity for the user. If the authentication protocol has RAS_EAP_VALUENAME_INVOKE_STDUI set to one in the registry, the Dial-Up Networking UI will display the standard Windows NT credentials dialog. Otherwise, the identity may be of a type specific to the authentication protocol, for example a certificate or numeric ID. In either case, the identity information will also be stored in the registry under HKEY_CURRENT_USER. The setup program for the authentication protocol may also store default identity information in the registry. For more information, see EAP Installation.
When RAS attempts to establish the connection, it will call the RasEapBegin function for the specified authentication protocol. This allows the protocol to allocate and initialize a work buffer that RAS will pass on subsequent calls to RasEapMakeMessage and RasEapEnd. In RasEapBegin, RAS will also pass a PPP_EAP_INPUT structure that contains a pointer to the configuration information for the connection.
Within the PPP_EAP_INPUT structure, the fAuthenticator member indicates whether the authentication protocol is being invoked as an authenticatee (client) or authenticator (server). On the client, RAS will always pass in values for the pszIdentity and pszPassword members. On the server, RAS will always pass in a value for pszIdentity.
If the RasEapBegin call returns any value other than NO_ERROR, the session will be disconnected. The returned error will be logged (on the server), or displayed to the user (on the client).