1# Extensible Authentication 2 3<!--Kit: Network Kit--> 4<!--Subsystem: Communication--> 5<!--Owner: @foredward--> 6<!--Designer: @h00918518--> 7<!--Tester: @WIFIroam-test--> 8<!--Adviser: @zhang_yixin13--> 9 10## Introduction 11 12Extensible authentication is a mechanism provided by the **eap** module to enable third-party clients to participate in custom 802.1X (a port-based network access control protocol) authentication, such as Extensible Authentication Protocol (EAP) authentication. 13 14> **NOTE** 15> 16> This functionality is supported since API version 20. 17 18To implement extensible authentication, the clients should be able to: 19 201. Encapsulate private data into EAP protocol packets based on the data structure agreed upon by the client and authentication server. 212. During the authentication, perform custom actions such as security check scanning on the local host, and send an authentication response after the custom action is complete. 22 The OS is required to provide a mechanism for third-party clients to participate in 802.1X authentication. 23 24 25To meet the preceding requirements, the custom 802.1X authentication mechanism should be able to support: 26 271. Customizing the listening for 802.1X packets and adapt the packet exchange process. 282. Initiating 802.1X authentication and deauthentication on the **eth** network port. 29 30## When to Use 31 32Typical application scenarios of the custom 802.1X authentication include: 33 341. For enterprise network management applications, custom security verification needs to be added to the enterprise Wi-Fi's 802.1X authentication process to access the enterprise intranet. The required functions include: 35 36 - Customization of the packet type and EAP type for custom authentication. 37 - Setting of the standard authentication result based on the custom authentication result. 38 392. For enterprise network management applications, 802.1X authentication needs to be implemented on the **eth** network port to access the enterprise intranet. The required functions include: 40 41 - Support for the standard 802.1X authentication process. 42 - Customization of the 802.1X authentication process. 43 44The following describes the development procedure specific to each application scenario. 45 46## Adding Custom Security Verification to the 802.1X Authentication Process 47 481. Import the **eap** namespace from **@kit.NetworkKit**. 49 50 ```ts 51 import {eap} from '@kit.NetworkKit'; 52 ``` 532. Call [regCustomEapHandler](../reference/apis-network-kit/js-apis-net-eap.md#eapregcustomeaphandler) to register the EAP packet types to listen for. During 802.1X authentication, the system will encapsulate the eligible EAP packets into the callback function for enterprise applications to retrieve. 54 55 ```ts 56 import {eap} from '@kit.NetworkKit'; 57 let netType = 1; 58 let eapCode = 1; 59 let eapType = 25; 60 let eapData = (eapData:eap.EapData):void => { 61 console.info("rsp result",JSON.stringify(eapData)); 62 } 63 64 try { 65 eap.regCustomEapHandler(netType, eapCode, eapType, eapData); 66 console.info('regCustomEapHandler success'); 67 } catch (err) { 68 console.error('errCode: ' + err.code + ', errMessage: ' + err.message); 69 } 70 ``` 713. After the EAP packets are transferred to the callback function, block the 802.1X authentication process so that the enterprise applications can retrieve the complete packet content. 724. If the packets of the registered packet type are sent from the server to the client, they include the custom content added by the server. Determine whether to continue the subsequent steps based on the custom content, and call [replyCustomEapData](../reference/apis-network-kit/js-apis-net-eap.md#eapreplycustomeapdata) to send the packets to the system. 73 74 ```ts 75 import {eap} from '@kit.NetworkKit'; 76 let netType = 1; 77 let eapCode= 1; // eap request 78 let eapType= 25; // EAP_PEAP 79 let result = 1; 80 let eapData = (eapData:eap.EapData):void => { 81 try{ 82 eap.replyCustomEapData(result, eapData); 83 console.info('replyCustomEapData success'); 84 } catch (err) { 85 console.error('errCode: ' + err.code + ' , errMessage: ' + err.message); 86 } 87 } 88 89 try{ 90 eap.regCustomEapHandler(netType, eapCode, eapType, eapData); 91 console.info('regCustomEapHandler success'); 92 } catch (err) { 93 console.error('errCode: ' + err.code + 'errMessage: ' + err.message); 94 } 95 ``` 965. If the packets of the registered packet type are sent from the client to the server, they are the original 802.1X authentication packets. Add the custom content to the original packets, and then call [replyCustomEapData](../reference/apis-network-kit/js-apis-net-eap.md#eapreplycustomeapdata) to send the packets to the system. 97 98 ```ts 99 import {eap} from '@kit.NetworkKit'; 100 let netType = 1; 101 let eapCode= 2; // eap response 102 let eapType= 25; // EAP_PEAP 103 let result = 1; 104 let eapData = (eapData:eap.EapData):void => { 105 try{ 106 eap.replyCustomEapData(result, eapData); 107 console.info('replyCustomEapData success'); 108 } catch (err) { 109 console.error('errCode: ' + err.code + ' , errMessage: ' + err.message); 110 } 111 } 112 113 try{ 114 eap.regCustomEapHandler(netType, eapCode, eapType, eapData); 115 console.info('regCustomEapHandler success'); 116 } catch (err) { 117 console.error('errCode: ' + err.code + 'errMessage: ' + err.message); 118 } 119 ``` 1206. To cancel custom security verification in the 802.1X authentication process, call [unregCustomEapHandler](../reference/apis-network-kit/js-apis-net-eap.md#eapunregcustomeaphandler). 121 122 ```ts 123 import {eap} from '@kit.NetworkKit'; 124 let netType = 1; 125 let eapCode = 1; 126 let eapType = 25; 127 let eapData = (eapData:eap.EapData):void => { 128 console.info("rsp result",JSON.stringify(eapData)); 129 } 130 131 try { 132 eap.unregCustomEapHandler(netType, eapCode, eapType, eapData); 133 console.info('unregCustomEapHandler success'); 134 } catch (err) { 135 console.error('errCode: ' + err.code + ', errMessage: ' + err.message); 136 } 137 138 ``` 139 140## Initiating 802.1X Authentication on the eth Network Port 141 1421. Use a network cable to connect the device to the **eth** network port. 1432. Import the **eap** namespace from **@kit.NetworkKit**. 144 145 ```ts 146 import {eap} from '@kit.NetworkKit'; 147 ``` 1483. If authentication is required for the network management applications, call [startEthEap](../reference/apis-network-kit/js-apis-net-eap.md#eapstartetheap) to initiate the 802.1X authentication process. 149 150 ```ts 151 import {eap} from '@kit.NetworkKit'; 152 let netId = 100; 153 let profile: eap.EthEapProfile = { 154 eapMethod: eap.EapMethod.EAP_TTLS, 155 phase2Method: eap.Phase2Method.PHASE2_AKA_PRIME, 156 identity: "identity", 157 anonymousIdentity: "anonymousIdentity", 158 password: "password", 159 caCertAliases: "caCertAliases", 160 caPath: "caPath", 161 clientCertAliases: "clientCertAliases", 162 certEntry: new Uint8Array([5,6,7,8,9,10]), 163 certPassword: "certPassword", 164 altSubjectMatch: "altSubjectMatch", 165 domainSuffixMatch: "domainSuffixMatch", 166 realm: "realm", 167 plmn: "plmn", 168 eapSubId: 1 169 }; 170 171 try { 172 eap.startEthEap(netId, profile); 173 console.info('startEthEap success'); 174 } catch (err) { 175 console.error('errCode: ' + err.code + ', errMessage: ' + err.message); 176 } 177 ``` 1784. If authentication is not required for the network management applications, call [logOffEthEap](../reference/apis-network-kit/js-apis-net-eap.md#eaplogoffetheap) to initiate the 802.1X deauthentication process. 179 180 ```ts 181 import {eap} from '@kit.NetworkKit'; 182 let netId = 100; 183 try{ 184 eap.logOffEthEap(netId); 185 console.error("logOffEthEap success"); 186 } catch (err) { 187 console.error('errCode: ' + err.code + ', errMessage: ' + err.message); 188 } 189 ``` 190