What about RFC 4334?
As far as I know, no EAP-TLS implementation supports RFC 4334 and I don't think we should be encouraging implementers to support it.
The OIDs defined in RFC 4334 do not correspond to values of the NAS-Port-Type attribute, so the backend authentication server certificate handling code would need to be updated every time a new value were to be assigned; the AAA server can't just check that the NAS-Port-Type attribute includes a value that matches one of the OIDs in the client certificate. Similarly, client code would need to be updated every time a new EAP lower layer was defined, since the client would need to check if the server certificate contained an OID allowing it to be used to authorize a given EAP lower layer.
As a result, I think that RFC 4334 compromises the ability of EAP-TLS to run over any suitable lower layer without code changes.
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
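The following is an added example, not part of the post above and not code from any EAP-TLS implementation. It shows the two checks the post says would be needed if RFC 4334 were followed: a AAA server deciding whether a client certificate's extended key usage (EKU) permits the access type reported in NAS-Port-Type, and a client deciding whether a server certificate's EKU permits the EAP lower layer in use. The EKU OIDs are the ones RFC 4334 and RFC 5280 define, and the NAS-Port-Type numbers are from RFC 2865, but the two policy tables that map them onto each other are an assumption of this example; they exist precisely because no such mapping is defined, and an unmapped value fails closed, which is the maintenance burden the post describes. The DER encoding and decoding of the EKU value is done by hand with the standard library so the example runs offline on constructed input.

```python
"""Illustrative RFC 4334 EKU checks for EAP-TLS (added example, not an implementation)."""

# Extended key usage OIDs from RFC 4334 section 2.1 and RFC 5280 section 4.2.1.12.
ID_KP_EAP_OVER_PPP = "1.3.6.1.5.5.7.3.13"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# ASSUMED policy tables. RFC 4334 defines no mapping from NAS-Port-Type values
# (RFC 2865 section 5.41) or EAP lower layers onto its OIDs, so an implementer
# has to write one and revise it whenever a new value or lower layer appears.
NAS_PORT_TYPE_TO_EKU = {
    0: ID_KP_EAP_OVER_PPP,    # Async (dial-up PPP, assumed classification)
    2: ID_KP_EAP_OVER_PPP,    # ISDN Sync (assumed classification)
    15: ID_KP_EAP_OVER_LAN,   # Ethernet
    19: ID_KP_EAP_OVER_LAN,   # Wireless - IEEE 802.11
}
LOWER_LAYER_TO_EKU = {
    "PPP": ID_KP_EAP_OVER_PPP,
    "IEEE 802.1X": ID_KP_EAP_OVER_LAN,
    "IEEE 802.11": ID_KP_EAP_OVER_LAN,
}


def _encode_base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc, most significant group first."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER TLV for a dotted OID string (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_encode_base128(a) for a in arcs[2:])
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x06, len(body)]) + body


def encode_eku(oids: list[str]) -> bytes:
    """DER ExtendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "short-form length only in this example"
    return bytes([0x30, len(body)]) + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, next position) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Dotted string for the content octets of a DER OBJECT IDENTIFIER."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    first = arcs[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(x) for x in [*lead, *arcs[1:]])


def decode_eku(der: bytes) -> list[str]:
    """Parse a DER ExtendedKeyUsage value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtendedKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def _check(eku_der: bytes, key, table: dict, what: str) -> tuple[bool, str]:
    required = table.get(key)
    if required is None:
        # Fail closed: nothing in RFC 4334 tells us which OID this value needs.
        return False, f"{what} {key!r} is not classified; policy table needs updating"
    present = decode_eku(eku_der)
    if required in present:
        return True, f"certificate asserts {required}"
    return False, f"certificate lacks {required}; has {present}"


def aaa_authorize_client(client_eku_der: bytes, nas_port_type: int) -> tuple[bool, str]:
    """AAA-server side: does the client certificate's EKU permit this NAS-Port-Type?"""
    return _check(client_eku_der, nas_port_type, NAS_PORT_TYPE_TO_EKU, "NAS-Port-Type")


def peer_authorize_server(server_eku_der: bytes, lower_layer: str) -> tuple[bool, str]:
    """Client side: does the server certificate's EKU permit this EAP lower layer?"""
    return _check(server_eku_der, lower_layer, LOWER_LAYER_TO_EKU, "EAP lower layer")


if __name__ == "__main__":
    # Constructed EKU value: clientAuth plus eapOverLAN, as a WLAN client cert might carry.
    eku = encode_eku([ID_KP_CLIENT_AUTH, ID_KP_EAP_OVER_LAN])
    for npt in (19, 0, 99):  # 802.11, Async, and a constructed unclassified value
        print(npt, aaa_authorize_client(eku, npt))
    print(peer_authorize_server(eku, "IEEE 802.1X"))
```

The point the example makes concrete is in `_check`: the table lookup, not the certificate, is where the authorization decision lives, so both the AAA server and the client need a code or configuration change for every new NAS-Port-Type value or lower layer, whereas EAP-TLS without RFC 4334 needs none.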
