1) RFC 5281 allows for the use of client certificates only, and skipping all "inner" authentication.

I don't know of any RADIUS server or supplicant which supports this. It may be theoretically possible, but it's not widely used. The current draft forbids this in Section 2.4.1, because (a) it's not used, and (b) equivalent functionality exists in EAP-TLS.

2) The draft should be updated to add a note that when a supplicant sends PAP/CHAP for phase 2 of TTLS, the expected responses are:

  - EAP-Success
  - EAP-Failure
  - Ongoing TLS negotiation, with a resumption ticket.

At least one implementation expects success/failure, and treats ongoing TLS negotiation as a failure. If we squint hard, we could view the resumption ticket as a "protected success indicator". So it might be worth adding that it's a good idea to send, even if the server has no intention of doing resumption.

If there are no objections or comments, I'll update the draft with some text saying the above. I'll issue a new version next week.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
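The three outcomes listed in point 2 can be checked mechanically on the supplicant side. The following is an added example, not code from the message or from any named implementation: it parses the EAP header (RFC 3748) and the EAP-TTLS flags/length framing (RFC 5281 section 9), then shows a supplicant that keeps the tunnel going on further TLS data beside the "strict legacy" behaviour that treats anything but Success/Failure as a failure. The TLS record bytes are a constructed placeholder standing in for an encrypted post-handshake record, since a real ticket is only readable inside the tunnel.

```python
import struct
from enum import Enum

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TTLS = 21            # RFC 5281: EAP method type for TTLS
TTLS_FLAG_L, TTLS_FLAG_M, TTLS_FLAG_S = 0x80, 0x40, 0x20

# Constructed sample: a TLS 1.3 application-data record (type 0x17) whose
# encrypted body would carry a NewSessionTicket. Contents are dummy bytes.
TICKET_RECORD = b"\x17\x03\x03\x00\x10" + b"\x00" * 16


class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    FAILED = "failed"
    CONTINUE_TLS = "continue-tls"   # more TLS data to feed to the TLS stack


def parse_eap(pkt: bytes) -> dict:
    """Parse the EAP header and, for EAP-TTLS, the flags and TLS payload."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    msg = {"code": code, "id": ident}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return msg                          # Success/Failure carry no Type
    if length < 6:
        raise ValueError("short EAP Request/Response")
    msg["type"] = pkt[4]
    if msg["type"] == EAP_TYPE_TTLS:
        flags, off = pkt[5], 6
        msg["flags"] = flags
        if flags & TTLS_FLAG_L:             # L bit: 4-byte TLS message length
            if length < 10:
                raise ValueError("short EAP-TTLS packet")
            msg["tls_len"] = struct.unpack("!I", pkt[6:10])[0]
            off = 10
        msg["tls_data"] = pkt[off:]
    return msg


def build_ttls_request(ident: int, tls_data: bytes) -> bytes:
    """Build an EAP-Request/TTLS carrying tls_data, with the L bit set."""
    body = bytes([EAP_TYPE_TTLS, TTLS_FLAG_L]) + struct.pack("!I", len(tls_data)) + tls_data
    return struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body


def handle_after_phase2(pkt: bytes, strict_legacy: bool = False) -> Outcome:
    """Classify the first packet received after sending the PAP/CHAP phase-2 reply.
    strict_legacy=True mimics an implementation that accepts only Success/Failure."""
    msg = parse_eap(pkt)
    if msg["code"] == EAP_SUCCESS:
        return Outcome.AUTHENTICATED
    if msg["code"] == EAP_FAILURE:
        return Outcome.FAILED
    if msg["code"] == EAP_REQUEST and msg.get("type") == EAP_TYPE_TTLS and msg.get("tls_data"):
        # Ongoing TLS negotiation (e.g. a resumption ticket): keep the tunnel alive
        return Outcome.FAILED if strict_legacy else Outcome.CONTINUE_TLS
    raise ValueError("unexpected EAP packet after phase 2")
```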