1) RFC 5281 allows for the use of client certificates only, and skipping all 
"inner" authentication.

  I don't know of any RADIUS server or supplicant which supports this.  It may 
be theoretically possible, but it's not widely used.

  The current draft forbids this in Section 2.4.1.  Because (a) it's not used, 
and (b) equivalent functionality exists in EAP-TLS.

2) the draft should be updated to add a note that when a supplicant sends 
PAP/CHAP for phase 2 of TTLS, the expected responses are:

        EAP-Success
        EAP-Failure
        Ongoing TLS negotiation, with a resumption ticket.

  At least one implementation expects success/failure, and treats ongoing TLS 
negotiation as a failure.

  If we squint hard, we could view the resumption ticket as a "protected 
success indicator".  So it might be worth adding that it's a good idea to send, 
even if the server has no intention of doing resumption.

  If there are no objections or comments, I'll update the draft with some text 
saying the above.  I'll issue a new version next week.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
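As an added illustration of the three phase-2 outcomes listed in the post above (example code written for this page, not from the draft or from any supplicant or RADIUS server): a minimal supplicant-side handler for the packet that follows the inner PAP/CHAP response, beside the naive variant that treats ongoing TLS negotiation as a failure. The EAP header layout and the TTLS method type 21 follow RFC 3748 and RFC 5281; the sample packets are constructed, and the TLS record bytes are a stand-in for an encrypted resumption ticket.

```python
import struct

EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE = 1, 3, 4
EAP_TYPE_TTLS = 21  # IANA-assigned EAP method type for EAP-TTLS


def parse_eap(pkt: bytes) -> dict:
    """Parse the EAP header (RFC 3748) and, for EAP-TTLS, the flags byte and TLS data."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length does not match packet size")
    msg = {"code": code, "id": ident}
    if code == EAP_REQUEST:
        if length < 6 or pkt[4] != EAP_TYPE_TTLS:
            return msg  # not a TTLS request; caller decides what to do with it
        flags = pkt[5]
        msg["type"] = EAP_TYPE_TTLS
        # L flag (0x80): a 4-octet TLS message length precedes the TLS data
        msg["tls_data"] = pkt[10 if flags & 0x80 else 6:]
    return msg


def naive_phase2_result(pkt: bytes) -> str:
    """The misbehaviour described in the post: anything but Success is a failure."""
    return "success" if parse_eap(pkt)["code"] == EAP_SUCCESS else "failure"


def phase2_result(pkt: bytes) -> str:
    """Handle all three outcomes listed in the post."""
    msg = parse_eap(pkt)
    if msg["code"] == EAP_SUCCESS:
        return "success"
    if msg["code"] == EAP_FAILURE:
        return "failure"
    if msg.get("type") == EAP_TYPE_TTLS and msg.get("tls_data"):
        # Server is still sending TLS records (e.g. a resumption ticket):
        # keep the tunnel up and hand the data to the TLS stack, do not abort.
        return "continue"
    raise ValueError("unexpected packet after inner PAP/CHAP")


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed sample packets, not captured traffic.
SUCCESS_PKT = build_eap(EAP_SUCCESS, 7)
FAILURE_PKT = build_eap(EAP_FAILURE, 7)
# EAP-Request/TTLS, flags=0, carrying one opaque TLS record (made-up bytes standing in for a ticket).
TICKET_PKT = build_eap(EAP_REQUEST, 8, bytes([EAP_TYPE_TTLS, 0]) + b"\x17\x03\x03\x00\x04tick")
```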