On Jan 2, 2023, at 5:16 AM, Alexander Clouter <[email protected]> wrote:
> I flagged earlier how EAP sequences are very poorly defined in general for 
> any EAP method and for TEAP it is no different. I would like to see some 
> language to help steer implementers in the right direction.

  Very much so, yes.

> To interop with Windows 10/11, the server needs to front load every 
> EAP-Payload-TLV sequence with an EAP-Request/Identity (in addition to the 
> Identity-Type-TLV)  otherwise things will not work; similarly if you omit the 
> Identity-Type-TLV Windows will just stall and reply with the empty EAP 
> Identity and go no further.
> 
> This sort of makes sense when you view each EAP-Payload-TLV sequence as a 
> standalone authentication, but it is easy to miss that you need to rollback 
> your EAP state machine all the way to the beginning rather than just fly 
> straight into EAP-TLS/EAP-FAST-MSCHAPv2/whatever.

  It makes sense, but it's somewhat surprising, in that the current text does 
not make this clear.  Perhaps we can do:

EAP method messages are carried within EAP-Payload TLVs defined in
[](#eap-payload-tlv).  Note that in this use-case, TEAP is simply a
carrier for EAP, much as RADIUS is a carrier for EAP.  The full EAP
state machine is run as normal, and is carried over the EAP-Payload
TLV.

A TEAP server therefore MUST begin an EAP authentication with an
EAP-Request/Identity (carried in an EAP-Payload TLV), and MUST finish
the EAP conversation with an EAP Success or EAP Failure packet (also
carried in an EAP-Payload TLV)


> Appendix C.6 (Sequence of EAP Methods) will need to be updated to show this 
> too.

  The text has this, which seems sufficient:

                            <- EAP-Request/
                              EAP-Type=TEAP, V=1
                              (TLS change_cipher_spec,
                               TLS finished,
                               Identity-Type TLV,
                              EAP-Payload-TLV[
                              EAP-Request/Identity])


> So section 3.3.1 should have something like:
> 
> "Implementers should treat EAP-Payload-TLV as a separate/isolated EAP 
> authentication which means your state machine has to be rolled back to 
> sending/expecting an EAP-Identity request/response. This is in addition to 
> the Identity-Type-TLV, Intermediate-Result-TLV and Cryptobinding-TLV".

  I'll see if I can add something in.

  Alan DeKok.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu

Reply via email to