On Jan 2, 2023, at 3:45 PM, Alexander Clouter <[email protected]> wrote:
> It shows it for the *first* method but not subsequent methods.

Ah. And it doesn't show the inner EAP authentication method finishing with EAP Success or EAP Failure.

> For later methods it shows:
>
>    <- Intermediate Result TLV (Success),
>        Crypto-Binding TLV (Request),
>        Identity-Type TLV,
>        EAP Payload TLV [EAP-Type=Y],
>
>    // Next EAP conversation started after successful completion
>    of previous method X. The Intermediate-Result and Crypto-
>    Binding TLVs are sent in next packet to minimize round
>    trips. In this example, an identity request is not sent
>    before negotiating EAP-Type=Y.

That last sentence is wrong. I'll delete it.

> I can go back and dig into this more to see if my conclusion was right (ie.
> must send EAP-Identity for every method in sequence) if that helps?

I don't think that's necessary. It should be enough to just always require EAP-Request/Identity when starting an EAP conversation, and EAP Success or EAP Failure when finishing one.

Alan DeKok.
