On Jun 15, 2026, at 12:43 PM, Heikki Vatiainen <[email protected]> wrote: > While 7170bis clarifies a number of topics, there are still different views > on how TEAPv1 should work.
I would also add that there is limited negotiation of inner authentication.
i.e. Does the supplicant have machine+user, or machine, or user? Which
ones are required / optional?
Does the server allow machine + user, or just machine, or just user?
One use-case is that we would like to allow systems to be authenticated using
"machine" credentials, so that it can be placed into a limited network for OS
updates, etc. However, if a user is logged in, it would be nice to do "machine
+ user" authentication. So that the machine can be placed into a more open
network.
This use-case appears to be either difficult or impossible with TEAPv1. At
the minimum, it is unclear how to do it.
Alan DeKok.
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ Emu mailing list -- [email protected] To unsubscribe send an email to [email protected]
