On Jun 15, 2026, at 12:43 PM, Heikki Vatiainen <[email protected]> 
wrote:
> While 7170bis clarifies a number of topics, there are still different views 
> on how TEAPv1 should work. 

  I would also add that there is limited negotiation of inner authentication.

     i.e. Does the supplicant have machine+user, or machine, or user?  Which 
ones are required / optional?

     Does the server allow machine + user, or just machine, or just user?

  One use-case is that we would like to allow systems to be authenticated using 
"machine" credentials, so that it can be placed into a limited network for OS 
updates, etc.  However, if a user is logged in, it would be nice to do "machine 
+ user" authentication.  So that the machine can be placed into a more open 
network.

  This use-case appears to be either difficult or impossible with TEAPv1.  At 
the minimum, it is unclear how to do it.

  Alan DeKok.

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to