Thanks Yoav and Glen, I could successfully calculate the challenge response. Now, after the challenge response is successful, the server will send EAP-SUCCESS, then the client has to send an AUTH payload. As eap-md5 doesn't result in any key like eap-aka/sim, the client will use the same password (used for calculating the challenge response) to calculate the AUTH payload. If so, why is there an explicit auth required here? EAP-SUCCESS can itself indicate that the client is authenticated.
Maybe, it is required for some extra authentication?

Regards,
Prashant

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Glen Zorn
Sent: Tuesday, October 25, 2011 3:46 PM
To: Yoav Nir
Cc: [email protected]; Prashant Batra (prbatra)
Subject: Re: [IPsec] eap-md5 based authentication

On 10/25/2011 3:35 PM, Yoav Nir wrote:
> Hi Prashant.
>
> I think in the challenge request, the first byte is the challenge length
> (usually 16) followed by the challenge itself, and then followed by some
> server name. I guess the reasoning is that this allows the client to
> choose the correct password based on the server name.

The format is defined in Section 4.1 of RFC 1994

...

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
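The challenge layout discussed in this thread (Value-Size byte, challenge value, then name, per RFC 1994 Section 4.1), shown as an added Python example that is not part of the original messages. The function names, secret, identifier and challenge bytes are constructed for illustration; the response hash is MD5 over identifier, secret and challenge as RFC 1994 specifies.

```python
import hashlib
import hmac


def parse_md5_challenge(type_data: bytes):
    """Split EAP-MD5 challenge type-data into (value, name).

    Layout: Value-Size (1 octet) | Value | Name (rest of the packet).
    """
    if not type_data:
        raise ValueError("empty challenge data")
    value_size = type_data[0]
    # Reject a length byte that points past the end of the packet.
    if value_size == 0 or len(type_data) < 1 + value_size:
        raise ValueError("Value-Size does not fit the received data")
    value = type_data[1:1 + value_size]
    name = type_data[1 + value_size:]  # may be empty
    return value, name


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || secret || challenge value), 16 octets."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_response_data(digest: bytes, name: bytes = b"") -> bytes:
    """Response type-data uses the same Value-Size | Value | Name layout."""
    return bytes([len(digest)]) + digest + name


def verify_response(identifier, secret, challenge, response_data) -> bool:
    """Server-side check with a constant-time comparison."""
    value, _name = parse_md5_challenge(response_data)
    expected = md5_response(identifier, secret, challenge)
    return hmac.compare_digest(value, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    challenge = bytes(range(16))
    packet = bytes([16]) + challenge + b"gw.example"
    value, name = parse_md5_challenge(packet)
    resp = build_response_data(md5_response(7, b"sample-secret", value), b"client")
    print(name.decode(), resp.hex(), verify_response(7, b"sample-secret", value, resp))
```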
