📄 draft-kamath-pppext-peapv0-00.txt
字号:
TLS finished) -> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS change_cipher_spec, TLS finished)EAP-Response/EAP-Type=PEAP, V=0 ->TLS channel established(messages sent within the TLS channel)Kamath, Palekar & Wodrich Informational [Page 13]INTERNET-DRAFT PEAP Version 0 25 October 2002 <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Type=XEAP-Response/EAP-Type=X or NAK -> <- EAP-Request/ EAP-Type=XEAP-Response/EAP-Type=X -> <- EAP-Request/ EAP-Type=Extensions Result=FailureEAP-Response/EAP-Type=ExtensionsResult=Failure ->(TLS session cache entry flushed)TLS channel torn down(messages sent in clear-text) <- EAP-FailureIn the case where server authentication is unsuccessful in PEAP Part 1,the conversation will appear as follows:Authenticating Peer Authenticator------------------- ------------- <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Type=PEAP, V=0 (PEAP Start)EAP-Response/EAP-Type=PEAP, V=0(TLS client_hello)-> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS server_hello, TLS certificate, [TLS server_key_exchange,] TLS server_hello_done)EAP-Response/Kamath, Palekar & Wodrich Informational [Page 14]INTERNET-DRAFT PEAP Version 0 25 October 2002EAP-Type=PEAP, V=0(TLS client_key_exchange,[TLS certificate_verify,] TLS change_cipher_spec, TLS finished) -> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS change_cipher_spec, TLS finished)EAP-Response/EAP-Type=PEAP, V=0(TLS change_cipher_spec,TLS finished) <- EAP-Request/ EAP-Type=PEAP, V=0EAP-Response/EAP-Type=PEAP, V=0(TLS Alert message) -> <- EAP-Failure (TLS session cache entry flushed)In the case where a previously established session is being resumed,the EAP server supports TLS session cacheflushing for unsuccessful PEAP Part 2 authentications and both sidesauthenticate successfully, the conversationwill appear as follows:Authenticating Peer Authenticator------------------- ------------- <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Type=PEAP,V=0 (PEAP Start)EAP-Response/EAP-Type=PEAP, V=0(TLS client_hello)-> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS server_hello, TLS change_cipher_spec TLS finished)EAP-Response/EAP-Type=PEAP, V=0(TLS change_cipher_spec,Kamath, Palekar & Wodrich Informational [Page 15]INTERNET-DRAFT PEAP Version 0 25 October 2002 TLS finished) -> <- EAP-Request/ EAP-Type=Extensions Result=SuccessEAP-Response/EAP-Type=ExtensionsResult=Success ->TLS channel torn down(messages sent in clear-text) <- EAP-SuccessIn the case where a previously established session is being resumed, and theserver authenticates to the client successfullybut the client fails to authenticate to the server, the conversationwill appear as follows:Authenticating Peer Authenticator------------------- ------------- <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Request/ EAP-Type=PEAP, V=0 (TLS Start)EAP-Response/EAP-Type=PEAP, V=0(TLS client_hello) -> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS server_hello, TLS change_cipher_spec, TLS finished)EAP-Response/EAP-Type=PEAP, V=0(TLS change_cipher_spec, TLS finished) -> <- EAP-Request EAP-Type=PEAP, V=0 (TLS Alert message)EAP-ResponseEAP-Type=PEAP, V=0 -> <- EAP-Failure (TLS session cache entry flushed)In the case where a previously established session is being resumed,Kamath, Palekar & Wodrich Informational [Page 16]INTERNET-DRAFT PEAP Version 0 25 October 2002and the server authentication is unsuccessful,the conversation will appear as follows:Authenticating Peer Authenticator------------------- ------------- <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Request/ EAP-Type=PEAP, V=0 (TLS Start)EAP-Response/EAP-Type=PEAP, V=0(TLS client_hello)-> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS server_hello, TLS change_cipher_spec, TLS finished)EAP-Response/EAP-Type=PEAP, V=0(TLS change_cipher_spec,TLS finished) <- EAP-Request/ EAP-Type=PEAP, V=0EAP-Response/EAP-Type=PEAP, V=0(TLS Alert message) ->(TLS session cache entry flushed) <- EAP-FailureIn the case where the peer and authenticator have mismatched PEAP versions(e.g. the peer has a pre-standard implementationwith version 0, and the authenticator has a Version 1 implementation,but the authentication is unsuccessful, the conversation will occur as follows:Authenticating Peer Authenticator------------------- ------------- <- EAP-Request/ IdentityEAP-Response/Identity (MyID) -> <- EAP-Request/ EAP-Request/ EAP-Type=PEAP, V=1Kamath, Palekar & Wodrich Informational [Page 17]INTERNET-DRAFT PEAP Version 0 25 October 2002 (TLS Start)EAP-Response/EAP-Type=PEAP, V=0(TLS client_hello)-> <- EAP-Request/ EAP-Type=PEAP, V=0 (TLS server_hello, TLS change_cipher_spec, TLS finished)EAP-Response/EAP-Type=PEAP, V=0(TLS change_cipher_spec,TLS finished) <- EAP-Request/ EAP-Type=PEAP, V=0EAP-Response/EAP-Type=PEAP, V=0(TLS Alert message) ->(TLS session cache entry flushed) <- EAP-FailureAcknowledgmentsThanks to Narendra Gidwani of Microsoft for useful discussions of thisproblem space.Author AddressesVivek KamathAshwin PalekarMark WodrichMicrosoft CorporationOne Microsoft WayRedmond, WA 98052Phone: +1 425 882 8080EMail: {vivek, ashwinp, markwo}@microsoft.comIntellectual Property StatementThe IETF takes no position regarding the validity or scope of anyintellectual property or other rights that might be claimed to pertainto the implementation or use of the technology described in thisdocument or the extent to which any license under such rights might ormight not be available; neither does it represent that it has made anyeffort to identify any such rights. Information on the IETF'sprocedures with respect to rights in standards-track and standards-Kamath, Palekar & Wodrich Informational [Page 18]INTERNET-DRAFT PEAP Version 0 25 October 2002related documentation can be found in BCP-11. Copies of claims ofrights made available for publication and any assurances of licenses tobe made available, or the result of an attempt made to obtain a generallicense or permission for the use of such proprietary rights byimplementors or users of this specification can be obtained from theIETF Secretariat.The IETF invites any interested Party to bring to its attention anycopyrights, patents or patent applications, or other proprietary rightswhich may cover technology that may be required to practice thisstandard. Please address the information to the IETF ExecutiveDirector.Full Copyright StatementCopyright (C) The Internet Society (2002). All Rights Reserved.This document and translations of it may be copied and furnished toothers, and derivative works that comment on or otherwise explain it orassist in its implementation may be prepared, copied, published anddistributed, in whole or in Part, without restriction of any kind,provided that the above copyright notice and this paragraph are includedon all such copies and derivative works. However, this document itselfmay not be modified in any way, such as by removing the copyright noticeor references to the Internet Society or other Internet organizations,except as needed for the purpose of developing Internet standards inwhich case the procedures for copyrights defined in the InternetStandards process must be followed, or as required to translate it intolanguages other than English. The limited permissions granted above areperpetual and will not be revoked by the Internet Society or itssuccessors or assigns. This document and the information containedherein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THEINFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIEDWARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."Expiration DateThis memo is filed as <draft-kamath-pppext-peapv0-00.txt>, and expiresApril 23, 2002.Kamath, Palekar & Wodrich Informational [Page 19]⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -