On Tue, 12 Mar 2024, at 14:45, Jan-Frederik Rieckers wrote:
> On 12.03.24 13:45, Alexander Clouter wrote:
>> On Tue, 12 Mar 2024, at 12:37, Yanlei(Ray) wrote:
>>> My understanding here is that the EAP server and client will not
>>> authenticate each other in EAP-TLS, and all the authentication will be
>>> done in the "captive portal". So why recommend EAP-TLS as a
>>> provisioning method? Just send the identifier "por...@eap.arpa" and
>>> then jump to a "captive portal". Is that OK?
>>
>> So for OOB provisioning (i.e. get an IP to access a captive portal) the
>> conversation would be:
>>
>> >>> EAP-Identity Request
>> <<< EAP-Identity Response[por...@eap.arpa]
>> >>> EAP-Success
>>
>> Sounds sensible.
>
> I don't think it's that straightforward.
> For Enterprise-WiFi we still need cryptographic keys for the WiFi 4-way
> handshake, so establishing a TLS-Tunnel is needed to derive the WPA keys.

Nice catch.

Cheers
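
The dependency raised in the thread, as an added example that is not part of the original messages: the 4-way handshake keys come from a PMK, and the PMK comes from the MSK that the EAP method exports, so a bare Identity/Success exchange leaves nothing to derive from. It assumes an 802.1X AKM using the HMAC-SHA1 PRF with CCMP-128; the MSK, MAC addresses and nonces are constructed sample values and the function names are hypothetical.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

# Constructed sample values (not from any real capture).
SAMPLE_MSK = bytes(range(64))            # stands in for the MSK exported by EAP-TLS
AA = bytes.fromhex("02aabbccdd01")       # authenticator (AP) MAC address
SPA = bytes.fromhex("02aabbccdd02")      # supplicant MAC address
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def pmk_from_eap(msk):
    """The PMK is the first 32 octets of the MSK exported by the EAP method."""
    if not msk or len(msk) < 64:
        # Identity -> Success with no key-deriving method ends up here.
        raise ValueError("no MSK exported: no PMK, so no 4-way handshake keys")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the 48-octet PTK and split it into KCK, KEK and TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    keys = derive_ptk(pmk_from_eap(SAMPLE_MSK), AA, SPA, ANONCE, SNONCE)
    for name, value in keys.items():
        print(name, value.hex())
    try:
        pmk_from_eap(None)  # what a method-less EAP-Success would provide
    except ValueError as exc:
        print("Identity/Success only:", exc)
```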