Skip to main content

1. Introduction

EAP usually requires pre-provisioned credentials. A device without credentials cannot obtain network access to get credentials, creating a bootstrapping problem. RFC 9965 defines well-known provisioning credentials, called EAP Provisioning Identifiers (EPIs), that peers can submit to obtain limited network access only for provisioning.

The device can do provisioning inside EAP, as with EAP-NOOB or TEAP, or it can use EAP to obtain access to a limited captive portal. Once provisioned, the device drops the provisioning connection and authenticates again using the new credentials.

Existing EAP-TLS and TEAP specifications mention peer unauthenticated access but do not define how a peer signals that request. RFC 9965 supplies that signaling model.