4. Interaction with EAP Methods
Password-based EAP methods SHOULD use the provisioning identifier as the password when a password is required. TLS-based methods that have inner identities or passwords SHOULD also use the provisioning identifier for those inner credentials.
Provisioning via TLS-based EAP methods is RECOMMENDED because TLS can authenticate the EAP server and protect provisioning data. Every provisioning method under eap.arpa. MUST define a way to authenticate the server.
TLS-based EAP methods MUST continue to validate EAP server certificates except in provisioning situations specifically defined by the provisioning method. If provisioning happens through another protocol such as HTTPS, the peer MAY skip EAP server certificate validation, but it MUST treat the local network as untrusted.
4.2. EAP-TLS
RFC 9965 defines [email protected] for unauthenticated EAP-TLS to request captive portal access. Peer unauthenticated access MUST still authenticate the EAP server, such as with a server certificate. TLS-PSK with a well-known PSK is generally not appropriate because it does not provide server authentication.
4.3. EAP-NOOB
EAP-NOOB servers are RECOMMENDED to accept both [email protected] and @noob.eap.arpa as synonyms. EAP-NOOB peers are RECOMMENDED to try @noob.eap.arpa first and then [email protected].