Skip to main content

4. Using TLS Bootstrapping in EAP

For EAP use, RFC 9966 uses the NAI mechanisms from RFC 9965. The username "tls-pok-dpp" MUST be included, yielding the initial identity "[email protected]". This identifier MUST be included in the EAP Identity response to indicate TEAP.

EAP Peer                EAP Server
-------- ----------
<- EAP-Request/
Identity

EAP-Response/
Identity
([email protected]) ->

<- EAP-Request/
EAP-Type=TEAP
(TLS Start)

EAP-Response/
EAP-Type=TEAP
(TLS client_hello with
tls_cert_with_extern_psk
and pre_shared_key) ->

After TLS completes, client and server have mutual trust. The server can provision a credential, for example using TEAP. The BSK is only used during bootstrap and not for later EAP authentication.