跳到主要内容

附录 C. 示例 (Examples)

本附录给出若干 TEAP 消息交换示例. 示例中的协议名, 字段名, TLV 名称, EAP 类型, TLS 消息名, 示例身份和状态值均保持原样.

C.1. 成功认证 (Successful Authentication)

以下交换展示使用基本密码认证的成功 TEAP 认证. 对话如下:

   Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
username and password) ->

optional additional exchanges (new pin mode,
password change, etc.) ...

<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result TLV (Success),
Crypto-Binding TLV(Response),
Result TLV (Success) ->

TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.2. 认证失败 (Failed Authentication)

以下交换展示由于用户凭据错误而失败的 TEAP 认证. 对话如下:

   Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/Identity

EAP-Response/
Identity (MyID1) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
username and password) ->

<- Intermediate-Result TLV (Failure),
Result TLV (Failure)

Intermediate-Result TLV (Failure),
Result TLV (Failure) ->

TLS channel torn down
(messages sent in cleartext)

<- EAP-Failure

C.3. 使用基于证书的密码套件进行完整 TLS 握手 (Full TLS Handshake Using Certificate-Based Cipher Suite)

在 TEAP Phase 1 中尝试缩略 TLS 握手但失败, 并回退到基于证书的完整 TLS 握手时, 对话如下:

  Authenticating Peer    Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
SessionTicket extension)->

// If the server rejects the session resumption,
it falls through to the full TLS handshake.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)

EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[EAP-Request/
Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.

EAP-Payload TLV
[EAP-Response/Identity (MyID2)]->

// identity protected by TLS.

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->

// Method X exchanges followed by Protected Termination

<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->

// TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.4. Phase 1 中带身份隐私的客户端认证 (Client Authentication During Phase 1 with Identity Privacy)

当 TEAP Phase 1 中发生基于证书的 TLS 握手, 并且需要客户端证书认证和身份隐私时, 会使用 TLS renegotiation 在受保护 TLS 隧道中传输对等方凭据. 对于 TLS 1.2, 对话如下:

  Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_key_exchange,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[EAP-Request/
Identity])

// TLS channel established
(EAP Payload messages sent within the TLS channel)

// peer sends TLS client_hello to request TLS renegotiation
TLS client_hello ->

<- TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->

<- TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success)

Crypto-Binding TLV (Response),
Result TLV (Success)) ->

//TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.5. 分片和重组 (Fragmentation and Reassembly)

当需要 TEAP 分片时, 对话如下:

  Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
(Fragment 1: L, M bits set)

EAP-Response/
EAP-Type=TEAP, V=1 ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 2: M bit set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 3)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished)
(Fragment 1: L, M bits set)->

<- EAP-Request/
EAP-Type=TEAP, V=1
EAP-Response/
EAP-Type=TEAP, V=1
(Fragment 2)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
[EAP-Payload TLV[
EAP-Request/Identity]])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.

EAP-Payload TLV
[EAP-Response/Identity (MyID2)]->

// identity protected by TLS.

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->

// Method X exchanges followed by Protected Termination

<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->

// TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.6. EAP 方法序列 (Sequence of EAP Methods)

当 TEAP 协商为先执行 EAP method X, 再执行 method Y 的序列时, 对话如下:

  Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Identity-Type TLV,
EAP-Payload TLV[
EAP-Request/Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel

Identity_Type TLV
EAP-Payload TLV
[EAP-Response/Identity] ->

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->

// Optional additional X Method exchanges...

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Identity-Type TLV,
EAP-Payload TLV[
EAP-Request/Identity])

// Compound MAC calculated using keys generated from
EAP method X and the TLS tunnel.

// Next EAP conversation started (with EAP-Request/Identity)
after successful completion of previous method X. The
Intermediate-Result and Crypto-Binding TLVs are sent in
the next packet to minimize round trips.

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
EAP-Payload TLV [EAP-Response/Identity (MyID2)] ->

// Optional additional EAP method Y exchanges...

<- EAP Payload TLV [
EAP-Type=Y]

EAP Payload TLV
[EAP-Type=Y] ->

<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->

// Compound MAC calculated using keys generated from EAP
methods X and Y and the TLS tunnel. Compound keys are
generated using keys generated from EAP methods X and Y
and the TLS tunnel.

// TLS channel torn down (messages sent in cleartext)

<- EAP-Success

C.7. 密码绑定失败 (Failed Crypto-Binding)

以下交换展示密码绑定验证失败的情况. 对话如下:

  Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS Server Key Exchange
TLS Server Hello Done)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS Client Key Exchange
TLS change_cipher_spec,
TLS finished)

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec
TLS finished)
EAP-Payload TLV[
EAP-Request/Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.

EAP-Payload TLV/
EAP Identity Response ->

<- EAP Payload TLV, EAP-Request,
(EAP-FAST-MSCHAPV2, Challenge)

EAP Payload TLV, EAP-Response,
(EAP-FAST-MSCHAPV2, Response) ->

<- EAP Payload TLV, EAP-Request,
(EAP-FAST-MSCHAPV2, Success Request)

EAP Payload TLV, EAP-Response,
(EAP-FAST-MSCHAPV2, Success Response) ->

<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate-Result TLV (Success),
Result TLV (Failure)
Error TLV with
(Error Code = 2001) ->

// TLS channel torn down
(messages sent in cleartext)

<- EAP-Failure

C.8. 带 Vendor-Specific TLV 交换的 EAP 方法序列 (Sequence of EAP Method with Vendor-Specific TLV Exchange)

当 TEAP 协商为一系列 EAP 方法后接 Vendor-Specific TLV 交换时, 对话如下:

  Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)

EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[
EAP-Request/Identity])

// TLS channel established
(messages sent within the TLS channel)

// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.

EAP-Payload TLV
[EAP-Response/Identity] ->

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Vendor-Specific TLV,

// Vendor-Specific TLV exchange started after successful
completion of previous method X. The Intermediate-Result
and Crypto-Binding TLVs are sent with Vendor-Specific TLV
in next packet to minimize round trips.

// Compound MAC calculated using keys generated from
EAP method X and the TLS tunnel.

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Vendor-Specific TLV ->

// Optional additional Vendor-Specific TLV exchanges...

<- Vendor-Specific TLV

Vendor-Specific TLV ->
<- Result TLV (Success)

Result TLV (Success) ->

// TLS channel torn down (messages sent in cleartext)

<- EAP-Success

C.9. 服务器发送 Result TLV 后对等方请求内部方法 (Peer Requests Inner Method After Server Sends Result TLV)

当对等方已在 Phase 1 中完成认证, 且服务器返回 Result TLV, 但对等方希望请求另一个 Inner Method 时, 对话如下:

  Authenticating Peer    Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->

// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity. TLS client certificate is also sent.

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)

EAP-Response/
EAP-Type=TEAP, V=1
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success))

// TLS channel established
(TLV Payload messages sent within the TLS channel)

Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Negotiate-EAP)->

<- EAP-Payload TLV
[EAP-Request/Identity]

EAP-Payload TLV
[EAP-Response/Identity] ->

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->

<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]

EAP-Payload TLV
[EAP-Response/EAP-Type=X]->

<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)

Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success)) ->

// TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.10. 信道绑定 (Channel Binding)

以下交换展示使用基本密码认证和通过 Request-Action TLV 进行信道绑定的成功 TEAP 认证. 对话如下:

   Authenticating Peer     Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)

EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->

<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)

EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)

TLS channel established
(messages sent within the TLS channel)

<- Basic-Password-Auth-Req TLV, Challenge

Basic-Password-Auth-Resp TLV, Response with both
username and password) ->

optional additional exchanges (new pin mode,
password change, etc.) ...

<- Crypto-Binding TLV (Request),
Result TLV (Success),

Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Process TLV,
TLV=Channel-Binding TLV)->

<- Channel-Binding TLV (Response),
Result TLV (Success),

Result TLV (Success) ->

TLS channel torn down
(messages sent in cleartext)

<- EAP-Success

C.11. PKCS 交换 (PKCS Exchange)

以下交换展示对等方发送 PKCS#10 TLV, 服务器以 PKCS7 TLV 回复. 下方交换假定 EAP 对等方已在 Phase 1 中完成认证, 认证方式可以是双向证书交换, 也可以是其他 TLS 方法, 例如知识证明 (proof of knowledge, TLS-POK). 对话如下:

,----.                                             ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP-Request/EAP-Type=TEAP, |
| V=1(TEAP Start, |
| S bit set, |
| Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP-Request/ EAP-Type=TEAP, |
| V=1(TLS server_hello, |
| TLS certificate, |
| TLS certificate_request, |
| TLS finished) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS change_cipher_spec, |
| TLS certificate, |
| TLS finished) TLS channel established |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| Send Request-Action TLV |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Send PKCS10 TLV |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| Sign the CSR and send PKCS7 TLV Intermediate-Result|
| TLV request(Success), |
| Crypto-Binding TLV(Request), |
| Result TLV(Success) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Intermediate-Result TLV response(Success), |
| Crypto-Binding TLV(Response), |
| Result TLV(Success) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP Success |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -

C.12. 失败场景 (Failure Scenario)

以下交换展示一个失败场景. 对话如下:

,----.                                                  ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/EAP-Type=TEAP, V=1 |
| (TEAP Start, S bit set, Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/ EAP-Type=TEAP, V=1 |
| (TLS server_hello,(TLS change_cipher_spec, TLS finished)|
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, V=1 |
| (TLS change_cipher_spec, |
| TLS finished) |
| TLS channel established |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| Request-Action TLV |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Bad PKCS10 TLV |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| Intermediate-Result TLV request(Failure), |
| Result TLV(Failure) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Intermediate-Result TLV response(Failure), |
| Result TLV(Failure) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP Failure |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -

C.13. Phase 1 中的客户端证书 (Client Certificate in Phase 1)

以下交换展示客户端证书在 Phase 1 中发送, 且 Phase 2 中不执行额外认证或预配的场景. 对话如下:

,----.                                    ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/EAP-Type=TEAP, |
| V=1(TEAP Start, |
| S bit set, |
| Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/ EAP-Type=TEAP, |
| V=1(TLS server_hello, |
| TLS certificate, |
| TLS certificate_request, |
| TLS change_cipher_spec, |
| TLS finished) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS certificate, |
| TLS change_cipher_spec, |
| TLS finished) TLS channel established |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| Crypto-Binding TLV(Request), |
| Result TLV(Success) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| Crypto-Binding TLV(Response), |
| Result TLV(Success) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP Success |
| <- - - - - - - - - - - - - - - - - - - - -