附录 C. 示例 (Examples)
本附录给出若干 TEAP 消息交换示例. 示例中的协议名, 字段名, TLV 名称, EAP 类型, TLS 消息名, 示例身份和状态值均保持原样.
C.1. 成功认证 (Successful Authentication)
以下交换展示使用基本密码认证的成功 TEAP 认证. 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)
TLS channel established
(messages sent within the TLS channel)
<- Basic-Password-Auth-Req TLV, Challenge
Basic-Password-Auth-Resp TLV, Response with both
username and password) ->
optional additional exchanges (new pin mode,
password change, etc.) ...
<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate-Result TLV (Success),
Crypto-Binding TLV(Response),
Result TLV (Success) ->
TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.2. 认证失败 (Failed Authentication)
以下交换展示由于用户凭据错误而失败的 TEAP 认证. 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)
TLS channel established
(messages sent within the TLS channel)
<- Basic-Password-Auth-Req TLV, Challenge
Basic-Password-Auth-Resp TLV, Response with both
username and password) ->
<- Intermediate-Result TLV (Failure),
Result TLV (Failure)
Intermediate-Result TLV (Failure),
Result TLV (Failure) ->
TLS channel torn down
(messages sent in cleartext)
<- EAP-Failure
C.3. 使用基于证书的密码套件进行完整 TLS 握手 (Full TLS Handshake Using Certificate-Based Cipher Suite)
在 TEAP Phase 1 中尝试缩略 TLS 握手但失败, 并回退到基于证书的完整 TLS 握手时, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello with
SessionTicket extension)->
// If the server rejects the session resumption,
it falls through to the full TLS handshake.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[EAP-Request/
Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.
EAP-Payload TLV
[EAP-Response/Identity (MyID2)]->
// identity protected by TLS.
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->
// Method X exchanges followed by Protected Termination
<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->
// TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.4. Phase 1 中带身份隐私的客户端认证 (Client Authentication During Phase 1 with Identity Privacy)
当 TEAP Phase 1 中发生基于证书的 TLS 握手, 并且需要客户端证书认证和身份隐私时, 会使用 TLS renegotiation 在受保护 TLS 隧道中传输对等方凭据. 对于 TLS 1.2, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_key_exchange,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[EAP-Request/
Identity])
// TLS channel established
(EAP Payload messages sent within the TLS channel)
// peer sends TLS client_hello to request TLS renegotiation
TLS client_hello ->
<- TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->
<- TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success)
Crypto-Binding TLV (Response),
Result TLV (Success)) ->
//TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.5. 分片和重组 (Fragmentation and Reassembly)
当需要 TEAP 分片时, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
(Fragment 1: L, M bits set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 2: M bit set)
EAP-Response/
EAP-Type=TEAP, V=1 ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(Fragment 3)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished)
(Fragment 1: L, M bits set)->
<- EAP-Request/
EAP-Type=TEAP, V=1
EAP-Response/
EAP-Type=TEAP, V=1
(Fragment 2)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
[EAP-Payload TLV[
EAP-Request/Identity]])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.
EAP-Payload TLV
[EAP-Response/Identity (MyID2)]->
// identity protected by TLS.
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->
// Method X exchanges followed by Protected Termination
<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->
// TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.6. EAP 方法序列 (Sequence of EAP Methods)
当 TEAP 协商为先执行 EAP method X, 再执行 method Y 的序列时, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Identity-Type TLV,
EAP-Payload TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel
Identity_Type TLV
EAP-Payload TLV
[EAP-Response/Identity] ->
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->
// Optional additional X Method exchanges...
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X]->
<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Identity-Type TLV,
EAP-Payload TLV[
EAP-Request/Identity])
// Compound MAC calculated using keys generated from
EAP method X and the TLS tunnel.
// Next EAP conversation started (with EAP-Request/Identity)
after successful completion of previous method X. The
Intermediate-Result and Crypto-Binding TLVs are sent in
the next packet to minimize round trips.
Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
EAP-Payload TLV [EAP-Response/Identity (MyID2)] ->
// Optional additional EAP method Y exchanges...
<- EAP Payload TLV [
EAP-Type=Y]
EAP Payload TLV
[EAP-Type=Y] ->
<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate-Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success) ->
// Compound MAC calculated using keys generated from EAP
methods X and Y and the TLS tunnel. Compound keys are
generated using keys generated from EAP methods X and Y
and the TLS tunnel.
// TLS channel torn down (messages sent in cleartext)
<- EAP-Success
C.7. 密码绑定失败 (Failed Crypto-Binding)
以下交换展示密码绑定验证失败的情况. 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS Server Key Exchange
TLS Server Hello Done)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS Client Key Exchange
TLS change_cipher_spec,
TLS finished)
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec
TLS finished)
EAP-Payload TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.
EAP-Payload TLV/
EAP Identity Response ->
<- EAP Payload TLV, EAP-Request,
(EAP-FAST-MSCHAPV2, Challenge)
EAP Payload TLV, EAP-Response,
(EAP-FAST-MSCHAPV2, Response) ->
<- EAP Payload TLV, EAP-Request,
(EAP-FAST-MSCHAPV2, Success Request)
EAP Payload TLV, EAP-Response,
(EAP-FAST-MSCHAPV2, Success Response) ->
<- Intermediate-Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate-Result TLV (Success),
Result TLV (Failure)
Error TLV with
(Error Code = 2001) ->
// TLS channel torn down
(messages sent in cleartext)
<- EAP-Failure
C.8. 带 Vendor-Specific TLV 交换的 EAP 方法序列 (Sequence of EAP Method with Vendor-Specific TLV Exchange)
当 TEAP 协商为一系列 EAP 方法后接 Vendor-Specific TLV 交换时, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
EAP-Payload TLV[
EAP-Request/Identity])
// TLS channel established
(messages sent within the TLS channel)
// First EAP Payload TLV is coalesced with the TLS Finished as
Application Data and protected by the TLS tunnel.
EAP-Payload TLV
[EAP-Response/Identity] ->
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X]->
<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Vendor-Specific TLV,
// Vendor-Specific TLV exchange started after successful
completion of previous method X. The Intermediate-Result
and Crypto-Binding TLVs are sent with Vendor-Specific TLV
in next packet to minimize round trips.
// Compound MAC calculated using keys generated from
EAP method X and the TLS tunnel.
Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Vendor-Specific TLV ->
// Optional additional Vendor-Specific TLV exchanges...
<- Vendor-Specific TLV
Vendor-Specific TLV ->
<- Result TLV (Success)
Result TLV (Success) ->
// TLS channel torn down (messages sent in cleartext)
<- EAP-Success
C.9. 服务器发送 Result TLV 后对等方请求内部方法 (Peer Requests Inner Method After Server Sends Result TLV)
当对等方已在 Phase 1 中完成认证, 且服务器返回 Result TLV, 但对等方希望请求另一个 Inner Method 时, 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/Identity
EAP-Response/
Identity (MyID1) ->
// Identity sent in the clear. May be a hint to help route
the authentication request to EAP server, instead of the
full user identity. TLS client certificate is also sent.
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello)->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=TEAP, V=1
[TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS change_cipher_spec,
TLS finished,
Crypto-Binding TLV (Request),
Result TLV (Success))
// TLS channel established
(TLV Payload messages sent within the TLS channel)
Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Negotiate-EAP)->
<- EAP-Payload TLV
[EAP-Request/Identity]
EAP-Payload TLV
[EAP-Response/Identity] ->
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X] ->
<- EAP-Payload TLV
[EAP-Request/EAP-Type=X]
EAP-Payload TLV
[EAP-Response/EAP-Type=X]->
<- Intermediate Result TLV (Success),
Crypto-Binding TLV (Request),
Result TLV (Success)
Intermediate Result TLV (Success),
Crypto-Binding TLV (Response),
Result TLV (Success)) ->
// TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.10. 信道绑定 (Channel Binding)
以下交换展示使用基本密码认证和通过 Request-Action TLV 进行信道绑定的成功 TEAP 认证. 对话如下:
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID1) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TEAP Start, S bit set, Authority-ID)
EAP-Response/
EAP-Type=TEAP, V=1
(TLS client_hello) ->
<- EAP-Request/
EAP-Type=TEAP, V=1
(TLS server_hello,
(TLS change_cipher_spec,
TLS finished)
EAP-Response/
EAP-Type=TEAP, V=1 ->
(TLS change_cipher_spec,
TLS finished)
TLS channel established
(messages sent within the TLS channel)
<- Basic-Password-Auth-Req TLV, Challenge
Basic-Password-Auth-Resp TLV, Response with both
username and password) ->
optional additional exchanges (new pin mode,
password change, etc.) ...
<- Crypto-Binding TLV (Request),
Result TLV (Success),
Crypto-Binding TLV(Response),
Request-Action TLV
(Status=Failure, Action=Process TLV,
TLV=Channel-Binding TLV)->
<- Channel-Binding TLV (Response),
Result TLV (Success),
Result TLV (Success) ->
TLS channel torn down
(messages sent in cleartext)
<- EAP-Success
C.11. PKCS 交换 (PKCS Exchange)
以下交换展示对等方发送 PKCS#10 TLV, 服务器以 PKCS7 TLV 回复. 下方交换假定 EAP 对等方已在 Phase 1 中完成认证, 认证方式可以是双向证书交换, 也可以是其他 TLS 方法, 例如知识证明 (proof of knowledge, TLS-POK). 对话如下:
,----. ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP-Request/EAP-Type=TEAP, |
| V=1(TEAP Start, |
| S bit set, |
| Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP-Request/ EAP-Type=TEAP, |
| V=1(TLS server_hello, |
| TLS certificate, |
| TLS certificate_request, |
| TLS finished) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS change_cipher_spec, |
| TLS certificate, |
| TLS finished) TLS channel established |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| Send Request-Action TLV |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Send PKCS10 TLV |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| Sign the CSR and send PKCS7 TLV Intermediate-Result|
| TLV request(Success), |
| Crypto-Binding TLV(Request), |
| Result TLV(Success) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Intermediate-Result TLV response(Success), |
| Crypto-Binding TLV(Response), |
| Result TLV(Success) |
| - - - - - - - - - - - - - - - - - - - - - - - - - >
| |
| EAP Success |
| <- - - - - - - - - - - - - - - - - - - - - - - - - -
C.12. 失败场景 (Failure Scenario)
以下交换展示一个失败场景. 对话如下:
,----. ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/EAP-Type=TEAP, V=1 |
| (TEAP Start, S bit set, Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/ EAP-Type=TEAP, V=1 |
| (TLS server_hello,(TLS change_cipher_spec, TLS finished)|
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, V=1 |
| (TLS change_cipher_spec, |
| TLS finished) |
| TLS channel established |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| Request-Action TLV |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Bad PKCS10 TLV |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| Intermediate-Result TLV request(Failure), |
| Result TLV(Failure) |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
| |
| Intermediate-Result TLV response(Failure), |
| Result TLV(Failure) |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP Failure |
| <- - - - - - - - - - - - - - - - - - - - - - - - - - - -
C.13. Phase 1 中的客户端证书 (Client Certificate in Phase 1)
以下交换展示客户端证书在 Phase 1 中发送, 且 Phase 2 中不执行额外认证或预配的场景. 对话如下:
,----. ,-------.
|Peer| |AuthSrv|
`-+--' `---+---'
| EAP-Request / Identity |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response / Identity (MYID1) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/EAP-Type=TEAP, |
| V=1(TEAP Start, |
| S bit set, |
| Authority-ID) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS client_hello) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP-Request/ EAP-Type=TEAP, |
| V=1(TLS server_hello, |
| TLS certificate, |
| TLS certificate_request, |
| TLS change_cipher_spec, |
| TLS finished) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| EAP-Response/EAP-Type=TEAP, |
| V=1(TLS certificate, |
| TLS change_cipher_spec, |
| TLS finished) TLS channel established |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| Crypto-Binding TLV(Request), |
| Result TLV(Success) |
| <- - - - - - - - - - - - - - - - - - - - -
| |
| Crypto-Binding TLV(Response), |
| Result TLV(Success) |
| - - - - - - - - - - - - - - - - - - - - ->
| |
| EAP Success |
| <- - - - - - - - - - - - - - - - - - - - -