PEAP and the CWSP Errata
Last Post: October 8, 2005
The CWSP book errata says that you should change page 263 to include (optional) on the identity portion of the chart. I can't seem to find any documentation that states that this step is optional. Can someone point me in the right direction? Thanks!
draft-josefsson-pppext-eap-tls-eap-02.txt Protected EAP Protocol (PEAP)
Section 2.1 states:
"The PEAP conversation typically begins with the authenticator and the peer negotiating EAP. The authenticator will typically send an EAP-Request/Identity packet to the peer, and the peer will respond with an EAP-Response/Identity packet to the authenticator, containing the peer's userId."
"Once the optional initial Identity Request/Response exchange is completed, ..."
Since server-side authentication occurs first and user authentication then occurs within the established encrypted tunnel, it seems unnecessary to initially request the client's identity and wait for its response.
Interestingly, RFC 2716 (EAP-TLS) and the IETF draft for EAP-TTLS also say that the authenticator will typically send an EAP Request/Identity packet but neither explicitly states it is optional as the PEAP draft says.
Another point of interest in the EAP-TTLS draft is the following statement:
"Note that the client does not include the user's actual identity in this EAP-Response/Identity packet; the user's identity will not be transmitted until an encrypted channel has been established."
Maybe someone on this board with broad experience can tell us if they have seen atypical implementations where the EAP-Request/Identity and EAP-Response/Identity are not sent.
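To make the outer exchange quoted above concrete, here is an added example (not code from the thread or from any of the cited drafts) that encodes the cleartext EAP-Request/Identity and EAP-Response/Identity packets in the RFC 3748 format, models the authenticator skipping that optional round-trip and opening directly with an EAP-Request/PEAP Start packet, and checks whether the cleartext outer identity exposes the real username. The user, realm and the PEAP Start flag value (S bit = 0x20 in the PEAP flags byte, version 0) are assumptions of this example.

```python
import struct

# EAP codes and types from RFC 3748 (constructed example, not thread code).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PEAP = 25          # assigned EAP method type for PEAP
PEAP_FLAG_START = 0x20      # assumed: S bit in the PEAP flags byte, version 0

def build_eap(code, ident, eap_type, type_data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data

def parse_eap(pkt):
    """Decode an EAP packet, rejecting one whose Length field disagrees with its size."""
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": ident, "type": eap_type, "data": pkt[5:length]}

def outer_identity_leaks_user(identity):
    """True when the cleartext outer identity carries a real username instead of an
    anonymous NAI such as 'anonymous@example.com' or a bare '@realm'."""
    user = identity.split("@", 1)[0].strip()
    return user not in ("", "anonymous")

def peap_outer_exchange(real_user, realm, anonymous_outer=True):
    """Model the optional Identity round-trip that precedes the TLS tunnel and
    return the decoded packets that cross the link in the clear. The real
    username is only ever sent inside the tunnel, so it never appears here
    unless the supplicant is configured to use it as the outer identity."""
    request = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
    outer = f"anonymous@{realm}" if anonymous_outer else f"{real_user}@{realm}"
    response = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, outer.encode())
    return [parse_eap(request), parse_eap(response)]

def peap_start_without_identity():
    """Authenticator skips the optional Identity exchange entirely and opens
    with EAP-Request/PEAP carrying only the Start flag (assumed encoding)."""
    return parse_eap(build_eap(EAP_REQUEST, 1, EAP_TYPE_PEAP, bytes([PEAP_FLAG_START])))

if __name__ == "__main__":
    for pkt in peap_outer_exchange("alice", "example.com"):
        print(pkt)
    print(peap_start_without_identity())
```

Running `outer_identity_leaks_user` over the EAP-Response/Identity payloads in a capture is a quick way to confirm that supplicants on a network really are keeping the user's identity inside the tunnel, as the EAP-TTLS draft quoted above describes.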
Maybe someone on this board with broad experience can tell us if they have seen atypical implementations where the EAPOL-Request/Identity and EAP-Response/Identity are not sent.
I have never seen that; however, I have seen many times that the EAPOL-Start frame is not sent, because it is optional. Depending on the supplicant software, you may or may not see the EAPOL-Start frame sent.