On Mar 13, 2024, at 9:51 AM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>>> I don't think it's that straight forward.  For Enterprise-WiFi we
>>> still need cryptographic keys for the WiFi 4-way handshake, so
>>> establishing a TLS-Tunnel is needed to derive the WPA keys.

  We also need it for MacSec on wired connections.

  Perhaps the document should be updated to say it SHOULD run a method which derives MSK and EMSK, and MUST NOT simply return an EAP Success.

> Doing this is significantly better than either unencrypted wifi (w/portal),
> or encrypted WPA-PSK wifi.
> 
> So yes, we always want to run EAP-TLS to generate keys.
> This document is related to
> https://datatracker.ietf.org/doc/draft-richardson-emu-eap-onboarding/, (which
> I'll repost on Saturday), but modularizes the work into smaller pieces.

  EAP-TLS has had peer unauthenticated mode since 2008 (RFC 5216 Section 
2.1.1).  But there's been no way to actually use it.

  Hopefully this set of documents will address that issue.

  Alan DeKok.
