Appendix A.  Examples

   In the following examples the version field in EAP-FAST is always
   assumed to be 1.  The S, M, and L bits are assumed to be 0 unless
   otherwise specified.

A.1.  Successful Authentication

   The following exchanges show a successful EAP-FAST authentication
   with optional PAC refreshment; the conversation will appear as
   follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID1) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello with
      PAC-Opaque in SessionTicket extension)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS change_cipher_spec,
                              TLS finished)
     EAP-Response/EAP-FAST
     (TLS change_cipher_spec,
      TLS finished) ->

     TLS channel established
     (Subsequent messages sent within the TLS channel,
      encapsulated within EAP-FAST)

                             <- EAP Payload TLV
                             (EAP-Request/EAP-GTC
                              (Challenge))
     EAP Payload TLV
     (EAP-Response/EAP-GTC
      (Response with both
       user name and password)) ->

     optional additional exchanges (new pin mode,
     password change etc.) ...

                             <- Intermediate-Result TLV (Success)
                             Crypto-Binding TLV (Request)
     Intermediate-Result TLV (Success)
     Crypto-Binding TLV (Response) ->

                             <- Result TLV (Success)
                             [Optional PAC TLV]
     Result TLV (Success)
     [PAC TLV Acknowledgment] ->

     TLS channel torn down
     (messages sent in clear text)

                             <- EAP-Success

A.2.  Failed Authentication

   The following exchanges show a failed EAP-FAST authentication due to
   wrong user credentials; the conversation will appear as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID1) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello with
      PAC-Opaque in SessionTicket extension)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS change_cipher_spec,
                              TLS finished)
     EAP-Response/EAP-FAST
     (TLS change_cipher_spec,
      TLS finished) ->

     TLS channel established
     (Subsequent messages sent within the TLS channel,
      encapsulated within EAP-FAST)

                             <- EAP Payload TLV
                             (EAP-Request/
                              EAP-GTC (Challenge))
     EAP Payload TLV
     (EAP-Response/
      EAP-GTC (Response with both
      user name and password)) ->

                             <- EAP Payload TLV
                             (EAP-Request/
                              EAP-GTC (error message))
     EAP Payload TLV
     (EAP-Response/
      EAP-GTC (empty data packet to
      acknowledge unrecoverable error)) ->

                             <- Result TLV (Failure)
     Result TLV (Failure) ->

     TLS channel torn down
     (messages sent in clear text)

                             <- EAP-Failure

A.3.  Full TLS Handshake using Certificate-based Ciphersuite

   In the case where an abbreviated TLS handshake is tried and failed,
   and a fallback to certificate-based full TLS handshake occurs within
   EAP-FAST Phase 1, the conversation will appear as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/Identity
     EAP-Response/
     Identity (MyID1) ->
     // Identity sent in the clear.  May be a hint to help route the
        authentication request to the EAP server, instead of the full
        user identity.
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello with
      PAC-Opaque extension)->
     // Peer sends PAC-Opaque of Tunnel PAC along with a list of
        ciphersuites supported.  If the server rejects the PAC-Opaque,
        it falls through to the full TLS handshake.
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     ([TLS certificate,]
      TLS client_key_exchange,
      [TLS certificate_verify,]
      TLS change_cipher_spec,
      TLS finished) ->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              EAP-Payload-TLV
                              (EAP-Request/Identity))
     // TLS channel established
        (Subsequent messages sent within the TLS channel,
         encapsulated within EAP-FAST)
     // First EAP Payload TLV is piggybacked to the TLS Finished as
        Application Data and protected by the TLS tunnel.
     EAP-Payload-TLV
     (EAP-Response/Identity (MyID2))->
     // Identity protected by TLS.
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X) ->
     // Method X exchanges followed by Protected Termination
                             <- Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             Result TLV (Success)
     Crypto-Binding TLV (Version=1,
      EAP-FAST Version=1, Nonce,
      CompoundMAC),
     Result-TLV (Success) ->
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Success

A.4.  Client Authentication during Phase 1 with Identity Privacy

   In the case where a certificate-based TLS handshake occurs within
   EAP-FAST Phase 1, and client certificate authentication and identity
   privacy are desired, the conversation will appear as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/Identity
     EAP-Response/
     Identity (MyID1) ->
     // Identity sent in the clear.  May be a hint to help route the
        authentication request to the EAP server, instead of the full
        user identity.
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     (TLS client_key_exchange,
      TLS change_cipher_spec,
      TLS finished) ->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              TLS Hello-Request)
     // TLS channel established
        (Subsequent messages sent within the TLS channel,
         encapsulated within EAP-FAST)
     // TLS Hello-Request is piggybacked to the TLS Finished as
        Handshake Data and protected by the TLS tunnel.
     // Subsequent messages are protected by the TLS tunnel.
     EAP-Response/EAP-FAST
     (TLS client_hello) ->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     ([TLS certificate,]
      TLS client_key_exchange,
      [TLS certificate_verify,]
      TLS change_cipher_spec,
      TLS finished) ->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              Result-TLV (Success))
     EAP-Response/EAP-FAST
     (Result-TLV (Success)) ->
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Success

A.5.  Fragmentation and Reassembly

   In the case where EAP-FAST fragmentation is required, the
   conversation will appear as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello)->
                             <- EAP-Request/EAP-FAST
                             (L=1, M=1,
                              TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,])
     EAP-Response/EAP-FAST ->
                             <- EAP-Request/EAP-FAST
                             (M=1,
                              [TLS certificate_request (cont'd),])
     EAP-Response/EAP-FAST ->
                             <- EAP-Request/EAP-FAST
                             ([TLS certificate_request (cont'd),]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     (L=1, M=1,
      [TLS certificate,])->
                             <- EAP-Request/EAP-FAST
     EAP-Response/EAP-FAST
     ([TLS certificate (cont'd),]
      TLS client_key_exchange,
      [TLS certificate_verify,]
      TLS change_cipher_spec,
      TLS finished)->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              EAP-Payload-TLV
                              (EAP-Request/Identity))
     // TLS channel established
        (Subsequent messages sent within the TLS channel,
         encapsulated within EAP-FAST)
     // First EAP Payload TLV is piggybacked to the TLS Finished as
        Application Data and protected by the TLS tunnel.
     EAP-Payload-TLV
     (EAP-Response/Identity (MyID2))->
     // Identity protected by TLS.
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X) ->
     // Method X exchanges followed by Protected Termination
                             <- Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             Result TLV (Success)
     Crypto-Binding TLV (Version=1,
      EAP-FAST Version=1, Nonce,
      CompoundMAC),
     Result-TLV (Success) ->
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Success

A.6.  Sequence of EAP Methods

   Where EAP-FAST is negotiated, with a sequence of EAP method X
   followed by method Y, the conversation will occur as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID1) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     ([TLS certificate,]
      TLS client_key_exchange,
      [TLS certificate_verify,]
      TLS change_cipher_spec,
      TLS finished) ->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              EAP-Payload-TLV
                              (EAP-Request/Identity))
     // TLS channel established
        (Subsequent messages sent within the TLS channel,
         encapsulated within EAP-FAST)
     // First EAP Payload TLV is piggybacked to the TLS Finished as
        Application Data and protected by the TLS tunnel.
     EAP-Payload-TLV
     (EAP-Response/Identity) ->
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X) ->
     // Optional additional Method X exchanges...
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X)->
                             <- Intermediate-Result TLV (Success),
                             Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             EAP-Payload-TLV
                             (EAP-Request/Method Y)
     // Next EAP conversation started after successful completion of
        previous method X.  The Intermediate-Result and Crypto-Binding
        TLVs are sent in this packet to minimize round-trips.  In this
        example, an identity request is not sent before negotiating
        EAP-Type=Y.
     // Compound MAC calculated using keys generated from EAP method X
        and the TLS tunnel.
     Intermediate-Result TLV (Success),
     Crypto-Binding TLV (Version=1,
      EAP-FAST Version=1, Nonce,
      CompoundMAC),
     EAP-Payload-TLV
     (EAP-Response/Method Y) ->
     // Optional additional Method Y exchanges...
                             <- EAP-Payload-TLV
                             (EAP-Request/Method Y)
     EAP-Payload-TLV
     (EAP-Response/Method Y) ->
                             <- Intermediate-Result TLV (Success),
                             Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             Result TLV (Success)
     Intermediate-Result TLV (Success),
     Crypto-Binding TLV (Version=1,
      EAP-FAST Version=1, Nonce,
      CompoundMAC),
     Result-TLV (Success) ->
     // Compound MAC calculated using keys generated from EAP methods X
        and Y and the TLS tunnel.  Compound keys generated using keys
        generated from EAP methods X and Y, and the TLS tunnel.
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Success

A.7.  Failed Crypto-Binding

   The following exchanges show a failed crypto-binding validation.
   The conversation will appear as follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID1) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello without
      PAC-Opaque extension)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_key_exchange,
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     (TLS client_key_exchange,
      TLS change_cipher_spec,
      TLS finished)->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              EAP-Payload-TLV
                              (EAP-Request/Identity))
     // TLS channel established
        (messages sent within the TLS channel)
     // First EAP Payload TLV is piggybacked to the TLS Finished as
        Application Data and protected by the TLS tunnel.
     EAP-Payload-TLV
     (EAP-Response/Identity) ->
                             <- EAP Payload TLV
                             (EAP-Request/
                              EAP-MSCHAPV2 (Challenge))
     EAP Payload TLV
     (EAP-Response/
      EAP-MSCHAPV2 (Response)) ->
                             <- EAP Payload TLV
                             (EAP-Request/
                              EAP-MSCHAPV2 (Success Request))
     EAP Payload TLV
     (EAP-Response/
      EAP-MSCHAPV2 (Success Response)) ->
                             <- Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             Result TLV (Success)
     Result TLV (Failure),
     Error TLV (Error Code = 2001) ->
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Failure

A.8.  Sequence of EAP Method with Vendor-Specific TLV Exchange

   Where EAP-FAST is negotiated, with a sequence of EAP method followed
   by Vendor-Specific TLV exchange, the conversation will occur as
   follows:

     Authenticating Peer     Authenticator
     -------------------     -------------
                             <- EAP-Request/
                             Identity
     EAP-Response/
     Identity (MyID1) ->
                             <- EAP-Request/EAP-FAST
                             (S=1, A-ID)
     EAP-Response/EAP-FAST
     (TLS client_hello)->
                             <- EAP-Request/EAP-FAST
                             (TLS server_hello,
                              TLS certificate,
                              [TLS server_key_exchange,]
                              [TLS certificate_request,]
                              TLS server_hello_done)
     EAP-Response/EAP-FAST
     ([TLS certificate,]
      TLS client_key_exchange,
      [TLS certificate_verify,]
      TLS change_cipher_spec,
      TLS finished) ->
                             <- EAP-Request/EAP-FAST
                             (TLS change_cipher_spec,
                              TLS finished,
                              EAP-Payload-TLV
                              (EAP-Request/Identity))
     // TLS channel established
        (Subsequent messages sent within the TLS channel,
         encapsulated within EAP-FAST)
     // First EAP Payload TLV is piggybacked to the TLS Finished as
        Application Data and protected by the TLS tunnel.
     EAP-Payload-TLV
     (EAP-Response/Identity) ->
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X) ->
                             <- EAP-Payload-TLV
                             (EAP-Request/Method X)
     EAP-Payload-TLV
     (EAP-Response/Method X)->
                             <- Intermediate-Result TLV (Success),
                             Crypto-Binding TLV (Version=1,
                              EAP-FAST Version=1, Nonce,
                              CompoundMAC),
                             Vendor-Specific TLV
     // Vendor-Specific TLV exchange started after successful
        completion of previous method X.  The Intermediate-Result and
        Crypto-Binding TLVs are sent with the Vendor-Specific TLV in
        this packet to minimize round-trips.
     // Compound MAC calculated using keys generated from EAP method X
        and the TLS tunnel.
     Intermediate-Result TLV (Success),
     Crypto-Binding TLV (Version=1,
      EAP-FAST Version=1, Nonce,
      CompoundMAC),
     Vendor-Specific TLV ->
     // Optional additional Vendor-Specific TLV exchanges...
                             <- Vendor-Specific TLV
     Vendor-Specific TLV ->
                             <- Result TLV (Success)
     Result-TLV (Success) ->
     // TLS channel torn down
        (messages sent in clear text)
                             <- EAP-Success
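   The fragmented exchange of A.5 in code, as an added example that is
   not part of this document or of any EAP-FAST implementation.  It
   frames the EAP-FAST outer packet described in Section 4.1 (Type 43,
   then one octet holding the L, M and S flags and the 2-bit version,
   then the 4-octet Message Length when L=1), splits a flight into
   fragments with L=1,M=1 / M=1 / M=0 exactly as A.5 shows, answers each
   non-final fragment with the empty EAP-Response/EAP-FAST ACK, and
   cross-checks the announced Message Length against what actually
   arrives.  The flight bytes (SERVER_FLIGHT) are constructed filler,
   not a real server_hello, the identifier handling is simplified to
   one new Identifier per request, and MAX_MESSAGE_LEN is a local cap
   of this example rather than a value from the specification.

```python
"""EAP-FAST outer framing and fragment reassembly (RFC 4851, Section 4.1).

Layout after the 4-octet EAP header (Code, Identifier, Length):
  Type=43 | Flags/Ver octet: L M S R R Ver(2 bits) |
  Message Length (4 octets, present only when L=1) | Data
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_FAST = 43
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More, Start
VERSION = 1
MAX_MESSAGE_LEN = 64 * 1024   # assumption: local cap on announced length


def build_packet(code, identifier, data=b"", *, more=False, start=False, total_len=None):
    """Encode one EAP-FAST packet.  total_len fills the Message Length
    field and sets L; it is sent on the first fragment only."""
    flags = VERSION | (FLAG_M if more else 0) | (FLAG_S if start else 0)
    body = bytes([EAP_TYPE_FAST])
    if total_len is not None:
        body += bytes([flags | FLAG_L]) + struct.pack("!I", total_len)
    else:
        body += bytes([flags])
    body += data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt):
    """Decode a packet, validating the EAP Length, the type and the version."""
    if len(pkt) < 6:
        raise ValueError("packet too short for EAP-FAST")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if pkt[4] != EAP_TYPE_FAST:
        raise ValueError("not an EAP-FAST packet")
    flags = pkt[5]
    if flags & 0x03 != VERSION:
        raise ValueError("unsupported EAP-FAST version %d" % (flags & 0x03))
    off, total_len = 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L set but Message Length missing")
        (total_len,) = struct.unpack("!I", pkt[6:10])
        off = 10
    return {"code": code, "id": identifier, "L": bool(flags & FLAG_L),
            "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S),
            "total_len": total_len, "data": pkt[off:]}


def fragment(code, first_id, message, mtu):
    """Split a TLS flight as in A.5: first fragment L=1,M=1 (with the total
    length), middle fragments M=1, last fragment M=0.  A message that fits
    in one packet is sent without L or M."""
    if len(message) <= mtu - 6:
        return [build_packet(code, first_id, message)]
    pkts, off, ident = [], 0, first_id
    while off < len(message):
        hdr = 10 if off == 0 else 6          # first fragment carries Message Length
        chunk = message[off:off + mtu - hdr]
        off += len(chunk)
        pkts.append(build_packet(code, ident, chunk, more=off < len(message),
                                 total_len=len(message) if hdr == 10 else None))
        ident = (ident + 1) & 0xFF
    return pkts


class Reassembler:
    """Receiver side of A.5.  feed() returns the complete message when the
    M=0 fragment arrives and None while more fragments are expected (the
    caller then answers with an empty EAP-FAST ACK)."""

    def __init__(self):
        self.buf, self.expected = None, None

    def feed(self, pkt):
        p = parse_packet(pkt)
        if self.buf is None:
            if p["M"] and not p["L"]:
                raise ValueError("first fragment without Message Length")
            if p["L"] and p["total_len"] > MAX_MESSAGE_LEN:
                raise ValueError("announced Message Length exceeds cap")
            self.buf, self.expected = bytearray(), p["total_len"]
        self.buf += p["data"]
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("received more data than announced")
        if p["M"]:
            return None
        msg, self.buf = bytes(self.buf), None
        if self.expected is not None and len(msg) != self.expected:
            raise ValueError("reassembled %d bytes, announced %d" % (len(msg), self.expected))
        return msg


def ack_packet(request_pkt):
    """Empty EAP-Response/EAP-FAST acknowledging one fragment (A.5)."""
    return build_packet(EAP_RESPONSE, parse_packet(request_pkt)["id"])


SERVER_FLIGHT = bytes(range(150))   # constructed stand-in for the server flight


def run_a5_exchange(message=SERVER_FLIGHT, mtu=60):
    """Drive one fragmented request through sender and receiver; returns the
    reassembled message, the (L, M) flags per fragment and the ACKs sent."""
    rx, flags, acks, result = Reassembler(), [], [], None
    for pkt in fragment(EAP_REQUEST, 2, message, mtu):
        p = parse_packet(pkt)
        flags.append((p["L"], p["M"]))
        result = rx.feed(pkt)
        if result is None:
            acks.append(ack_packet(pkt))
    return result, flags, acks


def rejects(packets):
    """True if the receiver rejects the sequence, e.g. a first fragment whose
    Message Length disagrees with the data that follows."""
    rx = Reassembler()
    try:
        for pkt in packets:
            rx.feed(pkt)
    except ValueError:
        return True
    return False
```

   The Message Length cross-check matters because the receiver
   allocates on the announced length before it has seen the data; a
   receiver that trusts the field blindly is open to memory exhaustion,
   and one that ignores it silently accepts a truncated or padded
   handshake flight.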
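   The protected termination of A.3 and the failed crypto-binding of
   A.7 in code, as an added example that is not part of this document
   or of any EAP-FAST implementation.  It encodes the Phase 2 TLVs
   used in the ladders (Result, Error, Crypto-Binding; TLV header of
   Section 4.2, Crypto-Binding layout of Section 4.2.8), computes the
   Compound MAC as HMAC-SHA1 keyed with the CMK over the TLV with its
   MAC field zeroed, and applies the request/response nonce rule (LSB
   clear in the request, the same nonce with LSB set in the response).
   The server sends Crypto-Binding (Request) + Result (Success); a peer
   whose CMK matches answers Crypto-Binding (Response) + Result
   (Success), and a peer whose CMK does not match answers Result
   (Failure) + Error (2001), which is the A.7 outcome.  CMK is a
   constructed constant: the real value is derived with the T-PRF from
   the TLS session_key_seed and the inner methods' MSKs (Section 5.2),
   and that derivation is not reproduced here.

```python
"""Phase 2 TLVs and the Crypto-Binding check behind A.3, A.6 and A.7
(RFC 4851, Sections 4.2 and 5.3).  TLV header: M(1) R(1) Type(14) Length(16).
Crypto-Binding value: Reserved | Version | Received Version | Sub-Type |
Nonce (32) | Compound MAC (20), MAC = HMAC-SHA1(CMK, TLV with MAC zeroed)."""
import hashlib
import hmac
import os
import struct

TLV_RESULT, TLV_ERROR, TLV_INTERMEDIATE_RESULT, TLV_CRYPTO_BINDING = 3, 5, 10, 12
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
ERR_TUNNEL_COMPROMISE = 2001          # the Error-Code the peer sends in A.7
SUBTYPE_REQUEST, SUBTYPE_RESPONSE = 0, 1
MAC_OFFSET = 4 + 4 + 32               # TLV header + fixed fields + nonce

# Constructed CMK for this example; the protocol derives it via the T-PRF
# (Section 5.2), which is not reproduced here.
CMK = hashlib.sha1(b"constructed-cmk-for-example").digest()


def tlv(tlv_type, value, mandatory=True):
    return struct.pack("!HH", (0x8000 if mandatory else 0) | tlv_type, len(value)) + value


def parse_tlvs(buf):
    """Return [(mandatory, type, value, raw)], rejecting truncated TLVs."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack("!HH", buf[off:off + 4])
        raw = buf[off:off + 4 + ln]
        if len(raw) != 4 + ln:
            raise ValueError("truncated TLV value")
        out.append((bool(t & 0x8000), t & 0x3FFF, raw[4:], raw))
        off += 4 + ln
    return out


def result_tlv(status):
    return tlv(TLV_RESULT, struct.pack("!H", status))


def error_tlv(code):
    return tlv(TLV_ERROR, struct.pack("!I", code))


def request_nonce():
    """Fresh 32-octet nonce with the LSB cleared, as a request requires."""
    n = bytearray(os.urandom(32))
    n[-1] &= 0xFE
    return bytes(n)


def response_nonce(req_nonce):
    """The response echoes the request nonce with the LSB set."""
    return req_nonce[:-1] + bytes([req_nonce[-1] | 1])


def crypto_binding_tlv(cmk, nonce, sub_type, version=1, received_version=1):
    fixed = bytes([0, version, received_version, sub_type]) + nonce
    unsigned = tlv(TLV_CRYPTO_BINDING, fixed + bytes(20))
    mac = hmac.new(cmk, unsigned, hashlib.sha1).digest()
    return unsigned[:MAC_OFFSET] + mac


def verify_crypto_binding(cmk, raw, sub_type, nonce=None):
    """Recompute the Compound MAC under our own CMK; also pin the sub-type
    and, for a response, the nonce we expect to see echoed."""
    if len(raw) != 4 + 56:
        return False
    _, t, value, _ = parse_tlvs(raw)[0]
    if t != TLV_CRYPTO_BINDING or value[3] != sub_type:
        return False
    if nonce is not None and value[4:36] != nonce:
        return False
    expected = hmac.new(cmk, raw[:MAC_OFFSET] + bytes(20), hashlib.sha1).digest()
    return hmac.compare_digest(expected, value[36:56])


def server_termination(cmk, nonce):
    """Server's packet: Crypto-Binding (Request) + Result (Success)."""
    return crypto_binding_tlv(cmk, nonce, SUBTYPE_REQUEST) + result_tlv(STATUS_SUCCESS)


def peer_termination(peer_cmk, server_msg):
    """Peer side.  A valid binding yields Crypto-Binding (Response) +
    Result (Success); a MAC mismatch yields Result (Failure) + Error (2001)
    as in A.7, and the peer must not use the tunnel keys."""
    cb = next((raw for _, t, _, raw in parse_tlvs(server_msg) if t == TLV_CRYPTO_BINDING), None)
    if cb is None or not verify_crypto_binding(peer_cmk, cb, SUBTYPE_REQUEST):
        return result_tlv(STATUS_FAILURE) + error_tlv(ERR_TUNNEL_COMPROMISE)
    nonce = response_nonce(parse_tlvs(cb)[0][2][4:36])
    return crypto_binding_tlv(peer_cmk, nonce, SUBTYPE_RESPONSE) + result_tlv(STATUS_SUCCESS)


def server_accept(cmk, req_nonce, peer_msg):
    """Server's final check before EAP-Success: Result (Success) plus a
    Crypto-Binding response under the same CMK echoing our nonce."""
    tlvs = {t: raw for _, t, _, raw in parse_tlvs(peer_msg)}
    if tlvs.get(TLV_RESULT, b"")[4:] != struct.pack("!H", STATUS_SUCCESS):
        return False
    return TLV_CRYPTO_BINDING in tlvs and verify_crypto_binding(
        cmk, tlvs[TLV_CRYPTO_BINDING], SUBTYPE_RESPONSE, response_nonce(req_nonce))


def tlv_types(msg):
    return [t for _, t, _, _ in parse_tlvs(msg)]
```

   The nonce and sub-type pins are what stop a captured Crypto-Binding
   request from being replayed back to the server as a response; the
   MAC alone does not distinguish the two directions.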