| rfc9965v3.txt | rfc9965.txt | |||
|---|---|---|---|---|
| skipping to change at line 627 ¶ | skipping to change at line 627 ¶ | |||
| However, since the device is likely otherwise configured with web CAs | However, since the device is likely otherwise configured with web CAs | |||
| [CAB], the captive portal would also be unauthenticated provisioning | [CAB], the captive portal would also be unauthenticated provisioning | |||
| methods could use those CAs within an EAP method in order to allow | methods could use those CAs within an EAP method in order to allow | |||
| the peer to authenticate the EAP server. Further discussion of this | the peer to authenticate the EAP server. Further discussion of this | |||
| topic is better suited for the specification(s) that define a | topic is better suited for the specification(s) that define a | |||
| particular provisioning method. This issue is not discussed further | particular provisioning method. This issue is not discussed further | |||
| here, other than to say that it is technically possible. | here, other than to say that it is technically possible. | |||
| 4.2. EAP-TLS | 4.2. EAP-TLS | |||
| This document defines an NAI called "portal@tls.eap.arpa", which | This document defines an NAI "portal@tls.eap.arpa", which allows EAP | |||
| allows EAP peers to use unauthenticated EAP-TLS. The purpose of the | peers to use unauthenticated EAP-TLS. The purpose of the identifier | |||
| identifier is to allow EAP peers to signal to EAP servers that they | is to allow EAP peers to signal to EAP servers that they wish to | |||
| wish to obtain "captive portal" network access. | obtain "captive portal" network access. | |||
| This identifier signals to the EAP server that the peer wishes to | This identifier signals to the EAP server that the peer wishes to | |||
| obtain "peer unauthenticated access" as per [RFC5216], Section 2.1.1 | obtain "peer unauthenticated access" as per [RFC5216], Section 2.1.1 | |||
| and [RFC9190]. Note that peer unauthenticated access MUST provide | and [RFC9190]. Note that peer unauthenticated access MUST provide | |||
| for authentication of the EAP server, such as with a server | for authentication of the EAP server, such as with a server | |||
| certificate. Using TLS-PSK with a well-known Pre-Shared Key (PSK) | certificate. Using TLS-PSK with a well-known Pre-Shared Key (PSK) | |||
| value is generally not appropriate, as it would not provide server | value is generally not appropriate, as it would not provide server | |||
| authentication. | authentication. | |||
| An EAP server that agrees to authenticate this request MUST ensure | An EAP server that agrees to authenticate this request MUST ensure | |||
| skipping to change at line 1066 ¶ | skipping to change at line 1066 ¶ | |||
| systems - Local and Metropolitan networks-specific | systems - Local and Metropolitan networks-specific | |||
| requirements - Part II: Wireless LAN Medium Access Control | requirements - Part II: Wireless LAN Medium Access Control | |||
| (MAC) and Physical Layer (PHY) specifications: Amendment | (MAC) and Physical Layer (PHY) specifications: Amendment | |||
| 9: Interworking with External Networks", IEEE Std 802.11u- | 9: Interworking with External Networks", IEEE Std 802.11u- | |||
| 2011, DOI 10.1109/IEEESTD.2011.5721908, 2011, | 2011, DOI 10.1109/IEEESTD.2011.5721908, 2011, | |||
| <https://ieeexplore.ieee.org/document/5721908>. | <https://ieeexplore.ieee.org/document/5721908>. | |||
| [IEEE802.1X] | [IEEE802.1X] | |||
| IEEE, "IEEE Standard for Local and metropolitan area | IEEE, "IEEE Standard for Local and metropolitan area | |||
| networks--Port-Based Network Access Control", IEEE Std | networks--Port-Based Network Access Control", IEEE Std | |||
| 802.1X-2010, DOI 10.1109/IEEESTD.2010.5409813, 2010, | 802.1X-2020, DOI 10.1109/IEEESTD.2020.9018454, 2020, | |||
| <https://ieeexplore.ieee.org/document/5409813>. | <https://ieeexplore.ieee.org/document/5409813>. | |||
| [INSECURE-RADIUS] | [INSECURE-RADIUS] | |||
| DeKok, A., "Deprecating Insecure Practices in RADIUS", | DeKok, A., "Deprecating Insecure Practices in RADIUS", | |||
| Work in Progress, Internet-Draft, draft-ietf-radext- | Work in Progress, Internet-Draft, draft-ietf-radext- | |||
| deprecating-radius-09, 15 March 2026, | deprecating-radius-09, 15 March 2026, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-radext- | <https://datatracker.ietf.org/doc/html/draft-ietf-radext- | |||
| deprecating-radius-09>. | deprecating-radius-09>. | |||
| [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, | |||
| End of changes. 2 change blocks. | ||||
| 5 lines changed or deleted | 5 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||
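Review bot: In the first change block (line 627), the second paragraph of Section 4.2 says peer unauthenticated access "MUST provide for authentication of the EAP server", but then calls TLS-PSK with a well-known PSK only "generally not appropriate" even though the same sentence says it "would not provide server authentication". If the MUST holds, that configuration is ruled out rather than discouraged, so the sentence should either say so normatively or name the case where it is acceptable. The reworded opening, 'defines an NAI "portal@tls.eap.arpa", which allows', would read more cleanly as 'defines the NAI "portal@tls.eap.arpa"'. Separately, the context sentence above the 4.2 heading ("the captive portal would also be unauthenticated provisioning methods could use those CAs") does not parse in either column and is worth checking against the source text.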
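Review bot: In the second change block (line 1066), the [IEEE802.1X] entry now cites "IEEE Std 802.1X-2020, DOI 10.1109/IEEESTD.2020.9018454, 2020", but the URL on the following line is still <https://ieeexplore.ieee.org/document/5409813>, whose document number matches the old 2010 DOI suffix rather than the new one. In the IEEE Std 802.11u-2011 entry just above, the DOI suffix and the document number in the URL agree (5721908), so the URL here looks like it was missed when the edition was updated. Update it to point at the 2020 edition so the reference does not send readers to the superseded standard.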