3.3.5.4.5 Received EAP NAK

If the currentState variable is set to WAIT_FOR_CAPABILITIES_RESPONSE, then:

  1. Assign the variable isFragmentationAllowed to FALSE.

  2. Validate the received Identity in an implementation-specific manner. If the Identity validation fails, then prepare an EAP TLV Extensions Method packet (section 2.2.8.1) with Result TLV (section 2.2.8.1.2) (with the value field set to 2). Change the currentState datum to FAILURE_TLV_SENT and proceed to step 5.

  3. If the isSoHEnabled variable is set to TRUE, then prepare an SoH EAP Extensions Method packet with SoH Request TLV within it. Change currentState to WAIT_FOR_SOH_RESPONSE and proceed to step 5.

  4. If isSoHEnabled is set to FALSE, then prepare an EAP Request packet with the Type field set to InnerEapType to start the inner EAP method negotiation as specified in [RFC3748]. Compress the EAP Request packet as specified in section 3.1.5.6. Change currentState to PHASE2_EAP_INPROGRESS.

  5. Send the packet prepared earlier to the TLS layer for encryption using the EncryptMessage method.

  6. Prepare a PEAP packet by placing the encrypted data returned by the EncryptMessage method in the Data field of the PEAP packet. Then send it to the peer (see section 3.1.5.2.2).

If the currentState is set to WAIT_FOR_SOH_RESPONSE, then:

  1. Prepare an EAP Request packet with the Type field set to InnerEapType to start the inner EAP method negotiation as specified in [RFC3748]. Compress the EAP Request packet as specified in section 3.1.5.6. Change currentState to PHASE2_EAP_INPROGRESS.

  2. Encrypt the EAP TLV Extensions Method or EAP Request packet obtained in the preceding step by passing it to the TLS layer using the EncryptMessage method.

  3. Prepare a PEAP packet by placing the encrypted data returned by the EncryptMessage method in the Data field of the PEAP packet. Then send it to the peer (see section 3.1.5.2.2).

If the currentState is set to PHASE2_EAP_INPROGRESS, then:

  1. If the first byte of the Type-Data ([RFC3748] section 5.3.1) field of the EAP NAK packet is present in the innerEAPAuthenticationMethods array, then set that byte as innerEAPType and obtain the first EAP packet to be sent from the inner EAP method denoted by innerEAPType. Call Compress_Encrypt_Send (section 3.1.5.2.3) on the obtained packet.

  2. If the first byte of the Type-Data field of the EAP NAK packet is not present in the innerEAPAuthenticationMethods array, then prepare an EAP TLV Extensions Method packet with Result TLV with the value field set to 2. Change the currentState datum to FAILURE_TLV_SENT and then call Compress_Encrypt_Send (section 3.1.5.2.3) on the prepared packet.

If currentState is not set to WAIT_FOR_CAPABILITIES_RESPONSE, PHASE2_EAP_INPROGRESS, or WAIT_FOR_SOH_RESPONSE, then the packet is ignored.
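
The following sketch of the state handling in this section is an added example, not code from the specification; it models only the state transitions and the choice of packet to prepare, leaving compression, EncryptMessage and sending out. Assumptions: the handler receives the decrypted, uncompressed EAP NAK; identityValid stands in for the implementation-specific Identity validation; the returned strings are hypothetical labels; and a truncated NAK is handled as "not present in the array", which the section does not state.

```python
from dataclasses import dataclass
from typing import List, Optional

EAP_CODE_RESPONSE = 2      # RFC 3748 Code: Response
EAP_TYPE_NAK = 3           # RFC 3748 Type: legacy Nak
FAILURE = "RESULT_TLV(2)"  # label for the Result TLV with value 2

@dataclass
class PeapServer:
    # Field names follow the section's variables; identityValid is a
    # hypothetical stand-in for the implementation-specific Identity check.
    currentState: str
    innerEAPAuthenticationMethods: List[int]
    innerEAPType: int
    isSoHEnabled: bool = False
    isFragmentationAllowed: bool = True
    identityValid: bool = True

def nak_first_type(pkt: bytes) -> Optional[int]:
    """First byte of Type-Data, or None if pkt is not a well-formed NAK."""
    if len(pkt) < 6 or pkt[0] != EAP_CODE_RESPONSE or pkt[4] != EAP_TYPE_NAK:
        return None
    length = int.from_bytes(pkt[2:4], "big")
    return pkt[5] if 6 <= length <= len(pkt) else None

def on_eap_nak(s: PeapServer, pkt: bytes) -> str:
    """Update state; return a label for the packet to prepare (not sent here)."""
    start_inner = f"EAP_REQUEST(type={s.innerEAPType})"
    if s.currentState == "WAIT_FOR_CAPABILITIES_RESPONSE":
        s.isFragmentationAllowed = False
        if not s.identityValid:
            s.currentState = "FAILURE_TLV_SENT"
            return FAILURE
        if s.isSoHEnabled:
            s.currentState = "WAIT_FOR_SOH_RESPONSE"
            return "SOH_REQUEST_TLV"
        s.currentState = "PHASE2_EAP_INPROGRESS"
        return start_inner
    if s.currentState == "WAIT_FOR_SOH_RESPONSE":
        s.currentState = "PHASE2_EAP_INPROGRESS"
        return start_inner
    if s.currentState == "PHASE2_EAP_INPROGRESS":
        proposed = nak_first_type(pkt)
        if proposed is not None and proposed in s.innerEAPAuthenticationMethods:
            s.innerEAPType = proposed
            return f"INNER_FIRST_PACKET(type={proposed})"
        # Assumption: a truncated or empty NAK is treated as "not present".
        s.currentState = "FAILURE_TLV_SENT"
        return FAILURE
    return "IGNORED"  # any other state: the packet is ignored
```

The bounds check in nak_first_type matters because the PHASE2_EAP_INPROGRESS branch reads a byte from peer-controlled input before deciding which inner method to start.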