3.2.5.4.2 Received PEAP Request

If the currentState variable is set to PEAP_PHASE1_INPROGRESS, then:

  1. Change the Type field in the PEAP packet to EAP-TLS [IANA-EAP], and process the packet as specified in [RFC5216].

  2. Prepare the EAP Response packet as specified in [RFC5216].

  3. Change the Type field to PEAP, and then send the packet to the server.

If currentState is set to TUNNEL_ESTABLISHED, INNER_IDENTITY_SENT, or PHASE2_EAP_INPROGRESS, then:

  1. Pass the Data field in the PEAP packet to the TLS layer for decryption using the DecryptMessage method.

  2. If the decrypted data returned by DecryptMessage is compressed data, apply the decompression method as specified in section 3.1.5.6.

  3. If the currentState is set to TUNNEL_ESTABLISHED, then:

    1. If the decrypted data matches an SoH Request TLV (section 2.2.8.2.1), then process the data as specified in section 3.2.5.4.5.

    2. If the decrypted data matches the EAP TLV Extensions Method (section 2.2.8.1), then process the data as specified in section 3.2.5.4.7.

    3. If the decrypted data matches the Identity Request packet, then process the data as specified in section 3.2.5.4.

    4. Ignore the packet if the decrypted data does not match the earlier conditions.

  4. If currentState is set to INNER_IDENTITY_SENT, then:

    1. If the decrypted data matches the Capabilities Negotiation Request, then process the data as specified in section 3.2.5.4.6.

    2. If the decrypted data matches an SoH Request TLV, then process the data as specified in section 3.2.5.4.5.

    3. If the decrypted data matches the EAP TLV Extensions Method, then process the data as specified in section 3.2.5.4.7.

    4. If the decrypted data does not match the previous conditions, then check if the first byte matches InnerEapType. If it does not match, then prepare an EAP Nak packet ([RFC3748] section 5.3.1) with the Type-Data field set to InnerEapType, and then call the Compress_Encrypt_Send method (section 3.1.5.2.3). Otherwise, prepare an EAP packet with the fields set as follows:

      • Code: PEAP packet Code

      • Identifier: PEAP packet Identifier

      • Length: Length of the decrypted data + 4

      • Type: InnerEapType

      • Data: Decrypted data

       Pass the previously prepared EAP packet to the inner EAP method and, when the inner EAP method returns an EAP Response packet, call the Compress_Encrypt_Send routine and then set currentState to PHASE2_EAP_INPROGRESS.

  5. If currentState is set to PHASE2_EAP_INPROGRESS, then:

    1. If the decrypted data matches the EAP TLV Extensions Method, then process the data as specified in section 3.2.5.4.7.

    2. If the first byte of the decrypted data does not match InnerEapType, then ignore the packet, otherwise prepare an EAP packet with the fields set as follows:

      • Code: PEAP packet Code

      • Identifier: PEAP packet Identifier

      • Length: Length of the decrypted data + 4

      • Type: InnerEapType

      • Data: Decrypted data

       Pass the EAP packet prepared earlier to the inner EAP method and, when the inner EAP method returns an EAP Response packet, call Compress_Encrypt_Send (section 3.1.5.2.3).

If currentState is not set to PEAP_PHASE1_INPROGRESS, TUNNEL_ESTABLISHED, INNER_IDENTITY_SENT, or PHASE2_EAP_INPROGRESS, then the packet is ignored.
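
The InnerEapType branch of the INNER_IDENTITY_SENT and PHASE2_EAP_INPROGRESS steps above, as an added Python example that is not part of the specification: a type mismatch produces an EAP Nak in the first state but is silently ignored in the second. The function names, the action strings, and the reading that the Type byte is the first byte of the decrypted data (which is why Length is the decrypted length + 4) are assumptions.

```python
import struct

# State names are from the section; the action strings returned are hypothetical.
INNER_IDENTITY_SENT = "INNER_IDENTITY_SENT"
PHASE2_EAP_INPROGRESS = "PHASE2_EAP_INPROGRESS"
EAP_RESPONSE = 2  # EAP Code: Response (RFC 3748)
EAP_TYPE_NAK = 3  # EAP Type: Nak (RFC 3748 section 5.3.1)


def rebuild_inner_eap(code, identifier, decrypted):
    """Prepend Code, Identifier and Length (decrypted length + 4) to the data."""
    length = len(decrypted) + 4
    if length > 0xFFFF:  # Length is a 16-bit field
        raise ValueError("decrypted data does not fit an EAP packet")
    return struct.pack("!BBH", code, identifier, length) + decrypted


def build_nak(identifier, inner_eap_type):
    """EAP Nak whose Type-Data field is the configured InnerEapType."""
    return struct.pack("!BBHBB", EAP_RESPONSE, identifier, 6,
                       EAP_TYPE_NAK, inner_eap_type)


def dispatch_inner(state, code, identifier, decrypted, inner_eap_type):
    """Return (action, packet, next_state) for decrypted, decompressed data.

    The caller has already ruled out the SoH, capabilities and TLV matches.
    """
    # Assumption: empty data has no first byte, so it counts as a mismatch.
    matches = bool(decrypted) and decrypted[0] == inner_eap_type
    if state == INNER_IDENTITY_SENT and not matches:
        return ("send_nak", build_nak(identifier, inner_eap_type), state)
    if state in (INNER_IDENTITY_SENT, PHASE2_EAP_INPROGRESS) and matches:
        packet = rebuild_inner_eap(code, identifier, decrypted)
        # The state change applies once the inner method's response is sent.
        return ("to_inner_method", packet, PHASE2_EAP_INPROGRESS)
    return ("ignore", None, state)


if __name__ == "__main__":
    # Constructed sample: InnerEapType 26 with four bytes of method data.
    sample = bytes([26, 0x01, 0x07, 0x00, 0x05])
    print(dispatch_inner(INNER_IDENTITY_SENT, 1, 7, sample, 26))
    print(dispatch_inner(INNER_IDENTITY_SENT, 1, 7, b"\x04\x00", 26))
    print(dispatch_inner(PHASE2_EAP_INPROGRESS, 1, 7, b"\x04\x00", 26))
```
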