3.3.5.4.2 Received PEAP Response

If the currentState variable is set to PEAP_PHASE1_INPROGRESS, then:

  1. Change the Type field in the PEAP packet to EAP-TLS (as specified in [IANA-EAP]), and process the packet as specified in [RFC5216].

  2. Prepare the EAP Request packet as specified in [RFC5216].

  3. Change the Type field to PEAP, then send the packet to the client.

If currentState is set to INNER_IDENTITY_REQ_SENT, WAIT_FOR_SOH_RESPONSE, WAIT_FOR_CAPABILITIES_RESPONSE, PHASE2_EAP_INPROGRESS, SUCCESS_TLV_SENT, or FAILURE_TLV_SENT, then:

  1. Pass the Data field in the PEAP packet to the TLS layer for decryption using the DecryptMessage method.

  2. If the decrypted data returned by DecryptMessage is compressed data as specified in section 3.1.5.6, then apply the decompression method as specified in section 3.1.5.6.

  3. If currentState is set to INNER_IDENTITY_REQ_SENT, then:

    1. If the first byte of the decrypted data matches one (Identity type), then process the data as specified in section 3.3.5.4.3; otherwise, ignore the packet.

  4. If currentState is set to WAIT_FOR_SOH_RESPONSE, then:

    1. If the decrypted data matches SoH TLV (section 2.2.8.2.2) in the SoH EAP Extensions Method (section 2.2.8.2), then process the data as specified in section 3.3.5.4.6.

    2. If the decrypted data matches the EAP Nak packet, then process the data as specified in section 3.3.5.4.5.

    3. If the decrypted data does not match the earlier conditions, then ignore the packet.

  5. If currentState is set to WAIT_FOR_CAPABILITIES_RESPONSE, then:

    1. If the decrypted data matches the Capabilities Method Response (section 2.2.8.3.2), then process the data as specified in section 3.3.5.4.4.

    2. If the decrypted data matches the EAP Nak packet, then process the data as specified in section 3.3.5.4.5.

    3. If the decrypted data does not match the earlier conditions, then ignore the packet.

    4. If the decrypted data does not match the earlier conditions, then create a Capabilities Method Response with the F bit set to zero and process it as specified in section 3.3.5.4.4.

  6. If currentState is set to PHASE2_EAP_INPROGRESS, then:

    1. If the decrypted data matches the EAP Nak packet, then process the data as specified in section 3.3.5.4.5.

    2. If the decrypted data does not match the earlier condition, then check if the first byte matches InnerEapType. If it does not match, then ignore the packet; otherwise, prepare an EAP packet with the fields set as follows:

      • Code: PEAP packet Code

      • Identifier: PEAP packet Identifier

      • Length: Length of the decrypted data + 4

      • Type: InnerEapType

      • Data: Decrypted data

       Pass the EAP packet prepared earlier to the inner EAP method. When the inner EAP method returns an EAP Request packet, call the Compress_Encrypt_Send method (section 3.1.5.2.3).

  7. If currentState is set to SUCCESS_TLV_SENT or FAILURE_TLV_SENT, then:

    1. If the decrypted data does not match an EAP TLV Extensions Method (section 2.2.8.1), then ignore the packet; otherwise, process the data as specified in section 3.3.5.4.7.

If currentState is not set to PEAP_PHASE1_INPROGRESS, INNER_IDENTITY_REQ_SENT, WAIT_FOR_SOH_RESPONSE, WAIT_FOR_CAPABILITIES_RESPONSE, PHASE2_EAP_INPROGRESS, SUCCESS_TLV_SENT, or FAILURE_TLV_SENT, then the packet is ignored.
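
The following Python sketch is an added example, not code from the specification. It covers only steps 3 and 6 above (INNER_IDENTITY_REQ_SENT and PHASE2_EAP_INPROGRESS), applied to data that has already been decrypted and decompressed. The function names, the returned action labels, the Nak match on type value 3 from RFC 3748, and the rejection of payloads that overflow the 16-bit Length field are assumptions of the example.

```python
import struct

EAP_TYPE_IDENTITY = 1  # "one (Identity type)" in step 3
EAP_TYPE_NAK = 3       # assumption: "EAP Nak packet" is matched on the RFC 3748 Nak type
EAP_HEADER_LEN = 4     # Code (1) + Identifier (1) + Length (2)


def rebuild_inner_eap(code, identifier, decrypted):
    """Prepend Code, Identifier and Length (= len(decrypted) + 4) to the payload.

    Interpretation used here: the first byte of `decrypted` is the Type, so the
    Type and Data fields of the rebuilt packet are the payload itself.
    """
    length = len(decrypted) + EAP_HEADER_LEN
    if length > 0xFFFF:
        raise ValueError("payload does not fit the 16-bit EAP Length field")
    return struct.pack("!BBH", code, identifier, length) + decrypted


def dispatch(current_state, code, identifier, decrypted, inner_eap_type):
    """Return (action, data) for the two states this example covers."""
    if not decrypted:
        return ("ignore", None)  # no first byte to compare against
    first = decrypted[0]
    if current_state == "INNER_IDENTITY_REQ_SENT":
        if first == EAP_TYPE_IDENTITY:
            return ("process_identity", decrypted)  # section 3.3.5.4.3
        return ("ignore", None)
    if current_state == "PHASE2_EAP_INPROGRESS":
        if first == EAP_TYPE_NAK:
            return ("process_nak", decrypted)  # section 3.3.5.4.5
        if first != inner_eap_type:
            return ("ignore", None)
        try:
            packet = rebuild_inner_eap(code, identifier, decrypted)
        except ValueError:
            return ("ignore", None)  # assumption: oversize payloads are dropped
        return ("to_inner_method", packet)
    raise ValueError("state not covered by this example: " + current_state)


if __name__ == "__main__":
    # Constructed sample: inner type 26, PEAP Response (Code 2), Identifier 7.
    print(dispatch("PHASE2_EAP_INPROGRESS", 2, 7, b"\x1a\xaa\xbb", 26))
```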