commoncriteria / authserver

Authentication Server
The Unlicense

FTP_DIT_EXT.1 modifications #2

Closed jfisherbah closed 2 years ago

jfisherbah commented 3 years ago

Section 5.2.2 of the current draft Module includes a table that lists the capabilities that an app-based authentication server must have that is mapped to equivalent SFRs from the NDcPP. This needs to be changed into actual SFRs that are defined in the Module (i.e. the Additional SFRs section 5.2.2 needs to be fleshed out to define the requirements that this table currently just references).

One of the lines in this table is "The ability to use its own internal cryptographic module to establish an IPsec connection to the NAS." This will already need to be updated because the NAS connection can use either TLS or IPsec.

The trusted channels will be specified via modification of the App PP SFR FTP_DIT_EXT.1. Our proposal is to modify this SFR to force the selection of TLS (because this is always required in support of EAP-TLS) and then use an application note to specify that either TLS or IPsec should be selected for NAS connectivity. Is this acceptable?

ajlaing commented 3 years ago

EAP-TLS (or EAP-TTLS) will use mutually authenticated TLS to authenticate the user to the TSF; the connection to the NAS can be either IPsec or TLS, but RADSEC might be changing (see comment to #15).

jfisherbah commented 2 years ago

This is no longer relevant because there is no App PP base anymore. Closing.