3.2.5.2 Phase 1 (TLS Tunnel Establishment)

The first PEAP packet received from the PEAP server is the PEAP start packet. It specifies the version of the PEAP protocol and indicates that the PEAP server is prepared to begin the PEAP phase 1 negotiation. Implementations MUST reset the TLS session upon receiving a PEAP packet with the S flag on packets other than the first packet. Implementations MUST set the EAP Type field of all PEAP packets to 25 (PEAP).

Once the PEAP version is negotiated, all subsequent PEAP request and response packets MUST include the negotiated version. The PEAP peer MUST set the PEAP version to 0 in PEAP responses, regardless of the version sent in the initial or subsequent PEAP requests. The PEAP server MUST set the PEAP version to 0 in PEAP requests. When a peer negotiates a version other than zero, the PEAP server MUST fail the authentication by sending an EAP failure packet.

The PEAP peer response begins the negotiation of a TLS (as specified in [RFC2246]) with the PEAP server. The TLS tunnel can be established via a TLS session resume (as specified in [RFC2246] section F.1.4).

Note that PEAP relies on the TLS Protocol [RFC2246] to manage the TLS session (including the handling of any error or other conditions that occur within the TLS Protocol). The TLS packets are exchanged encapsulated in PEAP packets as explained in section 3.1.5.4.