An Extension for EAP-Only Authentication in IKEv2

Document Type Replaced Internet-Draft (individual)
Authors Pasi Eronen  , Yaron Sheffer  , Hannes Tschofenig 
Last updated 2010-03-02 (latest revision 2009-10-20)
Replaced by RFC 5998
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Replaced by draft-ietf-ipsecme-eap-mutual
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


IKEv2 specifies that EAP authentication must be used together with public key signature based responder authentication. This is necessary with old EAP methods that provide only unilateral authentication using, e.g., one-time passwords or token cards. This document specifies how EAP methods that provide mutual authentication and key agreement can be used to provide extensible responder authentication for IKEv2 based on methods other than public key signatures.


Pasi Eronen (
Yaron Sheffer (
Hannes Tschofenig (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)