It seems like EAP is just sending a string to be displayed at the client end, and the client (with the help of the human) constructs a string to be sent back. So, why is it necessary to have the legacy authentication type sent by Bob in message 4? It doesn't look like the client does anything different based on the legacy authentication type.

Radia