The server-side certificate serves 2 major purposes: (1) validate the AS and (2) create an encrypted TLS tunnel. Then why, on page no. 152 (figure 4.29, EAP-TLS process), is there no tunnel, even though the client verifies the AS via the server-side certificate? Using a tunnel for the client certificate is not necessary, but still, a tunnel should be created automatically after verifying the server-side certificate. Kindly advise me.
Can anyone please advise me?
EAP-TLS does not use a tunnel by default, but there is an optional setting to use a tunnel. Creating a tunnel is extra overhead in the exchange, and it is not necessary in EAP-TLS because the server and client credentials are X.509 certificates, which are inherently secure from eavesdropping. Other EAP types, like PEAP-MSCHAPv2 or EAP-TTLS, use a less secure client authentication method, so the TLS tunnel secures the exchange from eavesdropping and potential attacks against the client's username/password.
Please let me know where the option to select a tunnel is. Is this on the supplicant? I am using the Cisco client utility, but I am unable to see any option regarding it.
Server-side identification/authentication must be selected in the supplicant (wpa_supplicant, WinXP, Vista, Windows, Cisco, etc.).
Tunnel type must be selected on the AS, actually the RADIUS server. For example, in the FreeRADIUS eap.conf file:
eap-tls (for a mutually authenticated tunnel)
eap-ttls, eap-peap (for a server-side authenticated tunnel)
Hope this helps,
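As an added illustration (not from the thread or the FreeRADIUS project), here is how those choices look in a FreeRADIUS 2.x-style eap.conf: default_eap_type picks the tunnel type, the shared tls section holds the server certificate the supplicant must validate, and the ttls/peap sections wrap a weaker inner method. Certificate paths, the key password and the "inner-tunnel" virtual server name are assumed placeholders.

```conf
# Added example: FreeRADIUS 2.x-style eap.conf (not from the original thread).
# Paths, the private key password and the virtual server name are placeholders.
eap {
    # EAP type offered first to supplicants:
    #   tls  -> EAP-TLS, mutual certificate auth, no extra inner tunnel
    #   peap -> server-authenticated TLS tunnel carrying MSCHAPv2
    #   ttls -> server-authenticated TLS tunnel carrying an inner method
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    # TLS settings used by EAP-TLS directly and by PEAP/TTLS for the tunnel.
    # certificate_file is what the supplicant sees; it only protects against a
    # rogue AS if the supplicant is configured to validate it against the CA.
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = CHANGE_ME_PLACEHOLDER
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # CA that issued the client certificates checked in EAP-TLS
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
    }

    # EAP-TTLS: the inner method runs inside the "inner-tunnel" virtual server,
    # so the username/password never cross the air unencrypted.
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # PEAP: same tunnel idea, inner method EAP-MSCHAPv2 (needs mschapv2 below).
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```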