EAP-TLS and EAP-TTLS - Requirements
Last Post: June 22, 2006:
I am trying to understand what the requirements are for EAP-TLS and EAP-TTLS.
EAP-TLS uses a client-side and a server-side certificate to allow the client to authenticate the server and the server to authenticate the client. This requires a PKI to manage the certificates, but what I'm trying to establish is whether a username/password is required from the user after the certificate exchange. Do the certificates actually provide the authentication to allow the device to associate, or do they provide the encrypted tunnel to allow the user's password to be transported? I am trying to understand if an EAP-TLS implementation involves a backend database such as Active Directory.
EAP-TTLS does not require client certificates and therefore does not require a PKI, correct? The server is authenticated by the client using the server-side certificate, which establishes the secure tunnel, and this is used to transport the user's username/password, which can then be checked by the RADIUS server against a backend DB such as Active Directory.
Since EAP-TLS already uses a certificate to validate the client's identity, is the username/password used as part of the EAP-TLS process?
If anyone who has implemented EAP-TLS or understands it in more detail can provide me with more information, it would be much appreciated.
You can get the M$ guide from the link mentioned below.
I believe you are talking about user authentication and device authentication. The presence of a valid certificate on a device authenticates the device, and it can be used to set up the tunnel between the device and the server; the user credentials can then be exchanged and verified through this secure tunnel.
See the link mentioned below.
First, a Transport Layer Security (TLS) tunnel is built between the client and the TTLS/PEAP server. This tunnel protects the transmission of the client's credentials, such as username and password. Once the user's credentials are authenticated, a second TLS tunnel is built so that encryption key information can be sent to the client. After the client has the encryption key data, the TLS tunnels are torn down and all communication is secured using WEP, TKIP (WPA) or AES depending on the device capabilities.
Thanks for your reply, but I'm still not convinced about the username/password bit when using EAP-TLS.
If you look at the process flow diagram here (Figure 4-2):
It shows that prior to the certificate exchange the client sends a user ID (which is sent in cleartext). The certificate exchange happens, and following this the encryption keys are sent to the client. This would then allow the client to associate to the wireless AP and exchange data with no password?
EAP-TLS is one of the sub-protocols available in 802.1X for authentication purposes. You rightly mentioned that it uses a client and a server certificate for mutual authentication. Now your queries are:
1) Do the certificates actually provide the authentication to allow the device to associate, or do they provide the encrypted tunnel to allow the user's password to be transported?
Ans: Certificates actually provide authentication. Also, at the client side, a user certificate allows the user to authenticate to the wireless network (on any machine), and a machine certificate allows the machine to get access to the network.
2) I am trying to understand if an EAP-TLS implementation involves a backend database such as Active Directory.
Ans: Yes, EAP-TLS does involve Active Directory-type backend databases. Only those users/computers which are registered with Active Directory can get certificates.
3) Since EAP-TLS already uses a certificate to validate the client's identity, is the username/password used as part of the EAP-TLS process?
Ans: Getting a certificate does require a username/password exchange through a challenge-response technique, but I don't think they are required once you have certificates in place.
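The difference the thread is circling around (certificate as the credential in EAP-TLS versus server-only certificate plus a tunnelled username/password in EAP-TTLS) is easiest to see from the supplicant's point of view. The following wpa_supplicant.conf fragment is an added example and is not from any post in this thread or from a vendor guide; the SSIDs, identities, certificate paths and the RADIUS server name are assumed. It also covers the point raised in the reply quoting the TTLS/PEAP tunnel description: the inner credential only exists in the TTLS block.

```conf
# wpa_supplicant.conf: two network blocks side by side (constructed example).
# SSIDs, identities, file paths and the server name are assumptions.

# EAP-TLS: the client certificate *is* the credential. There is no password
# directive in this block. The only secret is the private key; the optional
# private_key_passwd just unlocks the key file locally and never goes on the air.
network={
    ssid="corp-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"            # EAP-Identity: sent in cleartext before the TLS handshake
    ca_cert="/etc/ssl/certs/corp-ca.pem"    # CA that must have issued the RADIUS server certificate
    client_cert="/etc/ssl/certs/alice.pem"  # client certificate presented inside the TLS handshake
    private_key="/etc/ssl/private/alice.key"
    private_key_passwd="local-key-passphrase"
    domain_suffix_match="radius.example.com"  # pin the server certificate's name (newer wpa_supplicant releases)
}

# EAP-TTLS: no client certificate. Only the server presents one; the client
# must verify it (ca_cert plus name match) before sending a username/password
# through the tunnel, which the RADIUS server checks against its backend
# (Active Directory, LDAP, a local users file, ...).
network={
    ssid="corp-eap-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"  # outer identity is cleartext, so send a placeholder
    identity="alice"                            # real username, only ever sent inside the tunnel
    password="alice-password"                   # inner credential; absent from the EAP-TLS block above
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"                      # inner method; auth=PAP is also common with LDAP/AD bind
}
```

Two checks a practitioner would want to confirm against this: first, with `eap=TLS` there is nothing for the RADIUS server to look up in a password store, so any backend involvement is limited to deciding whether the presented certificate (and the identity it names) is still authorised, which is why certificate revocation matters for EAP-TLS in the way password resets matter for EAP-TTLS. Second, in the TTLS block the `ca_cert` and name-match lines are what make the server-side certificate an authentication of the server rather than just a tunnel; if they are omitted, wpa_supplicant will build the tunnel to any access point that presents a certificate and hand over the inner credential to it.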