I was reading through my new edition of the CWSP study guide last night, and the description of EAP-TTLS caught my eye. In the book it says that TTLS is essentially the same as PEAP but just allows the use of other inner authentication types. Well, a colleague of mine had told me a few years ago that TTLS was stronger than PEAP, so this didn't seem to make sense to me as an explanation. I asked him what he meant, and his response was that TTLS encrypts both the inner and outer layers with TLS. I then proceeded to look around the net a bit and found the TTLSv1 RFC to read. This explained that TTLSv1 uses the outer TLS auth in a similar way to PEAP, but that the inner auth now also uses TLS/IA to encrypt the AVP conversation with the RADIUS server. Although this doesn't seem to make the explanation in the study guide wrong, it does seem that the explanation there is overly simplistic and doesn't explain well why TTLS is more secure than PEAP.
Comments anyone? Did I read all this correctly?