I have 2 questions.
EAP protocols that utilize mutual authentication provide "seeding material" that can be used to generate encryption keys dynamically. Mutual authentication validates both the supplicant and the AS.
The supplicant uses the server certificate to establish an encrypted TLS tunnel.
Validating the AS is not mandatory for most EAP protocols. We may validate only the supplicant.
First Q :
In that case, is there a TLS tunnel even if the supplicant doesn't validate the server certificate?
Second Q :
In that case, where does the "seeding material" come from if there isn't mutual authentication, so no server certificate validation?
Thanks in advance for your help.
Just to clarify, when you say "validating the AS is not mandatory", are you referring to the checkbox on the supplicant (as in Microsoft OSs) that says "validate server certificate?" If so, that is a bit of a different thing altogether. If you leave that deselected, it does not bypass mutual authentication. It still does all the same EAP exchanges, TLS tunnel construction, supplicant authentication, key derivation, etc., but the supplicant simply does not compare the server's certificate against its trusted certificate store. In other words, it would accept any server certificate as valid.
Leaving this box unchecked is certainly not recommended, but if you were to leave it unchecked, it doesn't change the EAP process in any way. The only thing it changes is how (if it does at all) the supplicant "validates" the server's certificate (and of course, whether the exchange is considered secure).
So, First Q: yes!
Second Q: It is still mutual authentication in the sense that both the AS and the supplicant are submitting credentials to one another (a requirement for dynamic key generation). The client is just being configured to trust any server certificate it receives. I know, it doesn't sound like mutual authentication, but the protocol mechanics are just the same, so the seeding material doesn't change.
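As an added example (not part of the original posts), here is the key derivation the answer is talking about, written out in Python. In EAP-TLS (RFC 5216, section 2.3) the "seeding material" is the MSK/EMSK derived from the TLS master secret and the two handshake randoms; note that nothing in this derivation takes "did the supplicant check the server certificate against its trust store" as an input, which is why unchecking the box changes the security of the exchange but not the key material. The example assumes a TLS 1.2 negotiation (so the TLS PRF is P_SHA256 from RFC 5246), and the master secret and randoms are constructed sample values, not real captured ones; the hypothetical helper names are mine.

```python
import hmac
import hashlib
import os


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): PRF(secret, label, seed) = P_SHA256(secret, label || seed).

    P_hash expands the secret by chaining HMACs:
        A(0) = seed, A(i) = HMAC(secret, A(i-1))
        P    = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    """
    full_seed = label + seed
    a = full_seed           # A(0)
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_key_material(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5216, section 2.3 (assumed TLS 1.2 PRF):

        Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                                   client.random || server.random)
        MSK  = Key_Material(0, 63)
        EMSK = Key_Material(64, 127)

    The 802.11 PMK is the first 32 bytes of the MSK, which is what the
    authenticator and supplicant feed into the 4-way handshake.
    """
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS master secret is 48 bytes; each random is 32 bytes")

    key_material = tls12_prf(
        master_secret,
        b"client EAP encryption",
        client_random + server_random,
        128,
    )
    msk = key_material[:64]
    emsk = key_material[64:128]
    return {"MSK": msk, "EMSK": emsk, "PMK": msk[:32]}


# Constructed sample inputs (hypothetical; a real supplicant gets these from its
# TLS library after the handshake completes, validated server cert or not).
SAMPLE_MASTER_SECRET = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32


def derive_sample() -> dict:
    """Derive MSK/EMSK/PMK from the constructed sample values above."""
    return eap_tls_key_material(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)


if __name__ == "__main__":
    keys = derive_sample()
    for name, value in keys.items():
        print(f"{name} ({len(value)} bytes): {value.hex()}")
    # Different handshake randoms give entirely different session keys,
    # which is the "dynamic" part of dynamic key generation.
    other = eap_tls_key_material(SAMPLE_MASTER_SECRET, os.urandom(32), os.urandom(32))
    print("MSK differs across sessions:", other["MSK"] != keys["MSK"])
```

The point to take from the code is that the inputs are the TLS master secret and the handshake randoms only; whether the supplicant compared the server's certificate to its trust store never enters the calculation. What certificate validation buys you is assurance that the master secret was agreed with the real AS rather than a rogue one, not a different or "stronger" MSK.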
You have answered my questions :-) Thanks a lot.
I was referring to the checkbox on the supplicant. Everything is clear now. No doubt anymore.