EAP-TLS vs. EAP-TTLS

Jouni Malinen j at w1.fi
Tue Aug 12 11:48:21 EDT 2008


On Tue, Aug 12, 2008 at 01:45:55PM +0200, Martin Schneider wrote:

> EAP-TLS is *only* used for mutual authentication based on certificates
> between client and server. But it won't establish a TLS tunnel that can be
> used for executing other/additional EAP methods.

Yes, or well, to be exact, EAP-TLS is actually completing the TLS
handshake and in some sense, the tunnel would be established for
application data, it is just not used in practice since EAP-TLS is
completed at that point.

> When I need a secure tunnel for executing more EAP methods I need EAP-TTLS?

Or EAP-PEAP or EAP-FAST..

> In EAP-TTLS, mutual authentication is optional, but can be performed like in
> EAP-TLS.

Yes, mutual authentication using TLS is optional; the peer will need to
authenticate the server for this to be secure, but the server can
authenticate the peer based on tunneled authentication (e.g., using a
password).

-- 
Jouni Malinen                                            PGP id EFC895FA
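To make the distinction in the thread concrete, here is an added example (not part of the original mail, and not the project's shipped configuration) with two wpa_supplicant network blocks: one for EAP-TLS, where both sides are authenticated by certificates, and one for EAP-TTLS, where the server is authenticated by its certificate and the peer by a password inside the tunnel. SSIDs, identities, file paths and the RADIUS host name are assumed placeholders.

```conf
# Added example, not from the original message. All names and paths are
# placeholders; adjust them to the deployment.

# EAP-TLS: mutual authentication purely by certificates. The client presents
# its own certificate and key; the server presents its certificate, which the
# peer verifies against ca_cert. No inner (phase 2) method runs.
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.key"
    private_key_passwd="changeme"
    # Pin the expected server name so any certificate from the same CA
    # is not enough (supported in current wpa_supplicant versions).
    domain_suffix_match="radius.example.com"
}

# EAP-TTLS: the server is authenticated through TLS (ca_cert is still required
# for this to be secure), the peer is authenticated inside the tunnel with a
# password via the phase 2 method.
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="changeme"
    ca_cert="/etc/cert/ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The point made above about EAP-TTLS maps directly onto the second block: if ca_cert is left out, wpa_supplicant does not verify the server certificate, so the tunnel can be terminated by any server presenting any certificate, and the password-based inner authentication is then exposed to it. Server verification is therefore the part that must not be made optional even though mutual TLS authentication is.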

