EAP-TLS vs. EAP-TTLS
Jouni Malinen
Tue Aug 12 08:48:21 PDT 2008
On Tue, Aug 12, 2008 at 01:45:55PM +0200, Martin Schneider wrote:
> EAP-TLS is *only* used for mutual authentication based on certificates
> between client and server. But it won't establish a TLS tunnel, that can be
> used for executing other/additional EAP methods.
Yes, or well, to be exact, EAP-TLS is actually completing the TLS
handshake and in some sense, the tunnel would be established for
application data, it is just not used in practice since EAP-TLS is
completed at that point.
> When I need a secure tunnel for executing more EAP methods I need EAP-TTLS?
Or EAP-PEAP or EAP-FAST..
> In EAP-TTLS, mutual authentication is optional, but can be performed like in
> EAP-TLS.
Yes, mutual authentication using TLS is optional; the peer will need to
authenticate the server for this to be secure, but the server can
authenticate the peer based on tunneled authentication (e.g., using a
password).
--
Jouni Malinen PGP id EFC895FA
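The distinction drawn in the reply above, as an added configuration example that is not part of the original message and not taken from the hostap project's own documentation: two wpa_supplicant network blocks, one using EAP-TLS (certificates on both sides, nothing carried inside the tunnel) and one using EAP-TTLS (server authenticated by TLS, peer authenticated by a password inside the tunnel). SSIDs, identities, file paths and the password are placeholders; `domain_suffix_match` is assumed to be available, as it was added to wpa_supplicant in release 2.1, well after this 2008 thread.

```conf
# Added example (not from the original message). Placeholder SSID, identities,
# paths and secrets; adjust to the deployment.

# EAP-TLS: mutual authentication by certificates. The TLS handshake completes
# the method, so no inner EAP method runs and no password is configured.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    # Trust anchor used to verify the RADIUS server certificate
    # (this is the peer authenticating the server).
    ca_cert="/etc/wpa_supplicant/ca.pem"
    # Client certificate and private key
    # (this is the server authenticating the peer).
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="replace-me"
    # Pin the expected server name so that any other certificate chaining to
    # the same CA is still rejected (assumes wpa_supplicant >= 2.1).
    domain_suffix_match="radius.example.org"
}

# EAP-TTLS: only the server is authenticated by TLS. The peer is authenticated
# by the phase 2 method carried inside the tunnel (here MSCHAPv2 with a
# password), which is exactly why server authentication must not be skipped.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity is sent in the clear; the real username stays in the tunnel.
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="replace-me"
    # If ca_cert were omitted, the tunnel would be built to whatever server
    # answers, and a rogue access point could collect the inner MSCHAPv2
    # exchange. Keep both the trust anchor and the name match.
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

The security-relevant difference between the two blocks is where the peer's credential lives: in the EAP-TLS block it is a private key that never leaves the host, while in the EAP-TTLS block it is a password whose protection rests entirely on the supplicant having verified the server before phase 2 starts. Omitting `ca_cert` from the second block produces a configuration that still connects, which is why it is the mistake worth checking for.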
More information about the Hostap mailing list