Martin Schneider martincschneider
Tue Aug 12 23:50:21 PDT 2008

Hello Jouni and others

Thanks for your reply.

> > EAP-TLS is *only* used for mutual authentication based on certificates
> > between client and server. But it won't establish a TLS tunnel, that can be
> > used for executing other/additional EAP methods.
> Yes, or well, to be exact, EAP-TLS is actually completing the TLS
> handshake and in some sense, the tunnel would be established for
> application data, it is just not used in practice since EAP-TLS is
> completed at that point.

Ok, so it is possible, but nobody uses it.

Just to be sure that I got everything right: the correct way is
executing EAP-TTLS (or PEAP or FAST), which will

a.) authenticate Server and optionally Client
b.) establish a secure tunnel between Client and Server
c.) execute (if needed) additional EAP methods secured by the tunnel.

Is this correct?

What I still do not understand is the difference between EAP-TTLS
(which optionally might authenticate the client using the client cert)
and EAP-TTLS / EAP-TLS. Is the only difference that, when I perform
EAP-TLS as the "inner" method, the username won't be visible in plaintext on
the wire, since EAP-TLS is executed via the tunnel?
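
As an added illustration (not part of the thread, and not configuration from the hostap project itself), the two variants discussed above as they would look as wpa_supplicant network blocks; the SSIDs, identities and certificate paths are placeholders.

```conf
# Added example; all names and paths below are placeholders.

# (1) Plain EAP-TLS: the certificate handshake itself is the authentication.
#     The EAP-Response/Identity carrying "identity" is sent in the clear, and
#     with TLS 1.0-1.2 the client certificate (and its subject name) is also
#     visible on the wire. No inner method runs once the handshake completes.
network={
    ssid="example-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/alice.pem"
    private_key="/etc/cert/alice.key"
    private_key_passwd="changeme"
}

# (2) EAP-TTLS with EAP-TLS as the inner (phase 2) method.
#     Phase 1 authenticates the server against ca_cert and builds the tunnel;
#     only anonymous_identity is visible outside it. The real identity and the
#     client certificate exchange (client_cert2/private_key2) run inside the
#     tunnel, which is the difference the question above is asking about.
network={
    ssid="example-ttls-tls"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    ca_cert="/etc/cert/ca.pem"
    phase2="autheap=TLS"
    ca_cert2="/etc/cert/ca.pem"
    client_cert2="/etc/cert/alice.pem"
    private_key2="/etc/cert/alice.key"
    private_key2_passwd="changeme"
}
```

Omitting ca_cert in either block disables server certificate validation, which is the setting to check first when reviewing such configurations.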
