EAP-TLS vs. EAP-TTLS
Tue Aug 12 23:50:21 PDT 2008
Hello Jouni and others
Thanks for your reply.
> > EAP-TLS is *only* used for mutual authentication based on certificates
> > between client and server. But it won't establish a TLS tunnel, that can be
> > used for executing other/additional EAP methods.
> Yes, or well, to be exact, EAP-TLS is actually completing the TLS
> handshake and in some sense, the tunnel would be established for
> application data, it is just not used in practice since EAP-TLS is
> completed at that point.
Ok, so it is possible, but nobody uses it.
Only for being sure that I got everything right: the correct way is
executing EAP-TTLS (or PEAP or FAST), that will
a.) authenticate Server and optionally Client
b.) establish a secure tunnel between Client and Server
c.) execute -if needed- additional EAP methods secured by the tunnel.
Is this correct?
What I still do not understand is the difference between EAP-TTLS
(that optionally might authenticate the client using the client cert)
and EAP-TTLS / EAP-TLS. Is the only difference, that when I perform
EAP-TLS as "inner" method, username won't be visible in plaintext on
the wire, since EAP-TLS is executed via the tunnel?
More information about the Hostap