EAP-TLS

EAP with Transport Layer Security (EAP-TLS) requires that both the station and the
RADIUS server authenticate themselves using public key cryptography, such as smart
cards or digital certificates.
The conversation is secured with an encrypted TLS tunnel, but only the
authentication exchange is encrypted. Once it completes, WEP, WPA, or WPA2 provides
the encryption of user data. Although this makes EAP-TLS resistant to dictionary
and man-in-the-middle (MitM) attacks, the station's identity (and the name bound to
its certificate) can still be harvested by an eavesdropper.
Because EAP-TLS is standard on Microsoft Windows XP, Windows 2000, and
Windows Server 2003, it is popular in Windows-based environments. Figure 4-2 shows
EAP-TLS in action.

The EAP-TLS authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client authenticates the server with a certificate.
4. The RADIUS server authenticates the client with a certificate.
5. The RADIUS server and the client agree on a WEP key.
6. A secure tunnel is established between the client and the server.
[Figure 4-2: EAP-TLS in action. Client, Access Point, Switch, and RADIUS Server, with steps 1 through 6 as listed above.]
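The exchange above rides inside EAP frames (RFC 3748 header, RFC 5216 EAP-TLS type-data). As an added example that is not from the book, the following Python parser decodes that framing; the sample frames are constructed, not captured, and the point it makes is that the Identity response sent before the TLS handshake, and the EAP-TLS flags, are plain text on the air, which is why the station's name is exposed even though the handshake itself is protected.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1   # RFC 3748 Identity
EAP_TYPE_TLS = 13       # RFC 5216 EAP-TLS

@dataclass
class EapFrame:
    code: str
    identifier: int
    eap_type: Optional[int]
    identity: Optional[str]        # cleartext identity if Type 1
    tls_start: bool                # EAP-TLS S flag (server's "Start")
    tls_more: bool                 # EAP-TLS M flag (more fragments follow)
    tls_total_len: Optional[int]   # TLS Message Length if L flag set
    tls_data: bytes                # TLS record bytes carried in this fragment

def parse_eap(frame: bytes) -> EapFrame:
    """Parse one EAP packet; raises ValueError on malformed input."""
    if len(frame) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in EAP_CODES or length < 4 or length > len(frame):
        raise ValueError("bad EAP code or length field")
    body = frame[4:length]
    if code in (3, 4):  # Success/Failure carry no Type byte
        return EapFrame(EAP_CODES[code], ident, None, None, False, False, None, b"")
    if not body:
        raise ValueError("Request/Response needs a Type byte")
    eap_type, data = body[0], body[1:]
    if eap_type == EAP_TYPE_IDENTITY:
        name = data.decode("utf-8", "replace")  # sent unencrypted
        return EapFrame(EAP_CODES[code], ident, eap_type, name, False, False, None, b"")
    if eap_type == EAP_TYPE_TLS:
        if not data:
            raise ValueError("EAP-TLS needs a Flags byte")
        flags, rest = data[0], data[1:]
        l_flag, m_flag, s_flag = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20)
        total = None
        if l_flag:  # first fragment of a multi-fragment TLS message
            if len(rest) < 4:
                raise ValueError("L flag set but TLS Message Length missing")
            total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        return EapFrame(EAP_CODES[code], ident, eap_type, None, s_flag, m_flag, total, rest)
    return EapFrame(EAP_CODES[code], ident, eap_type, None, False, False, None, data)

# Constructed sample frames (not captured traffic):
IDENTITY_RESPONSE = bytes([2, 1, 0, 22, 1]) + b"alice@example.com"   # station answers Identity request
TLS_START = bytes([1, 2, 0, 6, 13, 0x20])                             # server: EAP-TLS Start (S flag)
TLS_FRAGMENT = bytes([2, 2, 0, 13, 13, 0xC0]) + struct.pack("!I", 1000) + b"\x16\x03\x03"  # L+M set
```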
The downside to this method is that issuing a digital certificate to every station is
time-consuming, and most organizations prefer to use usernames and passwords for
wireless authentication. Protected EAP (PEAP), which is discussed later in this
chapter, is a good substitute for EAP-TLS.