(redirected from EAP-TLS)
Also found in: Dictionary, Medical, Acronyms, Wikipedia.
Related to EAP-TLS: EAP-TTLS


(Extensible Authentication Protocol) A protocol that acts as a framework and transport for other authentication protocols. EAP uses its own start and end messages, but then carries any number of third-party messages between the client (supplicant) and access control node such as an access point in a wireless network.

EAP and LANs

EAP originated with the dial-up PPP protocol in order to support protocols beyond PAP and CHAP. For use on packet networks, EAP Over LAN (EAPOL) was created. EAPOL added new message types and allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted via Ethernet. Following are various EAP methods used mostly in wireless networks, but also in wired networks. See 802.1X, WPA and 802.11i.

EAP-TLS (EAP-Transport Layer Security)
Uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. Client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. Both client and server use the pre-master to generate the same secret key.

Like EAP-TLS above except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or legacy method such as PAP and CHAP.

PEAP (Protected EAP)
Similar to EAP-TTLS above except it does not support legacy methods. It only moves EAP frames. Windows XP natively supports PEAP.

LEAP (Light EAP, Cisco LEAP)
From Cisco, first implementation of EAP and 802.1X for wireless networks. Uses preshared keys and MS-CHAP protocol to authenticate client and server to each other. Server generates and sends session key to access point. Client computes session key independently based on data received in the CHAP challenge.

(EAP-Flexible Authentication via Secure Tunneling)
Enhancement to LEAP from Cisco that provides an encrypted tunnel to distribute preshared keys known as "Protected Access Credential" (PAC) keys. PAC keys may be continuously refreshed to prevent dictionary attacks. EAP-FAST is defined in Cisco's Cisco Compatible Extensions (see CCX).

EAP-SIM (GSM Cellphones)
For GSM phones that switch between cellular and Wi-Fi networks, depending on which is in range. The Subscriber Identity Module (SIM) smart card in the GSM phone (see GSM) contains the secret key used for challenge/response authentication and deriving session keys for encryption.
References in periodicals archive ?
In an office setting, if you want to provide basic Internet access to guests, while also providing corporate network access to employees, you can use wireless VLANs to apply WPA for the former, while deploying WPA plus EAP-TLS or EAPTTLS, for the latter.
Aruba broadcast three network SSIDs at Black Hat USA 2011: one WPA pre-shared key (PSK) for the conference generally, one PEAP network with user self-registration and one EAP-TLS network (for iOS devices) with Aruba's Mobile Device Access Control (MDAC) solution.
The other five EAP types included in WPA2 Enterprise testing are: EAP-TLS, EAP-TTLS/MSCHAPv2, PEAPv0/EAP-MSCHAPv2, PEAPv1/EAP-GTC and EAP-SIM.
Secure WPA2-PSK WPA-PSK (TKIP), WEP-128, EAP-TLS for WPA1 and WPA2 authentication and a full set of networking functionality including DHCP, DNS, TCP/IP and UDP ensures the WiFly GSX module is compatible with existing WiFi infrastructure.
The module also includes support for EAP-TLS, EAP-TTLS, PEAP and LEAP with AES-CCMP supported in the hardware.
WiFi option, providing low cost integration with existing enterprise WiFi networks, and supporting enterprise WiFi security standards including TKIP, AES and EAP-TLS
1x authentication using EAP-TLS, EAP-GTC and EAP-MSCHAPv2 as the inner methods as well as PEAP/GTC; Addition of support for multiple international WWAN providers and hardware devices; and significant security enhancements for IT administrators to control Wi-Fi configurations and lock connections and usage of credentials for 802.
FIPS 140-2-certified algorithms, with military-grade encryption and key negotiation, including EAP-TLS and AES-CCMP using 802.