topic Re: Does EAP-TTLS support mandatory client side certificates? in Wireless

Does EAP-TTLS support mandatory client side certificates?

eveares — Mon, 05 Jul 2021 20:16:30 GMT

Hi all, in regards to Wi-Fi and specifically RADIUS in the general sense and in the scope of generic and non-Cisco proprietary implementations of Wi-Fi and RADIUS, does EAP-TTLS also support mandatory client side certificates like EAP-TLS does?

Also does EAP-TLS support active directory username/password authentication like EAP-TTLS does?

My understanding is EAP-TTLS supports AD credential authentication but not mandatory client side certificate authentication, and EAP-TLS supports mandatory client side certificate authentication but not AD credential authentication. Is this correct?

Regards: Elliott.

Re: Does EAP-TTLS support mandatory client side certificates?

saravlak — Thu, 06 May 2021 05:47:00 GMT

If you want to use 802.1X with EAP-TLS protocol then we need both client and server certificate and for EAP-PEAP/TTLS we need only server certificate, client side cert is optional.

Authentication mode can be User or Computer for EAP-PEAP/TLS/TTLS.

Re: Does EAP-TTLS support mandatory client side certificates?

Scott Fella — Thu, 06 May 2021 07:03:53 GMT

EAP-TLS is probably the most favored from security folks as it requires a client and server side certificate. This allows the radius server (if supported) to check various attributes before authentication happens. EAP-PEAP is next in line as this is probably the most implemented EAP type and used over EAP-TTLS. The later two doesn’t require a client side certificate but credentials.