802.1x EAP-TLS vs PEAP-EAP-TLS

Can anyone please explain the advantage (if any!) of using PEAP-EAP-TLS as opposed to just EAP-TLS for wired 802.1x deployments?

We are deploying wired 802.1x machine-based authentication and have a PKI infrastructure. I was under the impression that we just need to use EAP-TLS, since we have a working PKI deployment and all machines have a certificate.

The server guys seem to think we need to use PEAP with EAP-TLS, but can't really explain to me why. This just seems like extra work; is there any advantage? I can understand using PEAP for things like MS-CHAP authentication, but since we are using EAP-TLS anyway this seems pointless.

Thanks

4 Replies

Francesco Molino
VIP Alumni

Hi

EAP-TLS is based on client certificate authentication, while PEAP-EAP-TLS is based on server-side certificate authentication.

With PEAP-EAP-TLS, the first phase will be the encrypted tunnel with server-side authentication, and then all user-sensitive information is encrypted. With this method, no user certificate will be required. It's PEAP v1.

With EAP-TLS, you will need a user certificate to authenticate.

I attach an image that shows you the differences. Take a look at columns 2 and 4.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 



This is incorrect. PEAP-EAP-TLS encrypts the EAP-TLS certificate transfer with a PEAP tunnel. Certificates are still required on both the client and the server. There is just the added security of a TLS tunnel prior to the certificate exchange. PEAP-EAP-MSCHAPv2 only requires a server-side certificate, while the rest of the authentication is performed as user/pass.
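To show what that "added security" looks like on the wire, here is an added example (mine, not from any poster in this thread): a small Python parser for the EAP header plus the EAP-TLS/PEAP flags byte that reports which method is in use and whether a TLS Certificate message is readable in the clear. It assumes constructed sample frames rather than captured traffic and a TLS 1.2-style handshake; with plain EAP-TLS the supplicant's Certificate travels unencrypted, whereas with PEAP-EAP-TLS the inner EAP-TLS exchange only appears as opaque application_data records of the outer tunnel (the check does not apply to TLS 1.3, which encrypts the certificate anyway).

```python
import struct

EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TUNNELED = {21, 25}          # methods whose inner exchange rides inside a TLS tunnel
TLS_HANDSHAKE, TLS_APPDATA = 22, 23
HS_CERTIFICATE = 11          # TLS handshake message type "Certificate"

def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP Request/Response (RFC 3748 header) carrying a TLS-based method and
    report what an observer of the wire can read: method, RFC 5216 L/M/S flag bits,
    PEAP/TTLS version (low 3 bits) and whether a cleartext Certificate message is present."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (1, 2) or length != len(pkt):
        raise ValueError("not a complete EAP Request/Response")
    method, flags = pkt[4], pkt[5]
    info = {
        "code": code, "id": ident,
        "method": EAP_METHODS.get(method, f"type-{method}"),
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "tunnel_version": (flags & 0x07) if method in TUNNELED else None,
        "tls_record": None, "cert_in_clear": False,
    }
    offset = 10 if flags & 0x80 else 6     # 4-byte TLS Message Length follows when L is set
    tls = pkt[offset:]                     # TLS record: type(1) version(2) length(2) fragment
    if len(tls) >= 6 and tls[0] == TLS_HANDSHAKE:
        info["tls_record"] = "handshake"
        info["cert_in_clear"] = tls[5] == HS_CERTIFICATE   # first handshake msg type (TLS <= 1.2)
    elif len(tls) >= 5 and tls[0] == TLS_APPDATA:
        info["tls_record"] = "application_data"  # tunnel payload; inner EAP-TLS is opaque
    return info

def build_eap(code, ident, method, flags, record):
    """Build an EAP packet with the L flag set and one TLS record as payload."""
    body = bytes([method, flags | 0x80]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def tls_record(content_type, fragment):
    return bytes([content_type, 0x03, 0x03]) + struct.pack("!H", len(fragment)) + fragment

# Constructed samples, not captured traffic. The Certificate message carries an
# empty certificate_list; only its type byte matters for the check above.
CERT_MSG = b"\x0b\x00\x00\x03\x00\x00\x00"
EAP_TLS_RESPONSE = build_eap(2, 7, 13, 0x00, tls_record(TLS_HANDSHAKE, CERT_MSG))
PEAP_RESPONSE = build_eap(2, 8, 25, 0x01, tls_record(TLS_APPDATA, b"\x9a\x1f\xc0\x33\x7e\x04"))
```

Running `parse_eap` over both samples reports `cert_in_clear: True` for the plain EAP-TLS response and `application_data` with `tunnel_version: 1` for the PEAP response, which is the difference the corrected answer describes.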

Yes, you're right, and I'm sorry. I'm wondering why I answered this when the question was PEAP-EAP-TLS.

Maybe I thought (I read too quickly) the question was about EAP-TTLS, for which client authentication isn't required.

Thanks for having corrected the answer. 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Not a problem!