Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
286
Views
2
Helpful
3
Replies

EAP-TLS and peap protocol establish secure tunnel b/w client & server

Go to solution
palani2010
Level 1
Level 1

‎01-04-2025 04:58 PM

EAP-TLS and peap protocol establish secure tunnel b/w client & server

I.e., client is supplicant and server is radius server which is Cisco ise in my case.

Correct me if I am wrong

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ccieexpert
VIP
VIP

‎01-04-2025 06:23 PM

You are correct.. but i would add a few things to clarify.

The point of the tunnel / secure channel is to authenticate the endpoint for the most part.

with EAP-TLS both sides have certs and can be authenticate each other.

With PEAP the server will be authenticated by the client using the server cert, whereas the client will use username/password to do that.

there are many articles, one of them is below and you can also find youtube videos :

https://www.securew2.com/blog/everything-you-need-to-know-about-peap-security

**Please rate as helpful if this was useful**

https://www.securew2.com/blog/everything-you-need-to-know-about-peap-security

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ccieexpert
VIP
VIP

‎01-04-2025 06:23 PM

You are correct.. but i would add a few things to clarify.

The point of the tunnel / secure channel is to authenticate the endpoint for the most part.

with EAP-TLS both sides have certs and can be authenticate each other.

With PEAP the server will be authenticated by the client using the server cert, whereas the client will use username/password to do that.

there are many articles, one of them is below and you can also find youtube videos :

https://www.securew2.com/blog/everything-you-need-to-know-about-peap-security

**Please rate as helpful if this was useful**

https://www.securew2.com/blog/everything-you-need-to-know-about-peap-security

0 Helpful

Go to solution
palani2010
Level 1
Level 1
In response to ccieexpert

‎01-04-2025 06:54 PM

Thanks. We don't need username and password for eap-tls ?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-05-2025 03:38 AM

It is not as easy as it seems; the general answer is no. Not both establish a secure tunnel, but this needs some clarification:

For PEAP (same for EAP-TTLS, EAP-FAST, or TEAP), we have a potentially sensitive payload to protect, a password-based client authentication. A secure tunnel is built (typically with TLS), and the client authentication is done through the tunnel.

For EAP-TLS, this tunnel is typically not built. We usually have a TLS exchange where the server and client prove their identity with certificates and public key cryptography. Generally, there is no tunnel involved. But here comes the "it depends":

EAP-TLS (RFC 5216) has an optional privacy feature where a kind of tunnel would be established, and the client exchange could be done through this tunnel. But I am not aware of any system doing this. This changed with EAP-TLS for TLS 1.3 (RFC 9190). Here, the privacy exchange is mandatory, and we always do the whole EAP exchange through a TLS-protected tunnel.

If you run a newer version of ISE and your client supports it (like newer Apple devices), you could see the systems do this exchange with EAP-TLS 1.3.

Customers Also Viewed These Support Documents