10-07-2021 01:43 AM
Hello
I am not a networking person (I did pass my Cisco CCNA many years ago). I work in IAM (Active Directory and PKI).
I have a basic question related to EAP-TLS, please.
As I understand it, EAP-TLS uses an X509 certificate at the RADIUS server (Server authentication EKU) and at the supplicant (Client authentication EKU), and of course they both trust the issuing CA.
X509 certificates can be used for authentication in that if you both trust the CA and are happy with each other's certificate (not revoked, chains up OK etc.) then you in effect are saying I believe you are who you say you are (Subject/Common Name/UPN in the cert). Therefore is this not good enough to then let the client into the network, without a second factor of authentication, e.g. a username and password sent within the TLS tunnel?
For example, you can authenticate to Active Directory using an X509 certificate (Schannel, using UPN in the SAN of the certificate). Therefore do you still need to send username and password? Or is there an option to authenticate between RADIUS and Active Directory just based on the certificates?
Thanks very much in advance
EBrant
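The certificate checks described in the question above (a trusted issuing CA plus the Server/Client authentication EKU), as an added example that is not part of the original posts: a throwaway PKI built with the openssl CLI. All names (demo-ca, rogue-ca, example.test) are constructed, and revocation checking is not covered.

```shell
#!/bin/sh
# Constructed demo PKI; every name below (demo-ca, rogue-ca, example.test) is made up.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
# Minimal config so the result does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$W/req.cnf"

mk_ca() {  # mk_ca <name>: self-signed root CA
  openssl req -x509 -config "$W/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

issue() {  # issue <ca> <name> <eku> <san>: leaf certificate signed by <ca>
  openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=%s\n' "$3" "$4" > "$W/$2.ext"
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.pem" -CAkey "$W/$1.key" \
    -CAcreateserial -days 1 -extfile "$W/$2.ext" -out "$W/$2.pem" 2>/dev/null
}

check() {  # check <trusted-ca> <sslclient|sslserver> <cert>: prints accept or reject
  if openssl verify -CAfile "$W/$1.pem" -purpose "$2" "$W/$3.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

mk_ca demo-ca; mk_ca rogue-ca
# UPN carried as an otherName SAN (OID 1.3.6.1.4.1.311.20.2.3); the value is constructed.
UPN='otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@example.test'
issue demo-ca  radius serverAuth 'DNS:radius.example.test'
issue demo-ca  client clientAuth "$UPN"
issue rogue-ca rogue  clientAuth "$UPN"

# RADIUS side: the supplicant's certificate must chain to the trusted CA and allow client auth.
echo "client cert, trusted CA, clientAuth EKU: $(check demo-ca sslclient client)"
# Supplicant side: the RADIUS certificate must chain to the trusted CA and allow server auth.
echo "radius cert, trusted CA, serverAuth EKU: $(check demo-ca sslserver radius)"
# A serverAuth-only certificate presented as a client fails the EKU check.
echo "radius cert presented as a client:       $(check demo-ca sslclient radius)"
# Same UPN, but issued by a CA the verifier does not trust.
echo "client cert from untrusted CA:           $(check demo-ca sslclient rogue)"
```

The last case shows that the UPN in the SAN carries no weight on its own; it only counts once the chain to a trusted CA has verified.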
10-07-2021 02:56 AM
EAP-TLS is complete certificate-based machine authentication; you can have EAP-TEAP if you require machine+user authentication. But there is limited support available on certain devices for EAP-TEAP, so make sure that you research and test yourself with the expected clients to connect before deploying.
10-07-2021 12:04 PM
Hello Arshadsaf
Thanks very much for taking the time to reply to my question.
I would like to avoid using username and password, thanks again for the information