Does EAP-TTLS support mandatory client side certificates?

eveares · ‎05-05-2021

Hi all, in regards to Wi-Fi and specifically RADIUS in the general sense and in the scope of generic and non-Cisco proprietary implementations of Wi-Fi and RADIUS, does EAP-TTLS also support mandatory client side certificates like EAP-TLS does?

Also does EAP-TLS support active directory username/password authentication like EAP-TTLS does?

My understanding is EAP-TTLS supports AD credential authentication but not mandatory client side certificate authentication, and EAP-TLS supports mandatory client side certificate authentication but not AD credential authentication. Is this correct?

Regards: Elliott.

saravlak · ‎05-05-2021

If you want to use 802.1X with EAP-TLS protocol then we need both client and server certificate and for EAP-PEAP/TTLS we need only server certificate, client side cert is optional.

Authentication mode can be User or Computer for EAP-PEAP/TLS/TTLS.

Scott Fella · ‎05-06-2021

EAP-TLS is probably the most favored from security folks as it requires a client and server side certificate. This allows the radius server (if supported) to check various attributes before authentication happens. EAP-PEAP is next in line as this is probably the most implemented EAP type and used over EAP-TTLS. The later two doesn’t require a client side certificate but credentials.

-Scott
*** Please rate helpful posts ***