EAP-TLS vs EAP-PEAPv0 (EAP-TLS)
Last Post: April 18, 2011
-
Hello everyone,
Can someone please explain the difference between these two EAP methods? If you're going to use client side certificates, what's the best choice? Isn't EAP-PEAPv0 (EAP-TLS) pretty much EAP-TLS w/ privacy mode enabled?
Someone please help; a nice explanation of the technical and practical differences between the two would be greatly appreciated.
Thanks!
-
Hi Steve,
Nobody sent in a reply, so I'm going to have a stab at it.
***CWNP community, please correct me if I'm wrong***
I believe they are pretty much the same, but PEAP can only be used on a wireless network, where EAP-TLS can be used on a wired LAN.
-
Typically, EAP-PEAPv0 (MSCHAPv2) is supported on many more platforms (i.e., supplicants) than EAP-TLS. Also, PEAP only requires a server-side certificate, where TLS requires a client and a server-side cert, making it more expensive to deploy if you aren't already doing PKI.
-
Joel is correct (as usual), in that PEAPv0 (MSCHAPv2) is much more widely supported. It also happens to be much easier for organizations to implement when first getting into 802.1x authentication on any network (wired or wireless).
PEAPv1 (EAP-GTC) allows for client-side certificates in addition to server side certificates. It is not common to find support for PEAPv1 outside of Cisco clients (ADU, CSSC), but Windows 7 does support this functionality now. Also note that PEAPv1 can also support inner username / password or smart card authentication (hence EAP-GTC for generic token card).
EAP-TLS is functionally the same thing as PEAPv1 with inner EAP-TLS, but with much wider support. There are a few differences underneath the covers, such as EAP type negotiation. Also, EAP-TLS does not allow an anonymous outer identity, so usernames will be visible in plain-text. This could be useful reconnaissance for a hacker.
Cheers,
Andrew
-
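Andrew's point above that EAP-TLS sends the username in plain text while PEAP can put an anonymous identity in the outer EAP exchange can be checked on the wire. The following is an added example, not code from this thread or from any vendor; it builds and parses EAPOL/EAP-Response/Identity frames using the RFC 3748 layout, with constructed sample identities, and flags outer identities that expose a real username.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP codes (RFC 3748) and the method types discussed in the thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 6: "EAP-GTC", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str]   # None for Success/Failure, which carry no Type octet
    data: bytes


def parse_eapol_eap(frame: bytes) -> EapPacket:
    """Parse an 802.1X EAPOL frame (4-byte header) carrying one EAP packet."""
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:                      # EAPOL type 0 = EAP-Packet
        raise ValueError("not an EAPOL EAP-Packet")
    body = frame[4:4 + eapol_len]
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length != len(body):
        raise ValueError("EAP length field does not match payload")
    if code in (1, 2):                       # Request/Response carry a Type octet
        eap_type = EAP_TYPES.get(body[4], f"type-{body[4]}")
        return EapPacket(EAP_CODES[code], identifier, eap_type, body[5:])
    return EapPacket(EAP_CODES[code], identifier, None, b"")


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build the EAPOL/EAP-Response/Identity frame a supplicant sends before any TLS tunnel exists."""
    data = identity.encode()
    eap = struct.pack("!BBHB", 2, identifier, 5 + len(data), 1) + data   # code 2, type 1
    return struct.pack("!BBH", 1, 0, len(eap)) + eap                      # EAPOL v1, EAP-Packet


def identity_exposure(frame: bytes) -> str:
    """'exposed' if the cleartext outer identity carries a real username, 'anonymized' otherwise."""
    pkt = parse_eapol_eap(frame)
    if pkt.code != "Response" or pkt.eap_type != "Identity":
        return "not-identity"
    user, _, _realm = pkt.data.decode(errors="replace").partition("@")
    return "anonymized" if user.lower() in ("", "anonymous") else "exposed"


if __name__ == "__main__":
    # Constructed sample identities: an EAP-TLS client has to send the real one in the clear.
    for ident in ("jdoe@example.edu", "anonymous@example.edu"):
        print(ident, "->", identity_exposure(build_identity_response(1, ident)))
```

Run against a capture of the EAPOL exchange from your own supplicants, the same check shows which clients leak usernames before the tunnel is up.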
Here's a practical reason for you. We're a large university with over 10,000 WLAN clients daily. We do not control what hardware comes to the university, nor do we have administrator accounts on all those machines. EAP-TLS requires both client AND server-side certs, which would be very difficult for us to deploy.
Since PEAP only requires a server-side certificate, we can deploy this quite easily with Cloudpath Network's XpressConnect wizard. Users log in to our unsecure guest network, get redirected to our "wizard website" and click on it - which then builds the profile and moves you on to the secure WLAN.