17.4. EAP TLS Previous topic Parent topic Child topic Next topic

EAP TLS uses Public Key Infrastructure (PKI) digital certificates to provide mutual authentication between the EAP client and the RADIUS server. A PKI certificate is a file created by a program called a Certificate Authority. The certificate contains the name of the server or user that has been issued to. The EAP client and RADIUS server use the certificates to verify that the other party is indeed who it claims to be. In EAP TLS, a PKI certificate is required for the Radiator RADIUS server and for each and every EAP TLS client. EAP TLS does support dynamic WEP keys.
You can obtain certificates from a Public Certificate authority such as Thawte Opens in new window. The advantage of Public Certificates is that they will generally be recognised by any client or server without taking any special steps. A disadvantage of Public certificates is that you usually have to pay an annual fee for each one. With a Private Certificate Authority, you can generate your own server and client certificates for free, but you will generally have to install the ‘Root Certificate’ from your Certificate Authority on each client before it will recognise a private server certificate. Private Certificates are considered by many to be more secure that Public Certificates.
The basic steps of EAP TLS authentication are:
  1. The EAP TLS client and RADIUS server establish a communications channel via the RADIUS protocol.
  2. The RADIUS server sends its Server PKI Certificate to the client.
  3. The client verifies that the server certificate is valid and is the correct certificate for the RADIUS server it is communicating with. It uses the Root Certificate of the Certificate Authority that issued the Server Certificate to validate the Server Certificate. (Root Certificates for most Public Certificate Authorities are built in to most clients. If the Server Certificate was issued by a Private Certificate Authority, the client requires a copy of the Root Certificate to be installed in order to validate the Server Certificate.)
  4. If the client validates the server certificate, it then sends the user's PKI certificate to the RADIUS server.
  5. The RADIUS server verifies that the client certificate is valid and is the correct certificate for the user name that is being authenticated. The RADIUS server can be configured to validate Private Client Certificates using a locally installed copy of the Root Certificate of the Certificate Authority that issued the client certificate.
  6. If the RADIUS server validates the client certificate then the authentication is successful, and the client is permitted to be connected to the network.
EAP TLS does not use or exchange any passwords, but you can use AuthBy methods in Radiator to enable or disable EAP TLS users based on their user name, time of day etc.