difference between EAP-TLS and EAP-TTLS and how to configure them on an NPS?

  • Question

  • Hi,

    I think the title says it all already. I'm still trying to understand something in the chaos of authentication protocols. I know that both EAP-TLS and EAP-TTLS need certificates on both the authentication server AND the clients, but what's the difference between them?

    And is there a guide somewhere to know how to set EAP-TLS or EAP-TTLS on a Microsoft NPS server?

    Thank you in advance

    Monday, March 12, 2018 6:08 PM

Answers

  • Hi,

    Thanks for your question.

    Let’s go into the details of EAP-TLS vs EAP-TTLS.

    On EAP-TLS, both sides require a certificate. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side certificate.

    On EAP-TTLS, after the server is securely authenticated to the client via its CA certificate and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. TTLS is an SSL wrapper around Diameter TLVs (Type Length Values) carrying RADIUS authentication attributes.

    EAP-TTLS is divided into 2 phases:

    Phase 1: It uses EAP-TLS to set up a tunnel. In this phase the client authenticates the server. The server is unable to authenticate the client because the client usually uses an anonymous ID in the first phase.

    Phase 2: EAP-TTLS uses another authentication method (can be other EAPs or MS-CHAP) in the tunnel. In this phase, the client uses its actual identity. Then the server will authenticate the client. Therefore, mutual authentication is achieved.

    In contrast, EAP-TLS uses only one phase, which is the TLS handshake phase to complete the mutual authentication. As a result, the identity is exposed in clear text in the first EAP-TLS message.

    For more information, refer to the following link:

    http://www.tech-faq.com/eap-leap-peap-and-eap-tls-and-eap-ttls.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regarding how to configure 802.1x authentication such as EAP-TLS and EAP-TTLS on Windows NPS, please refer to the following article. This article is the reference guide for setting up secure wireless networking using Microsoft products. It describes how to create an infrastructure for authentication, authorization, and accounting for wireless connections using Microsoft RADIUS Server (IAS/NPS) and Windows clients.

    https://blogs.technet.microsoft.com/networking/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows/

    Hope the above information is helpful.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards,  

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, March 13, 2018 9:25 AM
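An added example, not part of Michael's answer or of any Microsoft documentation, to make the "identity exposed in the first message" point concrete: a small Python decoder for the EAP packets that an 802.1X supplicant and authenticator exchange before the TLS tunnel exists. It follows the packet layouts in RFC 3748 (EAP), RFC 5216 (EAP-TLS) and RFC 5281 (EAP-TTLS); the two conversations at the bottom, the identities `alice@corp.example` / `anonymous@corp.example` and the ClientHello stub bytes are all constructed for illustration, not captured traffic.

```python
"""Decode 802.1X/EAP frames and report what a passive observer learns before
the TLS tunnel is up: EAP-TLS sends the real identity in Response/Identity,
while EAP-TTLS/PEAP clients normally send an anonymous outer identity and keep
the real one for phase 2.  Sample conversations below are constructed."""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_METHODS = {13, 21, 25}                  # methods whose Type-Data starts with a flags byte
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More-fragments, Start


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode one EAP packet: Code | Identifier | Length (whole packet) | Type | Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def tls_fragment(flags, payload=b"", total_len=None):
    """Type-Data for EAP-TLS/TTLS/PEAP: flags, optional 4-byte TLS Message Length, TLS data."""
    out = bytes([flags])
    if flags & FLAG_L:
        out += struct.pack("!I", len(payload) if total_len is None else total_len)
    return out + payload


def parse_eap(buf):
    """Decode one EAP packet; raises ValueError on a malformed or truncated frame."""
    if len(buf) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError(f"EAP Length {length} does not fit in {len(buf)} bytes")
    pkt = {"code": EAP_CODE.get(code, code), "id": ident}
    if code in (3, 4):                                   # Success/Failure carry no Type
        return pkt
    if length < 5:
        raise ValueError("Request/Response without Type byte")
    eap_type, data = buf[4], buf[5:length]
    pkt["method"] = EAP_TYPE.get(eap_type, f"type-{eap_type}")
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", "replace")   # travels in the clear
    elif eap_type in TLS_METHODS:
        if not data:
            raise ValueError("TLS-based method without flags byte")
        flags = data[0]
        pkt["flags"] = {"L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S)}
        if eap_type != 13:
            pkt["version"] = flags & 0x07                 # TTLS/PEAP carry a version in the low bits
        off = 1
        if flags & FLAG_L:
            if len(data) < 5:
                raise ValueError("L flag set but TLS Message Length missing")
            pkt["tls_total_len"] = struct.unpack("!I", data[1:5])[0]
            off = 5
        pkt["tls_data"] = data[off:]
    return pkt


def is_anonymous(identity):
    """Outer-identity convention used by tunneled methods: empty or 'anonymous' local part."""
    local = identity.split("@", 1)[0].strip().lower()
    return local in ("", "anonymous")


def summarize(frames):
    """What an on-path observer can read from one EAP conversation before the tunnel."""
    info = {"outer_identity": None, "anonymous": None, "method": None,
            "tls_start_seen": False, "tls_fragments": 0}
    for pkt in map(parse_eap, frames):
        if pkt.get("method") == "Identity" and pkt["code"] == "Response":
            info["outer_identity"] = pkt["identity"]
            info["anonymous"] = is_anonymous(pkt["identity"])
        elif "flags" in pkt:
            info["method"] = pkt["method"]
            info["tls_start_seen"] |= pkt["flags"]["S"]
            info["tls_fragments"] += bool(pkt["tls_data"])
    return info


# Constructed stand-in for the first bytes of a TLS handshake record (not a real ClientHello).
CLIENT_HELLO_STUB = b"\x16\x03\x03\x00\x04\x01\x00\x00\x00"

# EAP-TLS: the real user identity goes out in the clear before any TLS (constructed).
EAP_TLS_CONVERSATION = [
    build_eap(1, 1, 1),                                           # Request/Identity
    build_eap(2, 1, 1, b"alice@corp.example"),                    # Response/Identity
    build_eap(1, 2, 13, tls_fragment(FLAG_S)),                    # EAP-TLS Start
    build_eap(2, 2, 13, tls_fragment(FLAG_L | FLAG_M, CLIENT_HELLO_STUB, total_len=512)),
]

# EAP-TTLS: anonymous outer identity; the real one rides inside the tunnel in phase 2 (constructed).
EAP_TTLS_CONVERSATION = [
    build_eap(1, 1, 1),
    build_eap(2, 1, 1, b"anonymous@corp.example"),
    build_eap(1, 2, 21, tls_fragment(FLAG_S)),                    # TTLS Start, version 0
    build_eap(2, 2, 21, tls_fragment(FLAG_L, CLIENT_HELLO_STUB)),
]

if __name__ == "__main__":
    for name, conv in (("EAP-TLS", EAP_TLS_CONVERSATION), ("EAP-TTLS", EAP_TTLS_CONVERSATION)):
        print(name, summarize(conv))
```

Run it and the EAP-TLS summary shows `outer_identity` = `alice@corp.example` with `anonymous` = False, while the EAP-TTLS summary shows an anonymous outer identity and the same TLS Start/ClientHello shape. The decoder also rejects a frame whose EAP Length field claims more bytes than were received, which is the check to keep if you feed it real captures.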

All replies

  • Hi Giant,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, March 15, 2018 9:23 AM
  • Yes, thank you for your time, Michael :) I'll need time to study all those links you gave me, but they seem exactly what I needed.

    [edit] after a first quick glance, I've seen that in the Technet article you posted ("Creating a secure 802.1x wireless infrastructure using Microsoft Windows") it speaks only about EAP-TLS, not EAP-TTLS, and in this Technet post Greg says that apparently NPS doesn't support EAP-TTLS. Is that correct?

    Friday, March 16, 2018 9:00 PM
  • Hi Giant,

    Yes! NPS does not directly support EAP-TTLS. As a substitute, the PEAP (Protected EAP) protocol works in a similar way and provides the feature.

    Highly appreciate your successive effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 19, 2018 10:35 AM
  • Hi,

    Let me know, if we want to deploy 802.1x and MAB with NPS for workgroup computers, how we should configure it.

    Whether I am using PEAP or EAP-TLS, we always need to type a username and password to verify. If we use a computer certificate for authentication, do we still need to type a user and password?

    Let me know of any solution for 802.1x deployment using certificates with NPS without typing a username and password.

    Monday, March 25, 2019 6:57 AM
  • Thank you SO MUCH for this explanation.  I've been trying to find a clear and simplified answer to this question so I can take Comptia Sec+ exam.  Your response has made me understand
    Monday, December 16, 2019 11:44 PM