EAP-TLS authentication method

What is EAP-TLS?

EAP-TLS, defined in RFC 5216, is an IETF open standard that uses the Transport Layer Security (TLS) protocol to authenticate both the client and the server. EAP-TLS is the original, standard wireless LAN EAP authentication protocol.

The requirement for a client-side certificate gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off: every client has to be provisioned with a certificate and a private key. With a client-side certificate, a compromised password is not enough to break into an EAP-TLS enabled network, because the intruder would also need the client's certificate and private key; indeed, a password is not even part of the protocol. Where one exists at all, it only protects the client's private key at rest (for example, the passphrase on a PKCS#12 file).

The supplicant is the wireless client that requests authentication.

The authenticator is the access point. Under WPA2-Enterprise the authenticator does not perform the authentication itself; it relays the supplicant's EAP messages to the authentication server (typically over RADIUS) and opens the port only once the server reports success.

The authentication server negotiates the EAP method with the supplicant and performs the actual authentication, acting as the TLS server in the EAP-TLS handshake.

Both the authentication server and the supplicant must trust the CA that signed the other side's certificate: the server validates the client certificate, and the supplicant validates the server certificate. A supplicant configured to skip server certificate validation can be tricked into authenticating against a rogue access point.
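The roles above exchange EAP-TLS packets whose layout is fixed by RFC 5216 section 3: an EAP header (Code, Identifier, Length), Type 13, a Flags byte with the L (length included), M (more fragments) and S (EAP-TLS Start) bits, an optional 4-byte TLS Message Length, then TLS data. Because a TLS handshake message with certificate chains is much larger than one EAP packet, the sender fragments it and the receiver reassembles it. The following Python is an added example written for this page, not code from the original page or from any EAP implementation; the TLS payload is a constructed placeholder rather than a real ClientHello, the 256-byte EAP MTU is an arbitrary choice, and the per-fragment acknowledgement the real exchange performs (an empty EAP-TLS packet from the peer before the next fragment is sent) is reduced to incrementing the Identifier.

```python
"""EAP-TLS packet encoding, fragmentation and reassembly per RFC 5216 section 3.

Added illustrative example; not from the page or any EAP implementation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13   # IANA EAP method type for EAP-TLS
FLAG_L = 0x80       # Length included: a 4-byte TLS Message Length follows Flags
FLAG_M = 0x40       # More fragments follow this one
FLAG_S = 0x20       # EAP-TLS Start, sent by the server to open the handshake


@dataclass
class EapTlsPacket:
    code: int
    identifier: int
    flags: int
    tls_length: Optional[int]   # total TLS message length, present only when L is set
    tls_data: bytes

    def encode(self) -> bytes:
        body = bytes([EAP_TYPE_TLS, self.flags])
        if self.flags & FLAG_L:
            body += struct.pack("!I", self.tls_length)
        body += self.tls_data
        # EAP Length covers the whole packet including the 4-byte EAP header.
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def decode(raw: bytes) -> EapTlsPacket:
    """Parse one EAP packet; EAP-Success/Failure carry no Type or data."""
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapTlsPacket(code, ident, 0, None, b"")
    if len(raw) < 6 or raw[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet")
    flags, offset, tls_length = raw[5], 6, None
    if flags & FLAG_L:
        (tls_length,) = struct.unpack("!I", raw[6:10])
        offset = 10
    return EapTlsPacket(code, ident, flags, tls_length, raw[offset:])


def fragment(code: int, identifier: int, tls_message: bytes,
             max_eap_len: int = 1020) -> List[EapTlsPacket]:
    """Split a TLS message into EAP-TLS packets no larger than max_eap_len.

    The first fragment carries L plus the total length; every fragment but the
    last carries M. Identifier handling is simplified (see lead-in).
    """
    first_room = max_eap_len - 6 - 4   # header + Type + Flags + TLS Message Length
    other_room = max_eap_len - 6
    packets, pos, first = [], 0, True
    while True:
        chunk = tls_message[pos:pos + (first_room if first else other_room)]
        pos += len(chunk)
        more = pos < len(tls_message)
        flags = (FLAG_L if first else 0) | (FLAG_M if more else 0)
        packets.append(EapTlsPacket(code, identifier, flags,
                                    len(tls_message) if first else None, chunk))
        identifier = (identifier + 1) & 0xFF
        first = False
        if not more:
            return packets


def reassemble(packets: List[EapTlsPacket]) -> bytes:
    """Rebuild the TLS message, enforcing the L/M rules and the declared length."""
    if not packets:
        raise ValueError("no fragments")
    if len(packets) == 1 and not packets[0].flags & FLAG_L:
        return packets[0].tls_data          # unfragmented message may omit L
    if not packets[0].flags & FLAG_L:
        raise ValueError("first fragment must carry the L flag")
    if any(not p.flags & FLAG_M for p in packets[:-1]):
        raise ValueError("non-final fragment without M flag")
    if packets[-1].flags & FLAG_M:
        raise ValueError("final fragment still has M set")
    data = b"".join(p.tls_data for p in packets)
    if len(data) != packets[0].tls_length:
        raise ValueError("reassembled length differs from TLS Message Length")
    return data


def demo_exchange(max_eap_len: int = 256):
    """Server Start, then a fragmented supplicant response; returns (fragments, ok)."""
    start = EapTlsPacket(EAP_REQUEST, 1, FLAG_S, None, b"")   # server -> supplicant
    assert decode(start.encode()).flags & FLAG_S
    # Constructed placeholder standing in for a TLS ClientHello; not a real record.
    client_hello = b"\x16\x03\x03" + bytes(600)
    frags = fragment(EAP_RESPONSE, 1, client_hello, max_eap_len)
    wire = [f.encode() for f in frags]
    recovered = reassemble([decode(w) for w in wire])
    ok = recovered == client_hello and all(len(w) <= max_eap_len for w in wire)
    return len(frags), ok


if __name__ == "__main__":
    print(demo_exchange())   # (3, True) at the 256-byte MTU chosen above
```

The reassembly checks are the part worth copying: a receiver that trusts the first fragment's TLS Message Length without comparing it to what actually arrived, or that accepts a final fragment with M still set, will hand a truncated or oversized buffer to the TLS stack.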

EAP-TLS schema