RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Monday, November 19, 2007

Comparing Certificate-Based RADIUS Authentication Methods: EAP-TLS, EAP-TTLS, and EAP-PEAP

In the recent series of blog postings we started exploring 802.1X and the EAP methods used to secure networks with a RADIUS server. In this posting we compare the three certificate-based authentication methods: EAP-TLS, EAP-TTLS, and EAP-PEAP.

EAP-TLS – Transport Layer Security

EAP-TLS is one of the most commonly implemented EAP types for securing wireless LANs (Wi-Fi) through a RADIUS server. In a Wi-Fi environment the workstation must have a certificate that the RADIUS server can validate, and the RADIUS server must have a certificate that the workstation can validate. This is referred to as mutual authentication, and it only holds if each party actually validates the other's certificate: a supplicant configured to skip server validation has not authenticated anything. The usual arrangement is to have both certificates issued by one Certificate Authority (CA) and to install that CA's certificate on both the workstation and the RADIUS server.

Pros:
  • Client is included in Windows Vista, XP, 2000 SP3
  • EAP-TLS is resilient to man-in-the-middle attacks: no password is ever sent, and each side verifies the other's certificate before the session keys are derived
  • It provides explicit mutual authentication between the workstation and RADIUS server

Cons:

  • Requires the complexity and expense of a CA to support the workstation and RADIUS server authentication
  • Certificates are required on both the client and RADIUS server
  • Requires certificate distribution and administration

EAP-TTLS – Tunneled Transport Layer Security

EAP-TTLS is an authentication protocol that uses TLS to build an encrypted tunnel from the workstation to the RADIUS server and then carries a traditional authentication method such as CHAP, MS-CHAP, MS-CHAP-V2, or MD5-Challenge inside it. This reduces the certificate requirements and lets the RADIUS server reuse legacy authentication back ends. The inner credentials are only as safe as the tunnel, so the workstation must validate the server certificate before it sends them; otherwise a rogue access point backed by the attacker's own RADIUS server can collect them.

Pros:

  • Certificates are only required on the RADIUS server

Cons:

  • Most clients are proprietary and cost between $25-$50
  • Requires server certificate distribution and administration
  • Requires the complexity and expense of a certificate authority for RADIUS server authentication

EAP-PEAP – Protected Extensible Authentication Protocol

EAP-PEAP is an authentication protocol backed by Microsoft, Cisco and RSA Security. PEAP uses TLS to carry a second EAP exchange. Once the initial TLS exchange has authenticated the RADIUS server to the workstation, any other EAP method can be used inside the tunnel to authenticate the workstation to the RADIUS server, so traditional EAP methods such as EAP-MD5 or EAP-MS-CHAP-V2 can be used in conjunction with EAP-PEAP. As with EAP-TTLS, the protection of the inner method depends on the workstation validating the server certificate.

Pros:

  • Client (supplicant) is included in Windows XP, 2000; no client certificate is required

Cons:

  • Requires server certificate distribution and administration
  • Requires the complexity and expense of a certificate authority for RADIUS server authentication
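The trust relationships described in the EAP-TLS section above (both sides hold certificates from one CA and each validates the other's) and in the EAP-TTLS and EAP-PEAP sections (only the server holds a certificate, so everything rests on the workstation checking it) can be exercised directly. The following is an added example written for this post; it is not code from the post or from any RADIUS server product. It runs real TLS handshakes in Go over a loopback TCP socket rather than inside EAP over RADIUS, and the CA names, the server name radius.example.test and the users alice and mallory are all invented for the example.

```go
package main

// Added example, not code from the original post or any RADIUS product: the
// certificate trust decisions behind EAP-TLS/TTLS/PEAP, exercised with real TLS
// handshakes over loopback TCP rather than inside EAP over RADIUS. All names
// (lab-ca, rogue-ca, radius.example.test, alice, mallory) are invented.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// cert creates a certificate and key. With parent == nil the result is a self-signed
// CA; otherwise parent/parentKey sign an end-entity cert with the given extended key
// usage (serverAuth also gets the DNS name a supplicant matches). Key generation and
// socket errors are ignored for brevity throughout; CreateCertificate is checked.
func cert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	switch {
	case parent == nil:
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	case eku == x509.ExtKeyUsageServerAuth:
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, key
}

// handshake runs one TLS handshake between a "RADIUS server" and a "workstation".
// serverTrust is the CA store the server checks client certs against (nil: no client
// cert requested, as in TTLS/PEAP); clientTrust is the store the workstation checks
// the server cert against (nil: server validation skipped). nil means both accepted.
func handshake(server, client tls.Certificate, serverTrust, clientTrust *x509.CertPool, serverName string) error {
	srv := &tls.Config{Certificates: []tls.Certificate{server}}
	if serverTrust != nil {
		srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, serverTrust
	}
	cli := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: clientTrust,
		ServerName: serverName, InsecureSkipVerify: clientTrust == nil}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		conn, _ := ln.Accept()
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		errc <- tls.Server(conn, srv).Handshake()
	}()
	raw, _ := net.Dial("tcp", ln.Addr().String())
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cerr := tls.Client(raw, cli).Handshake()
	if serr := <-errc; cerr != nil || serr != nil {
		return fmt.Errorf("workstation: %v; server: %v", cerr, serr)
	}
	return nil
}

// run exercises four trust configurations and reports whether each handshake
// completed. Only the first should; the third also completes because the supplicant
// never checked who it was talking to (the evil-twin condition for TTLS/PEAP).
func run() map[string]bool {
	_, labCA, labKey := cert("lab-ca", nil, nil, 0)
	_, rogueCA, rogueKey := cert("rogue-ca", nil, nil, 0)
	lab := x509.NewCertPool() // trust store of the workstation and the genuine server
	lab.AddCert(labCA)
	const name = "radius.example.test"
	radius, _, _ := cert(name, labCA, labKey, x509.ExtKeyUsageServerAuth)
	evil, _, _ := cert(name, rogueCA, rogueKey, x509.ExtKeyUsageServerAuth)
	alice, _, _ := cert("alice", labCA, labKey, x509.ExtKeyUsageClientAuth)
	mallory, _, _ := cert("mallory", rogueCA, rogueKey, x509.ExtKeyUsageClientAuth)
	return map[string]bool{
		"EAP-TLS, one CA, both sides validate":       handshake(radius, alice, lab, lab, name) == nil,
		"rogue server, workstation validates":        handshake(evil, alice, nil, lab, name) == nil,
		"rogue server, workstation skips validation": handshake(evil, alice, nil, nil, name) == nil,
		"EAP-TLS, client cert from a foreign CA":     handshake(radius, mallory, lab, lab, name) == nil,
	}
}

func main() { fmt.Println(run()) }
```

Run it with go run, or call run() from a test. The only scenario that completes besides the properly enrolled pair is the one where the workstation skips server validation: that is the evil-twin case, and in EAP-TTLS or EAP-PEAP the MS-CHAP or MD5-Challenge exchange would then take place inside a tunnel terminated by the attacker's RADIUS server. Requiring server validation in the supplicant, pinning the expected server name, and trusting only the one CA that issues RADIUS server certificates closes that gap.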
Table 1 – Authentication Protocol Comparison

Issue                             | EAP-TLS                 | EAP-TTLS                                                | EAP-PEAP
----------------------------------|-------------------------|---------------------------------------------------------|---------------------------------------------------
Client Certificates               | Yes                     | Optional                                                | Optional
RADIUS Server Certificates        | Yes                     | Yes                                                     | Yes
Supported Authentication Database | Active Directory        | Active Directory, NT Domains, Tokens, LDAP, SQL, RADIUS | Active Directory, NT Domains, Tokens¹, LDAP¹, SQL¹
Dynamic Key Exchange              | Yes                     | Yes                                                     | Yes
Mutual Authentication             | Yes                     | Yes                                                     | Yes
Client OS Support                 | Windows XP, 2000, Linux | Windows 98, ME, 2000, XP, CE                            | Windows XP
Access Point Support              | Any that support 802.1x | Any that support 802.1x                                 | Any that support 802.1x

¹ Cisco's version of PEAP only
