
EAP-TTLS

EAP-TTLS, short for Extensible Authentication Protocol-Tunneled Transport Layer Security, is an authentication method used within the Extensible Authentication Protocol framework. It establishes a secure TLS tunnel between the client and the authentication server, and then performs user authentication inside that tunnel using another method. This tunnel protects inner credentials from eavesdropping and interception during transmission.

In a typical implementation, the client validates the server’s TLS certificate to ensure the server’s identity, after which a TLS tunnel is created. Within the tunnel, the client and server negotiate and perform an inner authentication method, which can be a password-based scheme or other token-based method such as PAP, CHAP, MS-CHAPv2, or Generic Token Card (GTC). EAP-TTLS is commonly used in wireless networks (WPA-Enterprise) and in VPN deployments, often together with a RADIUS or similar backend.

Security and configuration considerations are central to EAP-TTLS deployments. Correct operation requires proper certificate validation and up-to-date TLS configurations to prevent man-in-the-middle attacks. The security of the inner authentication also depends on the chosen method and its resistance to offline attacks. Some deployments prefer alternative EAP methods with different security properties, such as PEAP or EAP-TLS, but EAP-TTLS remains a viable option when backward-compatible inner methods are needed.

See also: EAP, EAP-TLS, PEAP, LEAP, 802.1X, WPA-Enterprise, RADIUS.
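As an added illustration, not part of the original page, here is a wpa_supplicant network block for EAP-TTLS with MS-CHAPv2 as the inner method, first in a form that skips server validation and then with the certificate checks the text calls for. The SSID, identities, password, CA file path and server name are placeholders.

```conf
# Added example, not from the original page: wpa_supplicant.conf network
# blocks for EAP-TTLS with MS-CHAPv2 inside the tunnel. SSID, identities,
# password, CA path and server name are placeholders.

# WEAK: no ca_cert and no domain_match, so the client accepts any server
# certificate. A rogue access point announcing the same SSID can terminate
# the TLS tunnel itself and observe the inner MS-CHAPv2 exchange, which is
# exactly the man-in-the-middle case the certificate check is meant to stop.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the CA that issued the RADIUS server certificate,
# require the certificate's name to match the expected server, and send an
# anonymous outer identity so the real username only travels inside the
# tunnel. The inner method is unchanged; its protection comes from the tunnel.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/examplecorp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The same two settings, a pinned CA and a server-name match, are what to look for when auditing any EAP-TTLS client profile, whatever the supplicant.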