EAP-PEAP vs EAP-TLS vs EAP-TTLS vs

Question Description:
I'm having trouble understanding the differences between the three.
As far as I understand, with EAP-TLS, the client (peer) and the server (authenticator) both need a certificate. The authentication is done by performing basically a TLS handshake (which guarantees that the client is who he claims to be).
On the other hand, with EAP-TTLS, client authentication seems optional according to the RFC, and the TLS handshake is only done to create a secure tunnel which can be used to perform other authentication methods. Is that right?
And how do I compare PEAP vs EAP-TLS? To my understanding, it does basically the same thing.
On EAP-TLS you are right: both sides require a certificate. With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems, because the intruder still needs to have the client-side certificate.
On EAP-TTLS you are right again. After the server is securely authenticated to the client via its CA certificate (and optionally the client to the server), the server can then use the established secure connection ("tunnel") to authenticate the client.
PEAP is an encapsulation, not a method, but you are almost right again. PEAP is similar in design to EAP-TTLS: it requires only a server-side PKI certificate to create a secure TLS tunnel that protects user authentication, and it uses the server-side public key certificate to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. The difference between PEAP and EAP-TLS is: PEAP is an SSL wrapper around EAP carrying EAP. TTLS is an SSL wrapper around Diameter TLVs (Type Length Values) carrying RADIUS authentication attributes.
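To make the three differences concrete on the client side, here is an added example (not part of the question or the answer above) of three wpa_supplicant network blocks for the same network, one per method. The SSID, identities, file paths, password placeholders and the RADIUS server's certificate name are assumptions chosen for illustration. What to notice: only the EAP-TLS block carries a client certificate and private key; the EAP-TTLS and PEAP blocks instead carry a password and a phase2 line naming the inner method that runs inside the tunnel; and all three pin the server with ca_cert plus domain_suffix_match, because without that check a rogue access point presenting any certificate can terminate the tunnel and harvest the inner credentials.

```conf
# Added example: same SSID configured three ways in wpa_supplicant.conf.
# SSID, identities, paths and the server's DNS name are assumed values.

# 1) EAP-TLS: mutual certificate authentication, no password at all.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"        # trust anchor for the RADIUS server cert
    client_cert="/etc/wpa_supplicant/alice.crt"      # client cert: required for EAP-TLS
    private_key="/etc/wpa_supplicant/alice.key"      # matching private key
    private_key_passwd="changeme"                    # assumed; better: use a keystore/TPM
    domain_suffix_match="radius.example.com"         # reject servers whose cert CN/SAN differs
}

# 2) EAP-TTLS: server cert builds the tunnel; an inner method carries the password.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.com"       # outer identity, visible on the air
    identity="alice"                                 # inner identity, sent only inside the tunnel
    password="changeme"                              # assumed placeholder
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"                           # inner method as TTLS AVPs (non-EAP "auth=")
    # phase2="autheap=TLS" would instead run EAP-TLS inside the TTLS tunnel
}

# 3) PEAP: same tunnel idea, but the inner method is itself an EAP method.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice"
    password="changeme"                              # assumed placeholder
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"                               # PEAPv0 is what most RADIUS servers expect
    phase2="auth=MSCHAPV2"                           # inner EAP-MSCHAPv2 inside the PEAP tunnel
}
```

The practical check when reviewing such a config: if a TTLS or PEAP block has no ca_cert, or has ca_cert but no domain_suffix_match (or domain_match / altsubject_match), the supplicant will still authenticate against any server that presents a chain it happens to trust, and the password in that block is exposed to an evil-twin access point. The EAP-TLS block has no password to steal, which is the point made in the answer, but it still needs the same server pinning so that the client cannot be tricked into completing a handshake with an attacker's server.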