Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 8 of 42
As opposed to the one-way, or server-side, authentication discussed in the Amazon.com example, EAP-TLS performs
mutual SSL authentication. This requires both the supplicant (the end user’s machine) and the authentication server
(the RADIUS server) to have a certificate. In mutual authentication, each side is required to prove its identity to the
other using its certificate and its private key. The procedure is the same as that explained in the Amazon example, but
it is carried out by both sides.
4.2.1 How EAP with TLS Works
As previously mentioned, EAP-TLS authentication is based on the 802.1x/EAP architecture. The components involved in
the 802.1x/EAP authentication process are the supplicant (the end entity, or end user’s machine), the authenticator (the
access point), and the authentication server (the back-end RADIUS server). The supplicant and the RADIUS server must
support EAP-TLS authentication. The access point has to support the 802.1x/EAP authentication process, but it is not
aware of the EAP authentication protocol type.
Figure 4-2 illustrates the overall 802.1x/EAP authentication process with EAP-TLS as the authentication protocol.
Note that LEAP and EAP MD5 also use the same 802.1x/EAP authentication process.
Figure 4-2
EAP-TLS Authentication Overview
[Sequence diagram not reproduced. Parties: Supplicant, Access Point, RADIUS Server (Enterprise Network). Messages
and annotations shown: EAPOL Start (Start EAP Authentication); EAP Request/Identity (Ask Client for Identity);
EAP Response/Identity (UserID); RADIUS Access Request with UserID; Perform Sequence Defined by EAP TLS
(Server-side TLS, Client-side TLS); Client derives session key; RADIUS Access Success (Pass Session Key to AP);
EAP Success; EAPOL-Key (Multicast): Deliver Broadcast Key Encrypted with Session Key && Session Parameters;
EAPOL-Key (Session Parameters).]
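The 802.1x/EAP exchange in Figure 4-2, as an added Python model that is not Cisco's code or part of this guide: it frames EAP packets, fragments a TLS record into EAP-TLS units with the L and M flag bits, and shows the access point acting as a pass-through that checks only the EAP header and wraps the packet into RADIUS EAP-Message attributes without looking at the method type. The numeric constants are the RFC 3748, RFC 5216 and RFC 3579 values; the fragment size, identifiers and sample bytes are constructed, and the reassembler assumes the first fragment always carries the L bit.

```python
import struct

# EAP codes and types (RFC 3748), EAP-TLS flag bits (RFC 5216), RADIUS attribute (RFC 3579).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # TLS length present, more fragments, start
RADIUS_EAP_MESSAGE = 79                      # attribute that carries an EAP packet to the server

def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode the EAP header, rejecting packets whose Length field disagrees with the bytes seen."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length %d does not match %d bytes" % (length, len(pkt)))
    eap_type = pkt[4] if length > 4 else None
    return code, identifier, eap_type, pkt[5:]

def eap_tls_fragments(tls_record, max_frag=1000):
    """Split one TLS record into EAP-TLS Type-Data units: the first carries the L bit and the
    total TLS length (constructed: always set here); every unit but the last sets the M bit."""
    chunks = [tls_record[i:i + max_frag] for i in range(0, len(tls_record), max_frag)]
    units = []
    for i, chunk in enumerate(chunks):
        flags = FLAG_M if i < len(chunks) - 1 else 0
        header = bytes([flags | FLAG_L]) + struct.pack("!I", len(tls_record)) if i == 0 else bytes([flags])
        units.append(header + chunk)
    return units

def reassemble_eap_tls(units):
    """Receiving side: honour the announced length and refuse a stream that stops short or runs long."""
    if not units[0][0] & FLAG_L:
        raise ValueError("first fragment lacks the L bit")
    total = struct.unpack("!I", units[0][1:5])[0]
    data = units[0][5:] + b"".join(u[1:] for u in units[1:])
    if len(data) != total or units[-1][0] & FLAG_M:
        raise ValueError("reassembled %d bytes, announced %d" % (len(data), total))
    return data

def authenticator_relay(eap_pkt):
    """The access point validates only the EAP header and forwards the packet unchanged as RADIUS
    EAP-Message attributes of at most 253 bytes of value each; it never inspects the Type byte."""
    parse_eap(eap_pkt)                       # header sanity only; the method type is ignored
    return [bytes([RADIUS_EAP_MESSAGE, 2 + len(piece)]) + piece
            for piece in (eap_pkt[i:i + 253] for i in range(0, len(eap_pkt), 253))]
```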