Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 9 of 42
Figure 4-3 illustrates the details of the EAP-TLS exchange. The figure shows that, as part of the EAP request, the RADIUS
server provides its certificate to the client and requests the client's certificate. The client validates the server certificate
and responds with an EAP response message containing its certificate and also starts the negotiation for
cryptographic specifications (cipher and compression algorithms). After the client's certificate is validated, the server
responds with cryptographic specifications for the session.
Figure 4-3
EAP-TLS Authentication in Detail
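To make the sequence in the figure concrete, the following added example (not code from the guide or from Cisco) checks a captured EAP-TLS exchange against the seven steps of Figure 4-3 and reports each deviation. It assumes the EAP code numbers from RFC 3748 and the EAP-TLS type number from RFC 2716; both sample exchanges are constructed for the example, not captured traffic.

```python
from dataclasses import dataclass
# EAP codes (RFC 3748) and the EAP-TLS method type (RFC 2716); numeric values taken from the RFCs.
REQUEST, RESPONSE, SUCCESS = 1, 2, 3
EAP_TLS = 13

@dataclass(frozen=True)
class EapPacket:
    code: int                # REQUEST, RESPONSE or SUCCESS
    start: bool = False      # the S (Start) bit of the EAP-TLS flags byte
    tls: tuple = ()          # TLS messages carried in the EAP-TLS data, named as in Figure 4-3
    eap_type: int = EAP_TLS
# The seven messages of Figure 4-3: (EAP code, Start bit, TLS messages that must be present).
EXPECTED = (
    (REQUEST, True, ""),                                            # EAP-TLS Start
    (RESPONSE, False, "client_hello"),
    (REQUEST, False, "server_hello certificate server_key_exchange certificate_request server_hello_done"),
    (RESPONSE, False, "certificate client_key_exchange certificate_verify change_cipher_spec finished"),
    (REQUEST, False, "change_cipher_spec finished"),
    (RESPONSE, False, ""),                                          # empty EAP-TLS acknowledgement
    (SUCCESS, False, ""),
)

def check_exchange(packets):
    """Compare a captured exchange with Figure 4-3 step by step and return (ok, findings).
    ok means the server sent certificate_request, the client answered with certificate and
    certificate_verify (mutual authentication), and the exchange ended in EAP-Success."""
    findings = []
    if len(packets) != len(EXPECTED):
        findings.append(f"expected {len(EXPECTED)} packets, got {len(packets)}")
    for i, (pkt, (code, start, must)) in enumerate(zip(packets, EXPECTED), 1):
        if pkt.code != code:
            findings.append(f"packet {i}: EAP code {pkt.code}, expected {code}")
        if pkt.code != SUCCESS and pkt.eap_type != EAP_TLS:
            findings.append(f"packet {i}: EAP type {pkt.eap_type} is not EAP-TLS")
        if pkt.start != start:
            findings.append(f"packet {i}: Start bit {pkt.start}, expected {start}")
        missing = set(must.split()) - set(pkt.tls)
        if missing:
            findings.append(f"packet {i}: missing TLS messages {sorted(missing)}")
    return not findings, findings

def figure_4_3_exchange():
    """Constructed sample: the exchange exactly as drawn in Figure 4-3."""
    return [EapPacket(code, start, tuple(msgs.split())) for code, start, msgs in EXPECTED]

def server_only_exchange():
    """Constructed sample: no certificate_request, so no client certificate or certificate_verify."""
    pkts = figure_4_3_exchange()
    pkts[2] = EapPacket(REQUEST, tls=("server_hello", "certificate", "server_key_exchange", "server_hello_done"))
    pkts[3] = EapPacket(RESPONSE, tls=("client_key_exchange", "change_cipher_spec", "finished"))
    return pkts
```

Run over the server-only sample, check_exchange reports the missing certificate_request, certificate and certificate_verify messages, which is what a handshake that authenticated only the AAA server looks like on the wire; a capture that stops before EAP-Success is reported as too short.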
4.2.2 Understanding the Trust Model in EAP-TLS
Before you configure EAP-TLS, you should understand the trust model you are going to implement.
4.2.2.1 Client Trusting Server
This part will help you understand the concept of the client side trust model. Section 6 of this guide provides specific
configuration information.
On the client (for example, Microsoft Windows XP), you must configure one root certification authority. Using this
root certification authority, the client can validate the AAA server (for example, Cisco Secure ACS). The XP client has
no certificate trust list (CTL), so you specify one specific certification authority.
The certification authority you specify to trust can be public or private. If you decide to use a public root certification
authority, it is important to understand that you have no control over it. An alternative is to use a private root
certification authority for EAP-TLS deployment in your enterprise network. This allows you to build a PKI
based on a root certification authority server and possibly several subcertification authority servers (as
needed) to issue certificates to both the clients and the AAA servers. (A subcertification authority is a certification
authority that is subordinate to the root certification authority and offloads some of the burden of certificate processing.)
[Figure 4-3, labels recovered from the figure. Participants: Supplicant, Access Point, RADIUS Server, Enterprise Network. Message sequence, every packet carrying EAP-Type=EAP-TLS:
EAP-TLS Start [EAP-Type=EAP-TLS, Start bit set, no data]
EAP-Response [EAP-Type=EAP-TLS (TLS client_hello)]
EAP-Request [EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, TLS server_key_exchange, TLS certificate_request, TLS server_hello_done)]
EAP-Response [EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished)]
EAP-Request [EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)]
EAP-Response [EAP-Type=EAP-TLS]
EAP-Success]