EAP-TLS
=======

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TLS?**

    EAP-TLS stands for Extensible Authentication Protocol - Transport Layer Security.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TLS?**

    EAP-TLS is an authentication protocol that uses Transport Layer Security (TLS) to provide strong mutual authentication between a client and a server using digital certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TLS useful?**

    * Provides strong security through mutual authentication.
    * Uses digital certificates to eliminate the need for passwords.
    * Widely supported and standardized.
    * Protects against man-in-the-middle attacks and replay attacks.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * Client and server exchange certificates during the TLS handshake.
    * Both verify each other's certificates.
    * A secure TLS tunnel is established.
    * Session keys are generated for further encrypted communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TLS used?**

    * Enterprise Wi-Fi networks (WPA-Enterprise).
    * VPN authentication.
    * Any environment requiring strong certificate-based authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Application Layer (Layer 7) of the OSI model.
    * Operates within the EAP framework transported over network layers.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TLS Windows specific?**

    * No, it is platform-independent.
    * Supported on Windows through native supplicants and third-party software.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TLS Linux specific?**

    * No, it is supported widely on Linux via `wpa_supplicant` and other tools.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TLS?**

    * Runs over EAP, which is commonly encapsulated over:

      * EAPOL (Ethernet)
      * RADIUS (UDP)
      * Diameter (TCP/SCTP)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TLS?**

    * RADIUS authentication: UDP port 1812
    * Diameter (if used): TCP port 3868

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TLS use the client-server model?**

    * Yes.
    * Client (supplicant) and Authentication Server (e.g., RADIUS).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol use certificates?**

    * Yes, both client and server use X.509 certificates for mutual authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TLS protocol?**

    * Approximately 10–12 EAP message exchanges depending on TLS handshake details.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol use client certificates?**

    * Yes, client certificates are mandatory for authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol use server certificates?**

    * Yes, server certificates are mandatory.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol depend on TCP?**

    * Indirectly, if a Diameter backend is used.
    * EAP itself is transport agnostic.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol depend on UDP?**

    * Yes, typically when using a RADIUS backend (UDP).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TLS protocol?**

    * Supplicant (client)
    * Authenticator (e.g., AP)
    * Authentication Server (e.g., FreeRADIUS)
    * Certificate Authority (CA)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol work with the FreeRADIUS server on Linux?**

    * Yes, FreeRADIUS has robust EAP-TLS support.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TLS protocol work with the internal RADIUS server of hostapd?**

    * No, hostapd's internal RADIUS server does not support EAP-TLS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFC is used for the EAP-TLS protocol?**

    * RFC 5216

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    * EAPOL packets themselves are not encrypted.
    * After key derivation, subsequent data packets are encrypted.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-TLS protocol?**

    * Client initiates EAP identity.
    * Server requests TLS handshake.
    * Client and server exchange certificates.
    * TLS session is established and keys are generated.
    * Server sends EAP Success.
    * Session keys (MSK) are handed over to the authenticator for encryption.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    * Generation of the Master Session Key (MSK) and Extended MSK (EMSK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the keys generated after the connection procedure?**

    * MSK: 64 bytes (512 bits)
    * EMSK: 64 bytes (512 bits)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    * The PMK (Pairwise Master Key) is derived from the MSK and used in the 4-way handshake for encrypting wireless data.

Topics in this section,

* :ref:`Learnings in this section `
* :ref:`Terminology `
* :ref:`Version Info `
* :ref:`EAP_TLS Version&IEEE Details `
* :ref:`EAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines) `
* :ref:`STEP 1: Bring up FreeRADIUS `
* :ref:`STEP 2: Bring up AP `
* :ref:`STEP 3: Bring up STA `
* :ref:`EAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines) `
* :ref:`EAP_TLS Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
* :ref:`EAP_TLS Protocol Packet Details `
* :ref:`EAP_TLS Usecases `
* :ref:`EAP_TLS Basic Features `
* :ref:`Reference links `

.. _EAP_TLS_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TLS_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TLS_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TLS_step5:

.. tab-set::

    .. tab-item:: EAP_TLS Version&RFC Details

        * RFC details

.. _EAP_TLS_step18:

.. tab-set::

    .. tab-item:: EAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TLS_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_TLS/eap_tls_freeradius_server.csv
            :class: tight-table

.. _EAP_TLS_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_TLS/eap_tls_ap_hostapd.csv
            :class: tight-table

.. _EAP_TLS_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_TLS/eap_tls_station_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark output

        * Download the file to check the Wireshark output: :download:`Packet capture in EAP-TLS `

.. _EAP_TLS_step19:

.. tab-set::

    .. tab-item:: EAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TLS_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TLS_step6:

.. tab-set::

    .. tab-item:: EAP_TLS Protocol Packet Details

        * packet details

.. _EAP_TLS_step7:

.. tab-set::

    .. tab-item:: EAP_TLS Usecases

        * usecases

.. _EAP_TLS_step8:

.. tab-set::

    .. tab-item:: EAP_TLS Basic Features

        * features

.. _EAP_TLS_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
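The packet-details and "which EAPOL packets are encrypted" answers above describe the EAPOL/EAP/EAP-TLS framing (RFC 5216 section 3.1: a flags byte with L, M and S bits, followed by an optional 4-byte TLS Message Length and the TLS record data). The parser below is an added example, not code from the page or from any of the tools it names; the three frames it decodes are constructed by hand (an EAP-TLS Start request, a fragmented client response, and an EAP Success) rather than taken from a capture, and it rejects frames whose EAPOL and EAP length fields disagree, which is the check a supplicant or IDS should make before trusting the flags.

```python
import struct

EAPOL_EAP_PACKET = 0                      # IEEE 802.1X packet type 0 = EAP-Packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                         # EAP method type for EAP-TLS
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, EAP-TLS Start


def parse_eapol_eap_tls(frame: bytes) -> dict:
    """Decode one EAPOL frame carrying an EAP packet; decode EAP-TLS flags when present."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"not an EAP-Packet (EAPOL type {ptype})")
    body = frame[4:4 + body_len]
    # Both length fields must agree with the bytes actually present before anything is parsed
    if len(body) != body_len or body_len < 4:
        raise ValueError("EAPOL body length does not match the frame")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP length disagrees with EAPOL body length")
    result = {"eapol_version": version, "code": EAP_CODES.get(code, code), "id": ident}
    if code not in (1, 2):
        return result                     # Success/Failure carry no Type or Type-Data
    if eap_len < 5:
        raise ValueError("Request/Response without a Type byte")
    result["eap_type"] = body[4]
    if body[4] != EAP_TYPE_TLS or eap_len < 6:
        return result                     # not EAP-TLS, or EAP-TLS with no flags byte (ACK)
    flags = body[5]
    result.update(start=bool(flags & FLAG_S), more=bool(flags & FLAG_M),
                  has_length=bool(flags & FLAG_L))
    offset = 6
    if flags & FLAG_L:                    # L set: 4-byte length of the whole TLS message
        if eap_len < 10:
            raise ValueError("L flag set but no TLS Message Length field")
        result["tls_total_len"] = struct.unpack("!I", body[6:10])[0]
        offset = 10
    result["tls_data"] = body[offset:]
    return result


# Constructed sample frames (hand-built for illustration, not captured from a real network)
SERVER_START = bytes.fromhex("02000006" "01010006" "0d20")           # Request, id 1, S flag
_TLS_FRAGMENT = b"\x16\x03\x03\x00\x08" + b"\x01" * 8                # fake 13-byte TLS record piece
CLIENT_FRAGMENT = (bytes.fromhex("02000017" "02010017" "0d" "c0" "00000200")
                   + _TLS_FRAGMENT)                                  # Response, L|M, total 512 bytes
EAP_SUCCESS = bytes.fromhex("02000004" "03010004")                    # Success, id 1
```

Everything decoded here is cleartext on the wire, matching the page's note that EAPOL itself is not encrypted; only the TLS payload inside the fragments is protected, and only after the handshake has completed.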