EAP-TTLS-EAP-TLS
=================

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-TTLS-EAP-TLS?**

   Extensible Authentication Protocol - Tunneled Transport Layer Security - Extensible Authentication Protocol - Transport Layer Security.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-TTLS-EAP-TLS?**

   EAP-TTLS-EAP-TLS is an authentication method in which a secure TLS tunnel is established using EAP-TTLS, and inside this tunnel the client and server perform mutual certificate-based authentication using EAP-TLS.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-TTLS-EAP-TLS useful?**

   - Provides strong mutual authentication with certificates.
   - Protects credentials by performing client authentication inside an encrypted tunnel.
   - Offers enhanced security compared to password-only methods.
   - Prevents credential interception and man-in-the-middle attacks.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   1. The client and server first establish a secure TLS tunnel using EAP-TTLS with server-side certificate verification.
   2. Inside this tunnel, the client and server perform a second TLS handshake using EAP-TLS to exchange certificates and mutually authenticate.
   3. Once authenticated, keys are derived for secure communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-TTLS-EAP-TLS used?**

   - Enterprise wireless networks requiring strong certificate-based authentication.
   - VPNs where mutual TLS authentication is required.
   - Networks seeking to combine tunneled EAP-TTLS security with full client certificate authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   - Application Layer (Layer 7).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-TLS Windows specific?**

   - No, it is supported across Windows platforms but may require proper configuration.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-TLS Linux specific?**

   - No, it is widely supported by Linux supplicants such as wpa_supplicant.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-TTLS-EAP-TLS?**

   - EAPOL for client-authenticator communication.
   - RADIUS over UDP between authenticator and authentication server.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-TTLS-EAP-TLS?**

   - UDP port 1812 (RADIUS Authentication).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-EAP-TLS use the client-server model?**

   - Yes, it involves a supplicant (client), an authenticator (access point), and an authentication server.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol use certificates?**

   - Yes, both client and server certificates are used for mutual authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for the EAP-TTLS-EAP-TLS protocol?**

   - Multiple frame exchanges, including the TLS handshake for the EAP-TTLS tunnel and a second TLS handshake inside it for EAP-TLS; the total can be 30-50 frames or more.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol use client certificates?**

   - Yes, client certificates are required inside the EAP-TLS phase.
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol use server certificates?**

   - Yes, server certificates are used both in the outer EAP-TTLS tunnel and in the inner EAP-TLS authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol depend on TCP?**

   - Not directly; EAP and EAPOL are Layer 2 protocols.
   - The TLS handshakes occur inside EAPOL frames.
   - RADIUS uses UDP transport.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol depend on UDP?**

   - Yes, RADIUS communicates over UDP (default port 1812).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing the EAP-TTLS-EAP-TLS protocol?**

   - Client/Supplicant.
   - Authenticator (Access Point).
   - Authentication Server with certificate support (e.g., FreeRADIUS).
   - Certificate Authority (CA).
   - Packet analysis tools for troubleshooting.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol work with the FreeRADIUS server on Linux?**

   - Yes, FreeRADIUS supports EAP-TTLS with inner EAP-TLS authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-TTLS-EAP-TLS protocol work with the internal RADIUS server of hostapd?**

   - The internal RADIUS server in hostapd has limited support; an external RADIUS server is recommended.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which RFCs define the EAP-TTLS-EAP-TLS protocol?**

   - EAP-TTLS is defined in RFC 5281.
   - EAP-TLS is defined in RFC 5216.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAPOL packets are encrypted?**

   - All inner EAP-TLS messages are encrypted inside the EAP-TTLS TLS tunnel.
   - The outer TLS handshake packets are unencrypted until the tunnel is established.
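The outer tunnel only protects the exchange if the supplicant actually verifies the server certificate, and the inner EAP-TLS phase only works if the supplicant has a client certificate to present. The following Python script is an added example, not code from this page, from wpa_supplicant or from FreeRADIUS: it parses wpa_supplicant ``network={ ... }`` blocks and reports the settings that decide both points. It assumes the wpa_supplicant.conf option names ``ca_cert``/``ca_path``, ``domain_match``/``domain_suffix_match``/``subject_match``, ``phase2="autheap=TLS"``, ``client_cert2``/``private_key2`` and ``anonymous_identity``; the two configurations, the file paths and the domain names inside it are constructed for this example.

```python
"""Lint wpa_supplicant network blocks configured for EAP-TTLS with inner EAP-TLS."""
import re

# Constructed sample 1: the outer tunnel will accept any server certificate
# (no trust anchor, no server-name constraint) and the inner EAP-TLS phase
# has no client certificate to present.
WEAK_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.net"
    phase2="autheap=TLS"
}
"""

# Constructed sample 2: CA pinned and server name constrained for the outer
# tunnel, client certificate and key supplied for the inner EAP-TLS handshake.
# Paths and domain names are placeholders.
HARDENED_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.net"
    identity="alice@example.net"
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    domain_match="radius.example.net"
    phase2="autheap=TLS"
    client_cert2="/etc/wpa_supplicant/certs/alice.pem"
    private_key2="/etc/wpa_supplicant/certs/alice.key"
}
"""

_KV = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')


def parse_network_blocks(text):
    """Return one dict per ``network={ ... }`` block; quotes are stripped from values.

    Comments (#) are dropped naively, so a '#' inside a quoted value is not handled.
    """
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('network={'):
            current = {}
        elif line == '}':
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None:
            m = _KV.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                current[key] = value
    return blocks


def lint_ttls_eap_tls(block):
    """Return findings for one network block; an empty list means nothing was flagged."""
    findings = []
    if block.get('key_mgmt') != 'WPA-EAP':
        findings.append('key_mgmt is not WPA-EAP: 802.1X/EAP is not selected')
    if block.get('eap') != 'TTLS':
        findings.append('eap is not TTLS: no outer tunnel')
    if block.get('phase2') != 'autheap=TLS':
        findings.append('phase2 is not autheap=TLS: inner method is not EAP-TLS')
    # Step 1 of the procedure relies on verifying the server certificate; without a
    # trust anchor the supplicant accepts whatever certificate the server presents.
    if 'ca_cert' not in block and 'ca_path' not in block:
        findings.append('no ca_cert/ca_path: outer TTLS server certificate is not verified')
    # A trust anchor alone accepts any certificate that CA issued, so pin the name too.
    if not any(k in block for k in ('domain_match', 'domain_suffix_match', 'subject_match')):
        findings.append('no domain_match/domain_suffix_match/subject_match: server name is not constrained')
    # The inner EAP-TLS handshake needs a client certificate and key (phase 2 options).
    if 'client_cert2' not in block or 'private_key2' not in block:
        findings.append('no client_cert2/private_key2: inner EAP-TLS has no client certificate')
    # The outer EAP-Response/Identity travels before the tunnel exists, i.e. in the clear.
    if 'anonymous_identity' not in block:
        findings.append('no anonymous_identity: real identity is sent in the clear outside the tunnel')
    return findings


def lint_config(text):
    """Lint every network block in a config text; returns {ssid: [findings]}."""
    return {b.get('ssid', '?'): lint_ttls_eap_tls(b) for b in parse_network_blocks(text)}


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        for ssid, findings in lint_config(conf).items():
            print(f'[{name}] {ssid}: {"OK" if not findings else str(len(findings)) + " finding(s)"}')
            for f in findings:
                print('   -', f)
```

Run it against a real ``/etc/wpa_supplicant/wpa_supplicant.conf`` by passing the file contents to ``lint_config``; the weak sample produces four findings (no trust anchor, no server-name constraint, no phase-2 client certificate, no anonymous outer identity) and the hardened sample none.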
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for the EAP-TTLS-EAP-TLS protocol?**

   1. Outer TLS handshake to establish the EAP-TTLS tunnel, with server certificate verification.
   2. Inside this tunnel, an inner TLS handshake using the EAP-TLS protocol is performed for mutual client-server certificate authentication.
   3. Once mutual authentication succeeds, session keys and the PMK are derived.
   4. Client and authenticator perform the 4-way handshake using the PMK.
   5. Secure communication begins with the derived session keys.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   - Successful mutual authentication.
   - Derivation of the Pairwise Master Key (PMK).
   - Enabling of the encrypted wireless link.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   - A 256-bit Pairwise Master Key (PMK).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   - The PMK is used in the 4-way handshake to derive the temporal session keys (PTK) for encrypting wireless data traffic between the client and the access point.
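The stages above, and the "How does it work?" steps earlier on this page, end with a PMK that the authenticator and the station turn into per-session keys. The following Python script is an added example, not code from this page, from FreeRADIUS, hostapd or wpa_supplicant; it traces that key hierarchy with constructed values. It assumes that the outer TLS tunnel negotiated a TLS 1.2 cipher suite using the SHA-256 PRF of RFC 5246, that the keying material is exported with the ``ttls keying material`` label of RFC 5281 section 8 (128 octets, of which the first 64 are the MSK; the PMK is the first 32 octets of the MSK), and a WPA2/CCMP link, so the 4-way handshake derives a 384-bit PTK (KCK, KEK and TK) with the PRF-384 of IEEE 802.11. The master secret, TLS randoms, MAC addresses and nonces are constructed test values.

```python
"""Key hierarchy after a successful EAP-TTLS / inner EAP-TLS exchange (added example)."""
import hashlib
import hmac


def tls12_prf(secret, label, seed, nbytes):
    """RFC 5246 PRF with P_SHA256: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b'', seed                                  # A(0) = seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:nbytes]


def ttls_msk_emsk(master_secret, client_random, server_random):
    """RFC 5281 section 8 (assumed TLS 1.2 PRF): 128 octets from the outer TLS session.

    The first 64 octets are the MSK, the next 64 the EMSK.
    """
    km = tls12_prf(master_secret, b'ttls keying material', client_random + server_random, 128)
    return km[:64], km[64:]


def pmk_from_msk(msk):
    """The PMK the RADIUS server hands to the AP is the first 256 bits of the MSK."""
    return msk[:32]


def ieee80211_prf(key, prefix, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, prefix || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b'', 0
    while len(out) < nbytes:
        out += hmac.new(key, prefix + b'\x00' + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """4-way handshake: PTK = PRF-384(PMK, "Pairwise key expansion", addresses || nonces).

    Addresses and nonces are ordered min/max so both sides compute the same PTK.
    Returns (KCK, KEK, TK), 16 bytes each for CCMP.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b'Pairwise key expansion', data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def demo():
    """Run the whole chain on constructed inputs and return every key by name."""
    master_secret = bytes(range(48))        # constructed TLS master secret
    client_random = b'\x11' * 32            # constructed TLS ClientHello random
    server_random = b'\x22' * 32            # constructed TLS ServerHello random
    msk, emsk = ttls_msk_emsk(master_secret, client_random, server_random)
    pmk = pmk_from_msk(msk)
    aa = bytes.fromhex('001122334455')      # constructed authenticator (AP) MAC
    spa = bytes.fromhex('66778899aabb')     # constructed supplicant (station) MAC
    anonce, snonce = b'\xaa' * 32, b'\x55' * 32   # constructed handshake nonces
    kck, kek, tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    return {'msk': msk, 'emsk': emsk, 'pmk': pmk, 'kck': kck, 'kek': kek, 'tk': tk}


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name:4s} ({len(value) * 8:3d} bits): {value.hex()}')
```

The PMK is what a packet capture never shows: it leaves the RADIUS server in an MS-MPPE-Recv-Key attribute and is never transmitted over the air, while the ANonce and SNonce in EAPOL-Key frames 1 and 2 are visible and are what make the PTK fresh for every association.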
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section,

   * :ref:`Learnings in this section `
   * :ref:`Terminology `
   * :ref:`Version Info `
   * :ref:`EAP_TTLS_EAP_TLS Version&IEEE Details `
   * :ref:`EAP_TTLS_EAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines) `
   * :ref:`STEP 1: Bring up FreeRADIUS `
   * :ref:`STEP 2: Bring up AP `
   * :ref:`STEP 3: Bring up STA `
   * :ref:`EAP_TTLS_EAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines) `
   * :ref:`EAP_TTLS_EAP_TLS Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
   * :ref:`EAP_TTLS_EAP_TLS Protocol Packet Details `
   * :ref:`EAP_TTLS_EAP_TLS Usecases `
   * :ref:`EAP_TTLS_EAP_TLS Basic Features `
   * :ref:`Reference links `

.. _EAP_TTLS_EAP_TLS_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_TTLS_EAP_TLS_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_TTLS_EAP_TLS_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_TTLS_EAP_TLS_step5:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS Version&RFC Details

      * RFC details

.. _EAP_TTLS_EAP_TLS_step18:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_EAP_TLS_step23:

.. tab-set::

   .. tab-item:: STEP 1: Bring up FreeRADIUS

      .. csv-table::
         :file: ./EAP_TTLS_EAP_TLS/eap_ttls_eap_tls_freeradius_server.csv
         :class: tight-table

.. _EAP_TTLS_EAP_TLS_step21:

.. tab-set::

   .. tab-item:: STEP 2: Bring up AP using hostapd

      .. csv-table::
         :file: ./EAP_TTLS_EAP_TLS/eap_ttls_eap_tls_ap_hostapd.csv
         :class: tight-table

.. _EAP_TTLS_EAP_TLS_step22:

.. tab-set::

   .. tab-item:: STEP 3: Bring up STA

      .. csv-table::
         :file: ./EAP_TTLS_EAP_TLS/eap_ttls_eap_tls_station_wpa_supplicant.csv
         :class: tight-table

.. tab-set::

   .. tab-item:: Wireshark output

      * Download the file to check the Wireshark output: :download:`Packet capture in EAP-TLS `

.. _EAP_TTLS_EAP_TLS_step19:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_TTLS_EAP_TLS_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_TTLS_EAP_TLS_step6:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS Protocol Packet Details

      * packet details

.. _EAP_TTLS_EAP_TLS_step7:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS Usecases

      * usecases

.. _EAP_TTLS_EAP_TLS_step8:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_TLS Basic Features

      * features

.. _EAP_TTLS_EAP_TLS_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links