EAP-TTLS/EAP-OTP

What is Expansion of EAP-TTLS/EAP-OTP?

EAP-TTLS/OTP stands for Extensible Authentication Protocol – Tunneled Transport Layer Security with One-Time Password as the inner authentication method.

What is EAP-TTLS/EAP-OTP?

EAP-TTLS/OTP is an authentication method that establishes a secure TLS tunnel between the client and server using EAP-TTLS and then uses a One-Time Password (OTP) mechanism for client authentication within that tunnel.

Why is EAP-TTLS/EAP-OTP useful?

  • Encrypts the OTP credentials inside the TLS tunnel.

  • Only a server certificate is required.

  • Supports flexible inner authentication methods.

  • Suitable for legacy systems and multi-factor authentication.

  • Reduces need for client-side certificate management.

How does it work?

  • A TLS tunnel is established between client and server using the server certificate.

  • Inside the tunnel, the client sends OTP credentials (e.g., time-based or token-generated).

  • The server validates the OTP against its backend.

  • On success, session keys are derived, and access is granted.

Where is EAP-TTLS/EAP-OTP used?

  • Enterprise Wi-Fi networks.

  • Secure remote access (VPNs).

  • Authentication systems using soft/hardware OTP tokens (e.g., Google Authenticator, RSA SecurID).

Which OSI layer does this protocol belong to?

  • Application Layer (Layer 7).

  • Runs on top of EAP, which is itself encapsulated in lower-layer protocols.

Is EAP-TTLS/EAP-OTP Windows specific?

  • No, it is platform-independent.

  • Support may require third-party supplicants on Windows (e.g., SecureW2, Cisco AnyConnect).

Is EAP-TTLS/EAP-OTP Linux specific?

  • No, supported on Linux using tools like wpa_supplicant and FreeRADIUS.

Which Transport Protocol is used by EAP-TTLS/EAP-OTP?

  • EAP over EAPOL (Ethernet)

  • EAP over RADIUS (UDP)

  • EAP over Diameter (TCP/SCTP)

Which Port is used by EAP-TTLS/EAP-OTP?

  • RADIUS: UDP port 1812

  • Diameter: TCP port 3868

Does EAP-TTLS/EAP-OTP use a client-server model?

  • Yes.

  • The client (supplicant) reaches the Authentication Server through an Authenticator (e.g., an Access Point or switch).

Does the EAP-TTLS/EAP-OTP protocol use certificates?

  • Yes, a server certificate is required.

  • A client certificate is not required for OTP authentication.

How many frame exchanges are seen during the connection procedure for the EAP-TTLS/EAP-OTP protocol?

  • Typically 10–12 EAP messages, depending on the TLS handshake and the OTP exchange.

Does the EAP-TTLS/EAP-OTP protocol use client certificates?

  • No, the OTP method does not require client certificates.

Does the EAP-TTLS/EAP-OTP protocol use server certificates?

  • Yes, a valid server certificate is essential to initiate the TLS tunnel.

Does the EAP-TTLS/EAP-OTP protocol depend on TCP?

  • Only indirectly, when Diameter is used as the AAA transport.

  • EAP-TTLS itself is transport independent.

Does the EAP-TTLS/EAP-OTP protocol depend on UDP?

  • Yes, when a RADIUS backend is used (which is typical).

What are the roles involved when testing the EAP-TTLS/EAP-OTP protocol?

  • Supplicant (client)

  • Authenticator (e.g., Access Point)

  • Authentication Server (e.g., FreeRADIUS with OTP support)

  • Certificate Authority (for server certificate)

Does the EAP-TTLS/EAP-OTP protocol work with the FreeRADIUS server on Linux?

  • Yes, FreeRADIUS fully supports EAP-TTLS and can integrate with OTP modules like Google Authenticator or OPIE.

Does the EAP-TTLS/EAP-OTP protocol work with the internal RADIUS server of hostapd?

  • No, hostapd’s internal RADIUS server does not support EAP-TTLS or OTP.

Which RFCs define the EAP-TTLS/EAP-OTP protocol?

  • EAP-TTLS: Defined in RFC 5281.

  • OTP methods: Follow RFC 2289, or other schemes such as TOTP (RFC 6238) and proprietary token implementations.

During the connection procedure, which EAPOL packets are encrypted?

  • EAPOL packets themselves are not encrypted.

  • Inner authentication (OTP) is encrypted inside the TLS tunnel established by EAP-TTLS.

Can you explain the different stages of the connection procedure for the EAP-TTLS/EAP-OTP protocol?

  • The client sends its EAP Identity.

  • The server initiates the EAP-TTLS TLS handshake.

  • The TLS tunnel is established using the server certificate.

  • The client provides OTP credentials inside the tunnel.

  • The server verifies the OTP against its backend.

  • EAP Success is sent on successful authentication.

  • Keys are derived and handed to the authenticator.

What is the final output of the connection procedure?

  • Master Session Key (MSK) and Extended Master Session Key (EMSK) are generated.

What is the format of the key generated after the connection procedure?

  • MSK: 64 bytes (512 bits)

  • EMSK: 64 bytes (512 bits)
