IEEE 802.1X/EAP authentication in wireless networks
Although certificates are used extensively in many wireless networks with 802.1X/EAP, not all types of EAP use them. Here I will cover two that do and happen to be my favorites.
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and Protected Extensible Authentication Protocol (PEAP) both require the use of certificates. To use EAP-TLS, a certificate (a public key and a private key) must be installed on both the authentication server and the client. A key pair for the authentication server and a key pair for the client must first be generated and signed using a public key infrastructure (PKI), then installed on the corresponding server and/or client. On the client side, the keys can be issued for the computer (the term “machine certificate” is usually used) and/or for the user.
PEAP could be seen as a compromise between EAP-TLS, which relies entirely on a certificate-based infrastructure, and EAP-FAST, which does not require any certificate exchange between the client and the authentication server. With PEAP, a certificate is required, but only on the server side.
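The generate-and-sign step described above, as an added example that is not part of the original post: a lab-only PKI built with the `openssl` command line that issues a server certificate for both EAP types and a client certificate only for EAP-TLS. The function names, subject names, key size and 30-day lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: constructed lab PKI. Subject names, key size and the 30-day
# lifetime are placeholders, not values from the article.

# issue_cert DIR ROLE CN: generate a key pair and have the lab CA sign it.
# ROLE (server|client) selects the extension section in pki.cnf.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/pki.cnf" -extensions "$2" -days 30 \
        -out "$1/$2.crt" 2>/dev/null
}

# make_lab_pki DIR EAP_TYPE: EAP_TYPE is eap-tls or peap.
make_lab_pki() {
    mkdir -p "$1" || return 1
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
extendedKeyUsage = serverAuth
[client]
extendedKeyUsage = clientAuth
EOF
    # Self-signed root that both sides will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -extensions ca \
        -subj "/CN=Lab Wireless CA" -keyout "$1/ca.key" -out "$1/ca.crt" \
        -days 30 2>/dev/null || return 1
    # Both EAP types need a server certificate on the authentication server.
    issue_cert "$1" server radius.lab.example || return 1
    # Only EAP-TLS also needs a certificate (machine or user) on the client.
    case "$2" in
        eap-tls) issue_cert "$1" client laptop01.lab.example ;;
        peap)    : ;;
        *)       return 2 ;;
    esac
}

# cert_ok_for DIR ROLE PURPOSE: does ROLE.crt chain to the lab CA and carry
# the right extended key usage? PURPOSE is sslserver or sslclient.
cert_ok_for() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Calling `make_lab_pki ./pki eap-tls` leaves `ca.crt`, `server.crt`/`server.key` and `client.crt`/`client.key` in `./pki`; with `peap` the client files are not created, and the client only needs `ca.crt` to validate the server.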