WLAN Security - EAP-TLS EAP-Identity exposed in the clear

Nov 7th, 2008

Hi Guys,

As a well-known point on EAP-TLS, the EAP-Identity message from (let's say) a workstation is exposed in the clear, and any packet capture can pick this up.

How does this affect organisations deploying EAP-TLS, and are there any recommended mitigation techniques to use?

If you are using EAP-TLS and Active Directory, this machine name could be in the CN/SAN comparison from the Cisco ACS to the AD DC, so could that be a problem? Not sure.

But the underlying certificate exchange is the real security method here, correct? So should I not worry about this?

Many thx and kind regards,


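The exposure the question describes, as an added example that is not part of this thread: a small Python parser over constructed EAPOL frames (Ethernet + EAPOL + EAP, RFC 3748 framing) that pulls out every EAP-Response/Identity a sniffer would see. The MAC addresses, the identity string and the EAP-TLS payload are constructed sample data, built in the script rather than read from a pcap. Two points worth keeping in mind when reading it: 802.1X/EAP runs before the WPA2 4-way handshake derives link keys, so WPA2/AES does not cover this exchange at all; and the usual mitigation is an anonymous outer identity (for example `anonymous@realm`, with only the realm needed for RADIUS routing), which is not shown by this thread's deployment.

```python
"""Parse constructed EAPOL/EAP frames and show what is readable in the clear.

Added example, not code from the original thread. Framing follows RFC 3748
(EAP) and IEEE 802.1X (EAPOL over Ethernet, EtherType 0x888E).
"""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0          # EAPOL packet type 0 carries an EAP packet
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
EAP_TLS_FLAG_START = 0x20     # "S" bit in the EAP-TLS flags byte (RFC 5216)
EAP_TYPE_NAMES = {EAP_TYPE_IDENTITY: "Identity", EAP_TYPE_TLS: "EAP-TLS"}


def build_frame(src, dst, code, ident, eap_type, type_data=b""):
    """Assemble Ethernet + EAPOL + EAP bytes for the constructed capture."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(type_data), eap_type) + type_data
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_frame(frame):
    """Return a dict for an EAPOL frame, or None if the frame is not EAPOL at all."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    if ptype != EAPOL_EAP_PACKET:
        return {"src": src, "dst": dst, "eapol_type": ptype, "eap": None}
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        eap["type"] = body[4]           # Type byte only exists on Request/Response
        eap["data"] = body[5:eap_len]   # Type-Data: identity string, TLS flags+records, ...
    return {"src": src, "dst": dst, "eapol_type": ptype, "eap": eap}


def identities_in_clear(frames):
    """Every EAP-Response/Identity value in a capture, paired with the sender MAC."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed["eap"] is None:
            continue
        eap = parsed["eap"]
        if eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
            found.append((parsed["src"].hex(":"), eap["data"].decode("utf-8", "replace")))
    return found


def summarize(frames):
    """One human-readable line per EAP packet, as a sniffer would list the exchange."""
    lines = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed["eap"] is None:
            continue
        eap = parsed["eap"]
        kind = "Request" if eap["code"] == EAP_REQUEST else "Response"
        lines.append("%s -> %s %s id=%d %s" % (
            parsed["src"].hex(":"), parsed["dst"].hex(":"), kind, eap["id"],
            EAP_TYPE_NAMES.get(eap.get("type"), "type %s" % eap.get("type"))))
    return lines


# Constructed capture: AP MAC, station MAC, identity and TLS bytes are all made up.
AP = bytes.fromhex("001122aabbcc")
STA = bytes.fromhex("00deadbeef01")
CAPTURE = [
    build_frame(AP, STA, EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    build_frame(STA, AP, EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/laptop01.corp.example"),
    build_frame(AP, STA, EAP_REQUEST, 2, EAP_TYPE_TLS, bytes([EAP_TLS_FLAG_START])),
    # flags byte 0x00 followed by a placeholder standing in for a TLS ClientHello record
    build_frame(STA, AP, EAP_RESPONSE, 2, EAP_TYPE_TLS, b"\x00" + b"\x16\x03\x03\x00\x05hello"),
]

if __name__ == "__main__":
    for line in summarize(CAPTURE):
        print(line)
    print("identities visible in the clear:", identities_in_clear(CAPTURE))
```

On a real capture the same parser applies to frames read from a pcap; here the EAPOL frames are generated in the script so it runs offline.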
Scott Fella Fri, 11/07/2008 - 04:47

Certificate exchange is the real security method. Wireless client to AP traffic is protected by the type of encryption you use (WEP, WPA/TKIP, WPA2/AES). Then the authentication method is another layer, depending on what you decide on. PEAP and EAP-TLS do send the username in clear text but hash the password. EAP-TTLS hashes both, but is not widely supported, unless you have certain RADIUS servers that support this and a client utility.

kfarrington Fri, 11/07/2008 - 05:04

Hi Fella, excellent response.

So, a couple of points here:

We use EAP-TLS and WPA2/AES

EAP-TLS = Authentication Layer only

WPA2/AES = Encryption Layer only

Is that correct?

Also, if correct

EAP-TLS Authentication Only

What does this authenticate in the certificate, and how?

All I know is that it is working: the client cert and ACS server cert are authenticating each other, and we have the ACS consulting the Active Directory DC with a CN, SAN or binary comparison.

So the way I see it, there are two layers of authentication here

1st Layer

Laptop <---> ACS certificate verification/authentication (the two certs have some field in them that says they are linked) and are happy to proceed?

2nd Layer

The ACS-AD comparison, so if this field in the cert appears in an AD GPO, it allows access; if not, no EAP-Success message is sent?

Can you clarify this, as you have done a good job in explaining thus far?

Many thx indeed,


Gustavo Novais Fri, 11/28/2008 - 05:42


What happens in fact is that the authentication is based on the certificate validity only. So if you have a valid certificate (i.e. issued by a CA that the ACS trusts) you will be authenticated. The ACS will do a further check for existence in the AD/external DB of the certificate fields, usually CN or SAN.

If successful, it will do all of the group matching between AD and ACS security groups and return your authorization attributes packed in a RADIUS Access-Accept response.

Other RADIUS servers allow you to only match the certificate, not validating the common name or SAN field of the certificate, but I do think this is not a widely deployed option.
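As an added example, not from this thread and not Cisco ACS code, the authorization step Gustavo describes in Python: the client certificate is assumed to have already passed chain validation, and the directory lookup is done either by subject CN, by SAN (dNSName against dNSHostName for machines, UPN against userPrincipalName for users), or by binary comparison of the presented DER against blobs published in the account's userCertificate attribute. The directory objects, certificate fields and "DER" bytes are constructed placeholders (not real DER). The outer EAP-Identity is carried through for logging only and never selects the account, since it was sent in the clear and is unauthenticated; rejecting when more than one object matches is a design choice of this example, made to show why CN matching is weaker than SAN or binary matching.

```python
"""Map a chain-validated EAP-TLS client certificate to a directory account.

Added example, not the ACS implementation. All sample data is constructed.
"""
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ValidatedCert:
    """Fields already extracted from a client cert whose chain the RADIUS server trusts."""
    subject_cn: str
    san_dns: List[str]     # dNSName entries from subjectAltName
    san_upn: List[str]     # otherName/UPN entries from subjectAltName
    der: bytes             # the certificate as presented (placeholder bytes here)


@dataclass
class DirectoryObject:
    """Subset of an AD object relevant to the lookup (constructed sample data)."""
    dn: str
    cn: str
    dns_host_name: Optional[str]
    upn: Optional[str]
    user_certificate: List[bytes]   # DER blobs published to the account


def _norm(name):
    return name.strip().lower()


def match_cn(cert, directory):
    """Subject CN against object CN: simplest, but CN is not unique across OUs."""
    return [o for o in directory if _norm(o.cn) == _norm(cert.subject_cn)]


def match_san(cert, directory):
    """SAN dNSName against dNSHostName (machines), SAN UPN against userPrincipalName (users)."""
    dns = {_norm(n) for n in cert.san_dns}
    upn = {_norm(u) for u in cert.san_upn}
    return [o for o in directory
            if (o.dns_host_name and _norm(o.dns_host_name) in dns)
            or (o.upn and _norm(o.upn) in upn)]


def match_binary(cert, directory):
    """Whole-certificate comparison against blobs in userCertificate (constant-time)."""
    return [o for o in directory
            if any(hmac.compare_digest(cert.der, blob) for blob in o.user_certificate)]


MATCHERS = {"cn": match_cn, "san": match_san, "binary": match_binary}


def authorize(outer_identity, cert, mode, directory):
    """Decide Access-Accept/Reject. The outer identity is logged but never used to
    pick the account: only the validated certificate does that."""
    record = {"outer_identity": outer_identity, "mode": mode, "accept": False, "account": None}
    if cert is None:
        record["reason"] = "no chain-validated client certificate"
        return record
    hits = MATCHERS[mode](cert, directory)
    if not hits:
        record["reason"] = "certificate matches no directory object"
    elif len(hits) > 1:
        record["reason"] = "ambiguous: %d objects match" % len(hits)
    else:
        record.update(accept=True, account=hits[0].dn, reason="match")
    return record


# Constructed directory: two computers that share a CN in different OUs, plus one user.
LAPTOP01_DER = b"constructed-placeholder-der-laptop01"   # not real DER
DIRECTORY = [
    DirectoryObject("CN=LAPTOP01,OU=Corp,DC=corp,DC=example", "LAPTOP01",
                    "laptop01.corp.example", None, [LAPTOP01_DER]),
    DirectoryObject("CN=LAPTOP01,OU=Lab,DC=corp,DC=example", "LAPTOP01",
                    "laptop01.lab.corp.example", None, []),
    DirectoryObject("CN=jdoe,OU=Users,DC=corp,DC=example", "jdoe",
                    None, "jdoe@corp.example", []),
]
LAPTOP01_CERT = ValidatedCert("LAPTOP01", ["LAPTOP01.corp.example"], [], LAPTOP01_DER)
# A cert from the trusted CA with the same CN but a SAN the directory does not know.
STRAY_CERT = ValidatedCert("LAPTOP01", ["laptop01.other.example"], [], b"constructed-placeholder-der-other")

if __name__ == "__main__":
    for mode in ("cn", "san", "binary"):
        print(mode, authorize("host/laptop01.corp.example", LAPTOP01_CERT, mode, DIRECTORY))
    print("spoofed outer identity, same cert:",
          authorize("host/dc01.corp.example", LAPTOP01_CERT, "san", DIRECTORY))
```

Running it shows the CN mode rejecting LAPTOP01 as ambiguous while SAN and binary modes accept it, and the outer identity changing nothing about the outcome.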



Scott Fella Sat, 11/29/2008 - 08:52

WPA2/AES is your encryption level and EAP-TLS is your authentication key management type. EAP-TLS uses and requires a server-side (RADIUS) certificate along with a certificate on the user end device. The encryption layer is the WPA2/AES, which is encrypted and decrypted by the AP, so this is the encryption between the client and the access point only. EAP-TLS is then used to authenticate using a RADIUS server that will verify the policy of that NAS or policy that you create. Now, depending on whether you use a 3rd-party certificate or an MS cert, you also can and should validate the server certificate on the client. MS certs can be done by GPO, but if using a third-party cert, you need to enable the correct CA on the client, which can also be pushed through GPO.

