Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1364
Views
0
Helpful
2
Replies

PEAP-EAP-TLS vrs. EAP-TLS

Andrew.Hanson
Level 1
Level 1

‎02-21-2006 03:36 PM - edited ‎07-04-2021 11:40 AM

Hello All,

I've read an article by George Ou and he mentions that a main difference between PEAP-TLS and EAP-TLS is that the client certificate in PEAP-TLS is partially encrypted and EAP-TLS does not. Does this simply mean that the certificate in PEAP-TLS cannot be exported where EAP-TLS can? Can anyone shed more information on the differences between these two EAP methods? I know PEAP-TLS is only supported by Microsoft.

TIA,

Andrew

Labels:
0 Helpful
2 Replies 2

jcornford
Level 1
Level 1

‎02-22-2006 10:05 AM

I just found the doc I think you've read on the web. It's pretty good.

What he's talking about is that when you initially authenticate, PEAP-EAP-TLS establishes a TLS tunnel before sending any authentication credentials. Straight EAP-TLS does it's first phase in the clear, so certain information is visable. It's not really anything to do with whether a certificate is exportable or not on the client device (which is what I think you mean). I think I've got that right, but I'm going from memory.

Differences? Basically the most secure method is PEAP-EAP-TLS (PEAP-GTC is good too). EAP-TLS is almost as good, and PEAP-MSCHAPv2 is a weaker. PEAP is Mircosoft's implementation that encapsulates other EAP types. Other vendors do sometimes write PEAP functions into there software, so it's not only supported by Microsoft, but you need to check on a device by device basis as they don't always support all functions. e.g. Cisco adapters support PEAP-MSCHAPv2 and PEAP-GTC, and EAP-TLS directly in the ADU utility. But they only support raw EAP-TLS as far as I know (unless anybody knows different?). i.e. they don't support PEAP-EAP-TLS. You need to use XP Zero instead.

0 Helpful

Andrew.Hanson
Level 1
Level 1
In response to jcornford

‎02-22-2006 02:43 PM

Thanks for answerign the post! There isn't alot of documentation regarding PEAP-TLS.

Here is his quote from the document:

"PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes further to encrypt client digital certificate information."

http://www.lanarchitect.net/Articles/Wireless/SecurityRating/

It really sounds like he's talking about the certificate that exists locally. I was hoping to find out how ecrypting them locally would affect exportation of these certificates.If I'm wrong, wouldn't the TLS tunnel built using the server's certificate just be hiding the user ID (or machine ID)? Is that the only benefit?

Your right about Cisco not supporting PEAP-TLS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card