The Different Flavors of EAP
The brain behind 802.1X authentication is actually the Extensible Authentication Protocol (EAP). There are many types, or flavors, of EAP. The type an organization should use depends upon the desired level of security, desired complexity, and the server/client specs.
Here are the most popular types:
- PEAP (Protected EAP): This method is one of the most popular and easy-to-implement EAP types. It authenticates end-users via usernames and passwords they must enter when connecting to the network. The authentication server can also be validated during PEAP authentication when an SSL certificate is installed on the server. This type is supported by default in Windows.
- TLS (Transport Layer Security): This type is one of the most secure flavors, but takes more effort to implement and maintain. Both client and server validation are done via SSL certificates. Instead of providing a username and password when connecting, end-user devices or computers must have an SSL certificate file loaded into their 802.1X client. The administrators control the certificate authority (CA) and hand out the client certificates, giving administrators more control, but requiring more administrative time.
- TTLS (Tunneled TLS): An improved version of TLS that doesn't require client-side security certificates, reducing the overhead of managing the network. However, this EAP type doesn't have native support in Microsoft Windows; it requires a third-party client like SecureW2.
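
As an added illustration (not part of the original article), this script audits 802.1X client profiles against the credentials each EAP type above relies on, and checks that server validation is actually configured. It assumes wpa_supplicant as the client; the SSIDs, identities and file paths are constructed sample values, and the network blocks are trimmed to the EAP-relevant settings.

```python
import re

# Constructed sample wpa_supplicant.conf (made-up SSIDs, identities, paths).
SAMPLE_CONF = '''
network={
    ssid="corp-peap"
    eap=PEAP
    identity="alice"
    password="example-only"
}
network={
    ssid="corp-peap-validated"
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="corp-tls"
    eap=TLS
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.com"
    private_key="/etc/ssl/private/host1.key"
}
'''

# Client credentials per EAP type: passwords for PEAP/TTLS, a certificate for TLS.
CREDS = {"PEAP": ["identity", "password"], "TTLS": ["identity", "password"],
         "TLS": ["client_cert", "private_key"]}
# Without these, the client does not verify which server it is talking to.
SERVER_CHECKS = ["ca_cert", "domain_suffix_match"]

def parse_networks(text):
    """Return one dict of setting -> value per network={...} block."""
    blocks = re.findall(r"network=\{(.*?)\n\}", text, re.S)
    return [{k: v.strip('"') for k, v in
             re.findall(r"^[ \t]*(\w+)=(.*?)[ \t]*$", b, re.M)} for b in blocks]

def audit(text):
    """Map each SSID to the settings missing for its EAP type."""
    findings = {}
    for net in parse_networks(text):
        needed = CREDS.get(net.get("eap", ""), []) + SERVER_CHECKS
        findings[net.get("ssid", "?")] = [k for k in needed if k not in net]
    return findings

if __name__ == "__main__":
    for ssid, missing in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not missing else "missing: " + ", ".join(missing))
```

The first profile is the common PEAP weak spot: it sends a username and password but never checks the server's certificate, so the optional server validation described above is not happening.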