
If EAP-TTLS is an EAP method that establishes a TLS tunnel, what goes in the tunnel? It could be another EAP method, but it could also be PAP. What decides? The server, the supplicant, or do they somehow negotiate? How does this phase of the protocol work?

Phil Frost

1 Answer


What it decides is what the clients can speak. This is accomplished in the last step of phase 1 in EAP, namely the ChangeCipherSpec.

An easy example: the client wants to authenticate and can only speak PAP, then the server will select PAP because the server itself can also speak PAP. If a client can speak other "protocols", the most secure protocol will be used.

timmeyh
Which protocol defines ChangeCipherSpec? I see references in RFC 5281 (EAP-TTLS) but it doesn't seem to define it. How does the client know what methods the server can speak? What I want to accomplish here is EAP-TTLS/PAP, but when I've tested clients they offer EAP-TTLS/MS-CHAPv2. I can go to each client and reconfigure the supplicant, but I'd like to avoid that. – Phil Frost Mar 28 '13 at 21:20
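
In RFC 5281 the data inside the tunnel is a sequence of AVPs, and the AVPs present in the client's first phase 2 message show which inner method it is attempting (User-Password for PAP, MS-CHAP2-Response for MS-CHAPv2, EAP-Message for tunneled EAP). The following is an added example, not part of the original thread: it decodes that AVP sequence and names the inner method, which lets a server operator confirm what supplicants actually send. The function names are hypothetical and the sample messages are constructed.

```python
import struct

MICROSOFT = 311  # vendor ID carried by the MS-CHAP attributes

def encode_avp(code, data, vendor=None):
    """Build one AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to 4."""
    flags = 0x40 | (0x80 if vendor is not None else 0)  # M bit, plus V if vendor
    length = (12 if vendor is not None else 8) + len(data)  # excludes padding
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-length % 4)

def parse_avps(buf):
    """Return [(vendor_or_None, code, data)] from decrypted phase 2 bytes."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else None
        avps.append((vendor, code, buf[off + hdr:off + length]))
        off += length + (-length % 4)  # skip padding to the 4-octet boundary
    return avps

def inner_method(buf):
    """Name the inner method from the AVPs in the client's first message."""
    seen = {(vendor, code) for vendor, code, _ in parse_avps(buf)}
    for key, name in [((None, 79), "EAP"), ((MICROSOFT, 25), "MS-CHAP-V2"),
                      ((MICROSOFT, 1), "MS-CHAP"), ((None, 3), "CHAP"),
                      ((None, 2), "PAP")]:
        if key in seen:
            return name
    return "unknown"

# Constructed sample messages (not captured traffic).
PAP_MSG = encode_avp(1, b"alice") + encode_avp(2, b"s3cret".ljust(16, b"\x00"))
MSCHAPV2_MSG = (encode_avp(1, b"alice")
                + encode_avp(11, bytes(16), MICROSOFT)   # MS-CHAP-Challenge
                + encode_avp(25, bytes(50), MICROSOFT))  # MS-CHAP2-Response

if __name__ == "__main__":
    print(inner_method(PAP_MSG), inner_method(MSCHAPV2_MSG))
```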