EAP-TLS is an authentication protocol that encapsulates a TLS connection inside EAP. This provides cryptographically secure mutual authentication: the identities of both the client and the server are established using digital certificates.

EAP-TLS can work in standalone mode, or be tunnelled inside of either PEAP or TTLS. The disadvantage of using EAP-TLS in standalone mode is that the client’s certificate is visible to eavesdroppers, which allows adversaries to see the names of your network users. When tunnelled inside of PEAP or TTLS, users’ identities are protected. The disadvantage of tunnelled EAP-TLS is that the server must perform two full TLS handshakes per authentication, which is costly in terms of server performance.

The EAP-TLS service controls the protocol only for standalone EAP-TLS. Tunnelled EAP-TLS must be enabled or disabled using the PEAP and TTLS services.

You must add the authority certificate that is used to sign your users’ certificates in Elektron Settings’ Trusted Certificates pane. Elektron needs this certificate in order to authenticate your network users.
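The trust relationship above can be checked before the CA certificate is loaded into the Trusted Certificates pane. The following script is an added example, not part of Elektron or its documentation: it builds a throw-away CA, issues one user certificate from it, and shows that the user certificate verifies only against the CA that actually signed it. It assumes the openssl command-line tool is on PATH; every name and path in it is constructed.

```shell
#!/bin/sh
# Added example (not Elektron's own tooling): make a throw-away CA, issue a
# user certificate from it, and verify the chain the way a RADIUS server does
# when the issuing CA is (or is not) in its trusted store.
# Assumes the openssl CLI is on PATH; all names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME-ca.{pem,key}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1 Example CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# issue_user CA USER: user key plus a certificate signed by CA's key
issue_user() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$2@example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_user CA USER: exit 0 if USER's certificate chains to CA, non-zero otherwise
verify_user() {
    openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca corp          # the CA that signs your users' certificates
make_ca other         # an unrelated CA whose certificate is NOT trusted
issue_user corp alice

# Only the signing CA accepts alice's certificate; this is the check Elektron
# performs, which is why the signing CA belongs in Trusted Certificates.
if verify_user corp alice; then echo "alice against corp CA: accepted"; fi
if ! verify_user other alice; then echo "alice against other CA: rejected"; fi
```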

EAP-TLS requires each user to have her own digital certificate. This in turn leads to the need for a Public Key Infrastructure (PKI). Since the requirements of maintaining a PKI are substantial, most organizations opt instead to use either PEAP or EAP-TTLS, which require a digital certificate for the server only. With these protocols, users are typically authenticated using passwords rather than digital certificates, which is easier to integrate into an existing authentication infrastructure.