The Elektron TTLS service implements the EAP Tunnelled Transport Layer Security protocol. TTLS is an authentication protocol developed as an alternative to EAP-TLS that does not rely on client-side digital certificates to validate client identities.
Like PEAP, TTLS builds on and extends EAP-TLS. When the client first connects to the Elektron server, a TLS handshake is performed. This serves two functions: it proves the identity of the Elektron server (using its digital certificate), and it establishes an encrypted channel for the inner authentication. The inner authentication, carried inside that channel, proves the identity of the client.
The Elektron TTLS service supports a number of different methods for inner authentication. Among these are PAP, CHAP, MS-CHAP, MS-CHAP-V2, EAP-MS-CHAP-V2, EAP-MD5-Challenge, and EAP-TLS. For the TTLS service to run, at least one of these tunnelled authentication types must be allowed.
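The inner authentication described above is not sent as raw RADIUS or EAP; RFC 5281 wraps it in Diameter-style AVPs inside the TLS tunnel. The following is an added example, not code from Elektron or its documentation, showing how those AVPs are encoded and parsed for two of the listed inner methods: PAP (User-Name and User-Password AVPs) and the EAP-based methods (an EAP-Message AVP carrying the inner EAP packet). The AVP codes and the Microsoft vendor id are the standard registry values; the usernames, passwords and challenge bytes are constructed sample data. The parser also enforces the M (mandatory) flag rule from RFC 5281 section 10.1: an unknown AVP with M set must cause a failure rather than be skipped.

```python
"""
Added example (not Elektron's code): encode and decode the Diameter-style
AVPs that EAP-TTLS carries inside the TLS tunnel for its inner
authentication (RFC 5281 section 10.1).  The TLS session itself is not
modelled; this shows only the payload that travels inside it.
"""
import struct

# AVP codes used by TTLS inner methods (standard RADIUS attribute numbers)
USER_NAME = 1          # PAP, CHAP, MS-CHAP(-V2)
USER_PASSWORD = 2      # PAP
CHAP_PASSWORD = 3      # CHAP
CHAP_CHALLENGE = 60    # CHAP
EAP_MESSAGE = 79       # EAP-MS-CHAP-V2, EAP-MD5-Challenge, EAP-TLS inner

# Vendor-specific AVPs used by MS-CHAP / MS-CHAP-V2 (Microsoft vendor id 311)
VENDOR_MICROSOFT = 311
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25

FLAG_VENDOR = 0x80     # V bit: a Vendor-ID field follows the length
FLAG_MANDATORY = 0x40  # M bit: receiver must fail if it does not understand the AVP

# (vendor_id, code) pairs a receiver understands for each inner method
PAP_AVPS = frozenset({(None, USER_NAME), (None, USER_PASSWORD)})
EAP_AVPS = frozenset({(None, EAP_MESSAGE)})


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Return one AVP: 8- or 12-byte header plus data, zero-padded to 4 octets."""
    flags = FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)               # AVP Length excludes the padding
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        length += 4
    header = struct.pack("!II", code, (flags << 24) | length)
    if vendor_id is not None:
        header += struct.pack("!I", vendor_id)
    padding = b"\x00" * ((4 - len(data) % 4) % 4)
    return header + data + padding


def decode_avps(buf, known=frozenset()):
    """Parse a sequence of AVPs into (vendor_id, code, data) tuples.
    Raises ValueError on truncation, on a bad length, or on an unknown AVP
    that carries the M flag, as RFC 5281 requires."""
    avps = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, offset)
        flags, length = flags_len >> 24, flags_len & 0x00FFFFFF
        hdr, vendor_id = 8, None
        if flags & FLAG_VENDOR:
            if len(buf) - offset < 12:
                raise ValueError("truncated vendor AVP header")
            vendor_id = struct.unpack_from("!I", buf, offset + 8)[0]
            hdr = 12
        if length < hdr or offset + length > len(buf):
            raise ValueError("bad AVP length")
        data = buf[offset + hdr:offset + length]
        if (flags & FLAG_MANDATORY) and (vendor_id, code) not in known:
            raise ValueError(f"unsupported mandatory AVP {code} (vendor {vendor_id})")
        avps.append((vendor_id, code, data))
        offset += length + ((4 - length % 4) % 4)   # advance to the next 4-octet boundary
    return avps


def build_pap_inner(username, password):
    """Inner PAP payload: User-Name followed by User-Password, the password
    NUL-padded to a multiple of 16 octets as RFC 5281 section 11.2.1 specifies."""
    pw = password.encode()
    pw += b"\x00" * ((16 - len(pw) % 16) % 16)
    return encode_avp(USER_NAME, username.encode()) + encode_avp(USER_PASSWORD, pw)


def parse_pap_inner(buf):
    """Recover (username, password) from a PAP inner payload."""
    fields = {code: data for _, code, data in decode_avps(buf, PAP_AVPS)}
    return fields[USER_NAME].decode(), fields[USER_PASSWORD].rstrip(b"\x00").decode()


def build_eap_inner(eap_packet):
    """Inner payload for the EAP-based methods: the EAP packet in an EAP-Message AVP."""
    return encode_avp(EAP_MESSAGE, eap_packet)


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts
    pap = build_pap_inner("alice", "s3cret")
    print(pap.hex())
    print(parse_pap_inner(pap))
    # Constructed EAP Response/Identity packet: code 2, id 1, length 10, type 1
    eap = build_eap_inner(b"\x02\x01\x00\x0a\x01alice")
    print(decode_avps(eap, EAP_AVPS))
```

Two points the example makes concrete. First, the PAP password is present in clear inside the tunnel, so the only thing protecting it is the TLS handshake the page describes: a client that accepts the server certificate without checking it gives up that protection. Second, the M-flag check matters for robustness: a server that silently skipped an unrecognised mandatory AVP, instead of failing, would be accepting an inner exchange it did not fully understand.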
