EAP-TLS Overview
Introduction
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) provides the highest security among 802.1X authentication methods, because it uses X.509 certificates to authenticate both the client (supplicant) and the server.
How It Works
Client                                   ISE
  │                                       │
  │──── EAPOL-Start ─────────────────────>│
  │                                       │
  │<──── EAP-Request/Identity ────────────│
  │                                       │
  │──── EAP-Response/Identity ───────────>│
  │      (username or cert CN)            │
  │                                       │
  │<──── EAP-Request/TLS Start ───────────│
  │                                       │
  │──── TLS Client Hello ────────────────>│
  │                                       │
  │<──── TLS Server Hello + Certificate ──│
  │      + Certificate Request            │
  │                                       │
  │──── TLS Client Certificate ──────────>│
  │      + Client Key Exchange            │
  │                                       │
  │<──── TLS Finished ────────────────────│
  │                                       │
  │──── EAP-Response/TLS Finished ───────>│
  │                                       │
  │<──── EAP-Success ─────────────────────│
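The TLS messages in the flow above do not travel as raw TLS records: each one is wrapped in an EAP packet of type 13 with a flags byte (RFC 5216), and large messages such as the certificate exchange are fragmented across several EAP round trips. The parser below, an added example that is not code from the original page, decodes that framing, validates lengths before trusting the payload, and reassembles fragments; the EAP-TLS Start request and the two-fragment "Client Hello" it decodes are constructed sample bytes, and FAKE_HELLO is a placeholder, not a real TLS record.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE_TLS = 13                                                      # EAP-TLS method type
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # RFC 5216 flags: Length included, More, Start
@dataclass
class EapTls:
    code: str
    identifier: int
    start: bool               # S flag: this is the "EAP-Request/TLS Start" step
    more: bool                # M flag: further fragments of this TLS message follow
    total_len: Optional[int]  # TLS Message Length, present only when the L flag is set
    tls_data: bytes

def parse_eap_tls(pkt: bytes) -> EapTls:
    """Parse one EAP packet and validate its framing before touching the TLS payload."""
    if len(pkt) < 4: raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES or length != len(pkt):
        raise ValueError(f"bad EAP header: code={code} length={length} actual={len(pkt)}")
    if code in (3, 4):  # Success/Failure carry only the 4-byte header
        return EapTls(EAP_CODES[code], ident, False, False, None, b"")
    if length < 6 or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS (type 13) packet")
    flags, body, total = pkt[5], pkt[6:], None
    if flags & FLAG_L:
        if len(body) < 4: raise ValueError("L flag set but TLS Message Length missing")
        total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return EapTls(EAP_CODES[code], ident, bool(flags & FLAG_S), bool(flags & FLAG_M), total, body)

def reassemble(packets) -> bytes:
    """Join a fragmented TLS message and check it matches the length the first fragment announced."""
    parts = [parse_eap_tls(p) for p in packets]
    if parts[0].total_len is None or parts[-1].more:
        raise ValueError("first fragment must set L, last fragment must clear M")
    data = b"".join(p.tls_data for p in parts)
    if len(data) != parts[0].total_len:
        raise ValueError(f"announced {parts[0].total_len} bytes, received {len(data)}")
    return data

def build_eap_tls(code: int, ident: int, flags: int, data: bytes, total: int = 0) -> bytes:
    # Encoder used only to construct the sample packets below (not a real supplicant)
    hdr = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", total) if flags & FLAG_L else b"")
    return struct.pack("!BBH", code, ident, 4 + len(hdr) + len(data)) + hdr + data

# Constructed sample exchange: the TLS Start request, then a Client Hello split in two fragments
TLS_START = build_eap_tls(1, 1, FLAG_S, b"")
FAKE_HELLO = b"\x16\x03\x01\x00\x05HELLO"  # placeholder bytes, not a real ClientHello record
FRAGMENTS = [build_eap_tls(2, 2, FLAG_L | FLAG_M, FAKE_HELLO[:6], len(FAKE_HELLO)), build_eap_tls(2, 3, 0, FAKE_HELLO[6:])]
```

A RADIUS server such as ISE performs the same length and flag checks on every fragment before handing the reassembled bytes to its TLS stack, which is why a supplicant that lies about the announced length is rejected rather than parsed.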
Advantages
- No passwords - eliminates the risk of credential theft
- Mutual authentication - both the client and the server are verified
- Seamless - no user interaction after certificate enrollment
- Phishing resistant - users cannot be tricked into revealing credentials