
EAP-TLS vs. EAP-TTLS/PAP

A recent study of penetration testing projects from Positive Technologies has revealed that cyber attackers can target up to 93 percent of a company’s assets within 48 hours of the attack. It also confirmed “credentials compromise” as one of the leading factors for successful breaches inside a network.

Since you are here, the chances are fair that you are concerned about your company’s network security and looking to explore more robust defenses, and even if you are not, we suggest it’s high time you do so.

While there are numerous protocols to choose from for your organization’s WPA2-Enterprise network security, Extensible Authentication Protocol (EAP) methods are the most common. Here we will compare the two most widely used EAP methods and help you decide on the better one for your organization.

What is Extensible Authentication Protocol (EAP)?

The EAP authentication method uses an encrypted EAP tunnel to give the client and server a protected path for communication. Inside this tunnel a chain of trust is established between the server certificate, any intermediate certificate, and the client: the client validates the server certificate up to a trusted Root CA and checks the CN (Common Name) of the server certificate against the server it expects.

There are several methods for authentication under the EAP protocol, but the most common methods used in modern wireless networking are:

  • EAP-TLS
  • PEAP-MSCHAPV2
  • EAP-TTLS/PAP

These protocols have varying levels of security, as illustrated in the table below:

WHAT’S THE DIFFERENCE BETWEEN EAP-TTLS AND EAP-TLS?

The primary difference between EAP-TTLS and EAP-TLS is that EAP-TLS requires both the client and the server to identify themselves with a certificate. In EAP-TLS, the authentication is performed by a TLS handshake that guarantees the client’s authenticity.

The TLS handshake is the negotiation between client and server that sets up a session and the keys used to encrypt the data exchange. During it, the peer and the server must agree on the TLS protocol version and cipher suite, and they verify each other’s digital certificates.

EAP-TLS process

EAP-TTLS/PAP establishes a secure connection to the client in two phases: a TLS handshake phase and a TLS tunnel phase. It requires only a server certificate; client authentication by certificate is optional according to the RFC standard.

During the TLS handshake phase, the TTLS server authenticates to the client using standard TLS procedures. In the tunnel phase, the client authenticates to the server using an arbitrary protocol inside the encrypted tunnel, which can be EAP, PAP, MS-CHAP, and so on.

EAP-TTLS process

Drawbacks of EAP-TTLS/PAP

EAP-TTLS/PAP uses Cleartext Credentials

EAP-TTLS/PAP is a credential-based authentication protocol that was initially designed to make the setup more accessible by requiring only the server to be authenticated, with client authentication being optional. Here, the credentials are delivered over the air in “clear text,” which means they are not encrypted and may be deciphered easily.

Compared to EAP-TLS, the cleartext format of PAP messages is a weakness because the credential itself is not protected by anything beyond the tunnel; an attacker who captures even a single cleartext message obtains a usable credential for the whole system. A Man-In-The-Middle (MITM) attack is the most common way to attack EAP-TTLS/PAP networks.

EAP-TTLS/PAP is vulnerable to MITM Attacks

In a MITM attack, the attacker usually sets up an Evil Twin Access Point and a RADIUS server, spoofing the desired SSID and broadcasting a strong signal to trick users’ devices into connecting to the hostile access point. Most devices are configured to connect to the strongest authorized WiFi signal and will automatically connect to the fake access point, and because a supplicant that does not validate the server certificate will send its password through the tunnel to whichever server answers, the attacker can harvest dozens of credentials from unsuspecting victims.

EAP-TTLS/PAP requires complex Device Configuration

The configuration process for EAP-TTLS/PAP can also be a difficult task for the average network user. Self-enrollment requires advanced IT knowledge, and settings are easily misconfigured even with a detailed configuration guide. Leaving configuration to end users is always a bad idea, because a single misconfigured device can cause a massive loss to the organization.
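The two drawbacks above are easiest to see in a supplicant profile. The following wpa_supplicant.conf fragment is an added example (not from the original article or from SecureW2): the first network block is the misconfigured EAP-TTLS/PAP profile that makes evil-twin credential harvesting work, the second is the hardened EAP-TLS profile. SSID, identity, password, and all file paths are constructed placeholders.

```conf
# Weak profile: EAP-TTLS/PAP with no CA pinning and no server-name check.
# The supplicant accepts any certificate from any RADIUS server, then sends
# the password through the tunnel to whoever owns that server.
network={
    # constructed SSID and credentials
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=PAP"
    # ca_cert and domain_match are missing: the server is never validated
}

# Hardened profile: EAP-TLS with mutual certificate authentication.
# The supplicant pins the private Root CA and requires the server
# certificate's name to match, so a rogue RADIUS server fails the TLS
# handshake before the client presents anything. No password exists to steal.
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    # assumed path to the organization's Root CA certificate
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    # full match against the dNSName SAN (or CN) of the RADIUS server certificate
    domain_match="radius.example.com"
    # assumed paths to the client certificate and private key issued by the PKI
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="changeme"
}
```

Adding `ca_cert` and `domain_match` to the TTLS block would close the evil-twin hole as well, but the password would still be a reusable credential handed to the server on every connection; the EAP-TLS profile removes it entirely.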

One of the other main protocols, PEAP-MSCHAPV2, also depends heavily on credentials and has known vulnerabilities. PEAP uses a modified TLS handshake and MSCHAPV2 to compare credentials. The weakness of MSCHAPV2’s challenge-response cryptography makes it easy for an attacker who captures the exchange to recover the user credentials, leaving them vulnerable.

Advantages of EAP-TLS

EAP-TLS authentication is a certificate-based authentication system that uses X.509 digital certificates instead of credentials, providing an extra degree of cryptographic security. It relies on asymmetric cryptography, which lets two parties exchange encrypted information over a public channel without fear of interception.

Unlike symmetric encryption, where a shared private key must be exchanged before two parties can communicate, asymmetric encryption gives each party its own public/private key pair. The strength of the encryption makes it infeasible to crack without the hidden private key, so even intercepted communication is safe from prying eyes.

The other main advantages of EAP-TLS that stand out from the other protocols are:

  • EAP-TLS is more suited for large organizations with many authentication events because its authentication flow is simpler than the alternatives. There are fewer chances for the RADIUS server to get overloaded and drop a connection, ultimately leading to a better user experience.
  • Having fewer authentication steps also means you will be able to authenticate the network faster, again leading to a better user experience.
  • One of the most significant benefits of EAP-TLS is that it can be extended to modern cloud infrastructures like Azure AD and Okta. Other auth protocols like TTLS/PAP were designed for on-premise environments and lack the support or rigor necessary for today’s cloud environment.
  • Since EAP-TLS primarily deals with certificates, the downsides of passwords, such as password reset policies, largely disappear. If you choose a proficient certificate authority, even certificate management can be fully automatic and hassle-free for your enterprise.

Which EAP method to use?

It is evident that passwords have been a primary attack vector for cyberattacks in recent years. Moving away from password-based authentication may be the most impactful decision toward enhanced security for any enterprise.

EAP-TLS protocol, with its certificate-based authentication, is a notch above the others with its superior cryptographic protection. You just need a capable PKI and a reliable RADIUS solution to ease the entire EAP-TLS onboarding process. Securew2, with its managed cloud PKI, has helped many organizations switch to digital certificates with EAP-TLS.

We also provide many innovative onboarding solutions for both managed and unmanaged devices for organizations of varying sizes. Our dedicated support team is always eager to assist you in this journey of going passwordless with the EAP-TLS protocol. Click here to see our pricing.

Key Takeaways:
  • EAP-TLS protocol, with its certificate-based authentication, is a notch above the others with its superior cryptographic protection.
  • Securew2, with its managed cloud PKI, has helped many organizations switch to digital certificates with EAP-TLS.

Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.
