Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS)

Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS) is an authentication protocol, commonly used in 802.1X-protected wireless networks, that provides a secure method for user authentication. It combines elements of EAP and TLS to create an encrypted tunnel for the authentication exchange, allowing a variety of inner authentication methods to be carried inside it.

EAP-TTLS establishes a secure TLS tunnel between the client and the authentication server. Unlike EAP-TLS, where both the client and server must present digital certificates, EAP-TTLS requires only the authentication server to have a digital certificate, making it more suitable for environments where client certificates are not practical or feasible.

The authentication process involves the following steps:

  1. Tunnel Establishment: The client and the authentication server initiate the EAP-TTLS handshake, which carries a TLS handshake and results in a secure TLS tunnel between them.
  2. Phase 1 - Anonymous Authentication: In the first phase of the EAP-TTLS process, the client identifies itself to the authentication server with an anonymous outer identity rather than its real credentials; only the server authenticates itself, by presenting its digital certificate, which the client should validate. This initial exchange sets up the secure tunnel for the subsequent authentication.
  3. Phase 2 - Inner Authentication: Within the secure tunnel, the client and server perform the inner authentication using a separate EAP method, such as EAP-MD5, EAP-MSCHAPv2, or any other EAP method the server supports. Because the inner exchange is encrypted by the tunnel, the user's credentials are protected from observers on the network.
  4. Success/Failure: If the inner authentication succeeds, the authentication server sends an EAP Success message to the client; otherwise it sends an EAP Failure message.
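As an added example (not from the original article), the following wpa_supplicant.conf network blocks contrast a weak EAP-TTLS client configuration with a hardened one; the SSID, identities, password and certificate path are assumed. Because only the server presents a certificate, the client's validation of that certificate is what ties the tunnel to the legitimate authentication server before any Phase 2 credentials are sent.

```conf
# Added example, not taken from the original article. SSID, identities,
# password and the CA file path are assumed placeholders.

# Weak configuration: no CA is pinned and no server name is checked, so the
# client will build the TLS tunnel to whichever server answers and then send
# the inner EAP-MSCHAPv2 exchange through it. The real username is also
# exposed as the cleartext outer (Phase 1) identity.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
    password="placeholder-password"
    phase2="autheap=MSCHAPV2"
}

# Hardened configuration: an anonymous outer identity for Phase 1, and the
# server certificate is checked against a pinned CA and an expected name
# before Phase 2 inner authentication starts.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer identity sent in the clear during tunnel establishment
    anonymous_identity="anonymous@example.org"
    # Real identity and password are sent only inside the TLS tunnel
    identity="alice@example.org"
    password="placeholder-password"
    # Trust only the organisation's RADIUS CA, not the system CA store
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Server certificate must carry a matching domain suffix
    domain_suffix_match="radius.example.org"
    # Inner method: EAP-MSCHAPv2 tunneled inside EAP-TTLS
    phase2="autheap=MSCHAPV2"
}
```

A client that accepts any server certificate gains nothing from the tunnel, since the inner credentials are then delivered to whoever terminated the TLS session.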

EAP-TTLS is particularly useful where a secure tunnel is needed to protect user credentials but deploying client certificates is not practical. It offers stronger protection than EAP methods such as EAP-MD5, which carry their challenge/response exchange without encryption and therefore do not protect the entire authentication process.