Reputation: 8948
I understand that EAP-TLS is a transport layer security function. But even after searching in Google some lack of clarity remains.
Is EAP-TLS a special implementation of the general EAP protocol definition? Or is EAP-TLS another layer above EAP, as in a protocol stack?
What does EAP do? Is it just a message framing protocol for EAP-TLS?
Upvotes: 1
Views: 486
Reputation: 67019
TLS is most often used for two reasons. The client wants to ensure that it is communicating with the correct server, and that the communication between these two nodes is a secret. In vanilla (non-EAP) SSL/TLS you can still authenticate the client using a private key. However, in practice it is difficult for a user to keep track of a private key (usually a client is issued a smart card). Authenticating with a private key alone may not be appropriate for the situation.
However, let's say a corporation wants to authenticate its employees for access to its VPN or wireless network. Fundamentally this entity wants to control who has access to this transport layer (OSI layer 4). A common use of TLS-EAP is that it allows an entity to use a RADIUS authentication server with an LDAP backend to authenticate its employees with a username and password. For added security the corporation could employ multi-factor authentication, where an iris scan, a smart card with a private key and a password are required. EAP is the "Extensible Authentication Protocol" and you can choose what authentication system to use. It's not always stronger; there could be a vulnerability in the RADIUS server that allows the client to authenticate.
Hell, if you write the code for it, you could use EAP-TLS to create some authentication system for your network involving a flare gun, smoke signals and a special handshake. From EAP-TLS's perspective the means of authentication is totally arbitrary.
Upvotes: 1
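The stacking the question asks about is visible in the wire format: EAP (RFC 3748) is the carrier with a Code/Identifier/Length/Type header, and EAP-TLS is method Type 13 (RFC 5216) whose Type-Data is a flags byte, an optional total TLS length, and a fragment of the TLS handshake bytes that EAP itself never interprets. The parser and builder below are an added example written for this page, not code from the question or answer; the sample packets are constructed, and the TLS fragment is a placeholder record header rather than a valid ClientHello.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 3748 EAP carrier: Code(1) Identifier(1) Length(2) Type(1) Type-Data(...)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                          # RFC 5216 method type for EAP-TLS
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included / More fragments / Start

@dataclass
class EapTls:
    code: str
    identifier: int
    flags: int
    tls_message_length: Optional[int]   # total TLS message size, present only if L set
    tls_data: bytes                     # this fragment of the TLS handshake bytes

def parse_eap_tls(packet: bytes) -> EapTls:
    """Strip the EAP carrier and return the EAP-TLS method payload it frames."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match {len(packet)} bytes")
    if code not in (1, 2):
        raise ValueError("Success/Failure packets carry no method data")
    if len(packet) < 6 or packet[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS (Type 13) packet")
    flags, body, tls_len = packet[5], packet[6:], None
    if flags & FLAG_L:                  # L: 4-byte TLS Message Length precedes the data
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        (tls_len,) = struct.unpack("!I", body[:4])
        body = body[4:]
    return EapTls(EAP_CODES[code], identifier, flags, tls_len, body)

def build_eap_tls(code: int, identifier: int, flags: int, tls_data: bytes = b"",
                  tls_message_length: Optional[int] = None) -> bytes:
    """Frame one TLS fragment inside EAP; the TLS bytes are opaque to the EAP layer."""
    method = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        method += struct.pack("!I", tls_message_length or len(tls_data))
    method += tls_data
    return struct.pack("!BBH", code, identifier, 4 + len(method)) + method

# Constructed sample exchange (not a real capture): the authenticator sends an
# EAP-TLS Start, the peer answers with the first fragment of a 512-byte TLS message.
START = build_eap_tls(1, 1, FLAG_S)                 # bytes: 01 01 00 06 0d 20
FRAGMENT = b"\x16\x03\x03\x00\x04\x01\x00\x00\x00"  # placeholder Handshake record header
RESPONSE = build_eap_tls(2, 1, FLAG_L | FLAG_M, FRAGMENT, tls_message_length=512)
```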