Questions about EAP-TLS

mramadany mramadany1 at
Thu Oct 8 18:52:29 CEST 2020

Hello everyone, I've recently set up EAP-TLS on my home access point using FreeRADIUS. It works perfectly fine and everything went smoothly. However, I have some questions regarding the protocol and I hope someone on this list will clear things up for me:

1- Before the supplicant sends any certificates to the server, it usually verifies the server's identity.

After it does, how can it ensure that it's still talking to the correct server for further communication? Does it establish a tunnel after verifying the server's identity?

2- If the above case is correct and it does establish a tunnel, what if the supplicant doesn't verify the server's identity? Does it establish a tunnel using whatever certificate the server presents? Does it not establish a tunnel at all and simply send further messages in plaintext?

In Android for example, if you choose to not verify the server's identity, it warns: "No certificate specified. Your connection will not be private". What does it mean here? Does it mean that it's potentially not private because an attacker might impersonate the server because it'll accept whatever cert the server provides? If that's the case, then why does authentication with this method generate way fewer lines in `radiusd -X`?

RFC 5216 Section 2.1.4 says that privacy (protecting client certificate information and stuff like that) is optional, yet Section 5.5 says that there's integrity protection in the protocol. How does that work if the privacy mode is optional? Does the supplicant sign the information somehow without encrypting it?

3- Since the privacy mode is optional, does FreeRADIUS enable it by default? If not, how do I enable it?

4- After the client has been authorized, what happens exactly? How is the shared symmetric key derived? How is it passed along to the Access Point/Client so that it can receive/send data from/to the supplicant (since the RADIUS server's part ends after doing the authentication)?

(Resending because my last e-mail doesn't seem to be posted)
