Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS 3.1 and later.
No, EAP-TLS termination does not require an inner EAP type.
Unlike EAP-PEAP, which needs an inner EAP type to authenticate the client inside the TLS tunnel, EAP-TLS requires a client certificate and achieves mutual authentication with the server certificate and the client certificate alone.
However, once the client certificate has been verified and the TLS phase is complete, the Common Name (CN) from the client certificate is passed to the control path for a user query. This is a lookup, not an authentication request: a backend server that holds a user record matching the CN is required so that the controller can query it. If the query succeeds, the controller sends EAP-Success followed by the keys; if no matching record is found, EAP-Success is not sent and the client is rejected even though its certificate validated.
In summary, to enable EAP-TLS termination:
- No inner EAP type is required.
- A backend server that holds a record matching the certificate CN is required. The controller only verifies that this user exists; it does not authenticate the user against the backend server, so the certificate remains the only proof of identity.
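The following configuration is an added example of the two points above and is not part of the original article; it is not Aruba's own reference configuration. It ties an EAP-TLS termination profile to an LDAP server group that the controller queries for the CN. The server name, IP address, base DN, bind account, certificate names and profile names are assumptions chosen for illustration; replace them with your own.

```text
! Backend server holding the user records the controller queries by CN.
! 10.0.0.5, the base DN and the bind DN are placeholders (assumed values).
aaa authentication-server ldap "corp-ldap"
   host 10.0.0.5
   base-dn "dc=example,dc=com"
   admin-dn "cn=svc-aruba,ou=service,dc=example,dc=com"
   admin-passwd <bind-password>
   key-attribute sAMAccountName
   filter "(objectclass=*)"
   allow-cleartext
!
aaa server-group "ldap-sg"
   auth-server "corp-ldap"
!
! EAP-TLS termination: no inner EAP type is configured. "corp-ca" and
! "controller-cert" are assumed names of certificates already installed
! on the controller (the CA that issued the client certs, and the
! controller's own server certificate).
aaa authentication dot1x "eap-tls-term"
   termination enable
   termination eap-type eap-tls
   ca-cert "corp-ca"
   server-cert "controller-cert"
!
! The AAA profile points the 802.1X authentication at the LDAP group, so
! the CN lookup after the TLS handshake is answered by corp-ldap.
aaa profile "eap-tls-prof"
   authentication-dot1x "eap-tls-term"
   dot1x-server-group "ldap-sg"
```

Two practical consequences of the lookup-only behaviour: the value in the certificate CN must match what the server returns for the configured key-attribute (here sAMAccountName), and because the backend is never asked to authenticate the user, disabling or removing the user's record is what stops a still-valid certificate from being accepted; changing the user's password has no effect on EAP-TLS termination.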