04-02-2019 01:09 PM
I'm really struggling to understand all possible wireless authentication methods. What I'm trying to achieve is wireless network access to iPhones and Android client devices that present a certificate to the server and have the user trust the server certificate it sends to the client. No usernames and passwords involved. The only method I'm aware of that will do this is EAP-TLS.
I'm seeing conflicting info that EAP-TLS is only supported on laptops and desktops even though I see an option for it in my iPhone. My two questions are these:
1. What is the expected behaviour with a connection if either the client or server certificate is rejected over EAP-TLS? Does communication end? That would be ideal.
2. What are all my wireless authentication methods? I know of PEAP (too weak), EAP-TLS, Captive Portal with usn/psw credentials, Radius with LDAP/AD. Am I missing any?
04-03-2019 02:20 AM
If an EAP-TLS authentication doesn't make it to the end (if it is either rejected or aborted), the encryption keys are not exchanged and the connection will never be established.
Basic wireless authentication is open, WPA3-OWE, WEP, WPA-PSK, WPA2-PSK, WPA3-SAE, WPA-Enterprise, WPA2-Enterprise, WPA3-Enterprise. All can be with or without a captive portal. And I may have even missed some. WPA3 is not widely supported yet on the client side.
Then there is Enterprise authentication, which is based on EAP. EAP has many variants, of which only EAP-PEAP-MSCHAPv2 and EAP-TLS are widely supported. For pure LDAP authentication, you will need EAP-GTC, but that is not widely supported. EAP-SIM/EAP-AKA is sometimes used in Service Provider networks. I think this Wikipedia page has a pretty good overview.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
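As an added illustration of the EAP-TLS setup described in the answer above (this is not part of the original post, and the SSID, server name, file paths and passphrase are placeholders), here is a wpa_supplicant network block for WPA2-Enterprise with EAP-TLS. It shows the two points the question asks about: the client authenticates with a certificate and private key rather than a password, and the server's certificate is validated against a configured CA and expected name.

```conf
# Added example (not from the post): wpa_supplicant network block for
# WPA2-Enterprise using EAP-TLS. All names and paths are placeholders.
network={
    ssid="CorpWiFi"                 # placeholder SSID
    key_mgmt=WPA-EAP
    eap=TLS
    # Outer identity only; it is not a secret and no password is configured.
    identity="device01@example.com"
    # Trust anchor used to validate the RADIUS server's certificate.
    # Without ca_cert the supplicant accepts any server certificate.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # Pin the expected server name so a different certificate issued by the
    # same CA is still rejected.
    domain_match="radius.example.com"
    # Client certificate and private key presented to the server.
    client_cert="/etc/wpa_supplicant/device01.pem"
    private_key="/etc/wpa_supplicant/device01.key"
    # Passphrase protecting the key file (omit if the key is unencrypted).
    private_key_passwd="KEY_FILE_PASSPHRASE_PLACEHOLDER"
}
```

If either side rejects the other's certificate, the TLS handshake inside EAP ends with an alert and EAP reports failure; no master key is derived, so the WPA 4-way handshake never starts and no data frames are exchanged, which is the "communication ends" behaviour asked about in question 1. The `ca_cert` and `domain_match` lines are the part that matters on the client side: with them missing, the phone or laptop will happily complete EAP-TLS against any server holding a certificate it can present.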
Re: Understanding Wireless Auth Methods Like EAP-TLS
04-03-2019 07:20 AM
Thanks! What we're trying to go to is a wireless solution that doesn't rely on username/password and instead wants things like certificates (EAP-TLS), AD username, or captive portal for guests. I'll look into them.