EAP-TLS.

An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC. It belongs to the Network Security category of cybersecurity.

An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.

EAP-TLS, defined in RFC 5216, is the EAP method used by 802.1X-authenticated networks (enterprise Wi-Fi, wired NAC) to mutually authenticate a supplicant (client) and an authentication server (typically RADIUS) using X.509 certificates. The handshake is essentially a TLS handshake tunnelled inside EAP frames between the supplicant and the RADIUS server (with the access point or switch acting as transparent authenticator), with both parties presenting client and server certificates. Because there is no password to phish, lose, or reuse, EAP-TLS is widely considered the gold standard for enterprise network access — it eliminates entire classes of attacks (Evil Twin / Karma password-stealing rogue APs, MS-CHAP downgrade, RADIUS shared-secret abuse) and provides phishing-resistant authentication at the L2/L3 boundary. Operational cost is higher than EAP-PEAP-MSCHAPv2 because it requires PKI: issuing, distributing, renewing, and revoking client certificates for users and devices, typically via Intune SCEP/NDES, Jamf, AD CS, or a SaaS PKI. EAP-TLS is required by many zero-trust network-access designs and recommended by NCSC, CISA, and SANS for wireless authentication.

Defences for EAP-TLS typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: RFC 5216, 802.1X EAP-TLS.