EAP-TLS.

An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC. Cette notion relève de la catégorie Sécurité réseau en cybersécurité.

An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.

EAP-TLS, defined in RFC 5216, is the EAP method used by 802.1X-authenticated networks (enterprise Wi-Fi, wired NAC) to mutually authenticate a supplicant (client) and an authentication server (typically RADIUS) using X.509 certificates. The handshake is essentially a TLS handshake tunnelled inside EAP frames between the supplicant and the RADIUS server (with the access point or switch acting as transparent authenticator), with both parties presenting client and server certificates. Because there is no password to phish, lose, or reuse, EAP-TLS is widely considered the gold standard for enterprise network access — it eliminates entire classes of attacks (Evil Twin / Karma password-stealing rogue APs, MS-CHAP downgrade, RADIUS shared-secret abuse) and provides phishing-resistant authentication at the L2/L3 boundary. Operational cost is higher than EAP-PEAP-MSCHAPv2 because it requires PKI: issuing, distributing, renewing, and revoking client certificates for users and devices, typically via Intune SCEP/NDES, Jamf, AD CS, or a SaaS PKI. EAP-TLS is required by many zero-trust network-access designs and recommended by NCSC, CISA, and SANS for wireless authentication.

Les défenses contre EAP-TLS combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : RFC 5216, 802.1X EAP-TLS.