EAP-TLS
What is EAP-TLS?
EAP-TLS: An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.
EAP-TLS, defined in RFC 5216, is the EAP method used by 802.1X-authenticated networks (enterprise Wi-Fi, wired NAC) to mutually authenticate a supplicant (client) and an authentication server (typically RADIUS) using X.509 certificates. The handshake is essentially a TLS handshake tunnelled inside EAP frames between the supplicant and the RADIUS server (with the access point or switch acting as transparent authenticator), with both parties presenting client and server certificates. Because there is no password to phish, lose, or reuse, EAP-TLS is widely considered the gold standard for enterprise network access — it eliminates entire classes of attacks (Evil Twin / Karma password-stealing rogue APs, MS-CHAP downgrade, RADIUS shared-secret abuse) and provides phishing-resistant authentication at the L2/L3 boundary. Operational cost is higher than EAP-PEAP-MSCHAPv2 because it requires PKI: issuing, distributing, renewing, and revoking client certificates for users and devices, typically via Intune SCEP/NDES, Jamf, AD CS, or a SaaS PKI. EAP-TLS is required by many zero-trust network-access designs and recommended by NCSC, CISA, and SANS for wireless authentication.
● Examples
- 01
An enterprise issues per-device client certificates via Intune SCEP and configures Wi-Fi profiles to authenticate with EAP-TLS to a RADIUS cluster — no passwords leave the device.
- 02
A pen-test of a corporate wireless network finds it uses EAP-TLS only, so the rogue-AP credential-capture phase of the engagement is effectively a no-op.
● Frequently asked questions
What is EAP-TLS?
An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC. It belongs to the network security category of cybersecurity.
What does EAP-TLS mean?
An EAP authentication method (RFC 5216) that mutually authenticates an 802.1X supplicant and a RADIUS server with X.509 certificates over a TLS handshake — the gold standard for enterprise Wi-Fi and wired NAC.
How does EAP-TLS work?
EAP-TLS, defined in RFC 5216, is the EAP method used by 802.1X-authenticated networks (enterprise Wi-Fi, wired NAC) to mutually authenticate a supplicant (client) and an authentication server (typically RADIUS) using X.509 certificates. The handshake is essentially a TLS handshake tunnelled inside EAP frames between the supplicant and the RADIUS server (with the access point or switch acting as transparent authenticator), with both parties presenting client and server certificates. Because there is no password to phish, lose, or reuse, EAP-TLS is widely considered the gold standard for enterprise network access — it eliminates entire classes of attacks (Evil Twin / Karma password-stealing rogue APs, MS-CHAP downgrade, RADIUS shared-secret abuse) and provides phishing-resistant authentication at the L2/L3 boundary. Operational cost is higher than EAP-PEAP-MSCHAPv2 because it requires PKI: issuing, distributing, renewing, and revoking client certificates for users and devices, typically via Intune SCEP/NDES, Jamf, AD CS, or a SaaS PKI. EAP-TLS is required by many zero-trust network-access designs and recommended by NCSC, CISA, and SANS for wireless authentication.
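As an added example (not part of the original page), here is the supplicant side of the handshake described in the definition above and in this answer: two wpa_supplicant network blocks, one that omits server-certificate validation and one hardened to pin the RADIUS CA and server name. The SSID, identity, certificate paths and server name are assumed placeholders.

```conf
# Added example, not from the original page. Two wpa_supplicant.conf network
# blocks for an EAP-TLS network. SSID, identity, paths and the RADIUS server's
# name are assumed placeholders.

# Weak: the supplicant presents its own certificate but never validates the
# server's. With no ca_cert configured, wpa_supplicant does not verify the
# server certificate, so mutual authentication is only one-sided in practice.
network={
    ssid="corp-wifi"                   # assumed SSID
    key_mgmt=WPA-EAP
    eap=TLS
    identity="device01@corp.example"   # assumed identity
    client_cert="/etc/certs/device01.crt"
    private_key="/etc/certs/device01.key"
    # no ca_cert / domain_match: server certificate is not validated
}

# Hardened: trust only the corporate RADIUS CA and require the server
# certificate's name to match, so the supplicant only completes EAP-TLS
# with the legitimate RADIUS cluster.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    ieee80211w=2                       # require 802.11w management frame protection
    eap=TLS
    identity="device01@corp.example"
    ca_cert="/etc/certs/corp-radius-ca.pem"    # issuing CA for the RADIUS servers
    domain_match="radius.corp.example"         # exact match on the server cert name
    client_cert="/etc/certs/device01.crt"
    private_key="/etc/certs/device01.key"
    private_key_passwd="<passphrase-from-secure-store>"   # placeholder
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"  # legacy TLS off
}
```

The second block is the shape that Intune, Jamf or similar MDM Wi-Fi profiles push to managed devices; the certificate lifecycle (issue, renew, revoke) still has to be handled by the PKI the text describes.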
How do you defend against EAP-TLS?
Defense against EAP-TLS usually combines technical controls and operational practices, as noted in the definition above.
What are other names for EAP-TLS?
Common aliases: RFC 5216, 802.1X EAP-TLS.
● Related terms
- network-security№ 572
IEEE 802.1X
A port-based network access control standard that authenticates a device or user before allowing traffic on a wired or wireless port.
- network-security№ 1000
RADIUS
A widely used AAA protocol by which network equipment authenticates, authorizes and accounts for user or device access.
- network-security№ 1279
TLS (Transport Layer Security)
A cryptographic protocol standardized by the IETF that provides confidentiality, integrity and authentication for communication between two applications over a network.
- network-security№ 1280
TLS handshake
The initial protocol exchange of Transport Layer Security, which authenticates the server (and the client where required) and derives the symmetric keys that encrypt the rest of the session.
- attacks№ 439
Evil twin attack
A Wi-Fi attack in which a rogue access point imitating a legitimate SSID is set up so that victims connect to it and their traffic or credentials are stolen.
- network-security№ 1380
WPA2
The second generation of Wi-Fi Protected Access, which adopts AES-CCMP and IEEE 802.11i and has been the de facto standard for Wi-Fi security since 2004.