Hi Kevin,

It's true that TTLS does not require a cert on the client.
I guess the theory is that the server authenticates itself to the client by virtue of the fact that it has a valid server certificate, and then the client authenticates itself to the server by virtue of the fact that it has the correct user's password. All the authentication traffic between client and server (including over-the-air) is encrypted inside TLS (which is basically the same as SSH).

Cheers.

On Thu, 5 Dec 2002 13:37, Kevin Arima wrote:
> On Thu, 5 Dec 2002, Mike McCauley wrote:
> > Many low-end wireless APs still only provide MAC address authentication
> > (either internally or to a Radius AAA server), but there are more and
> > more APs coming that support 802.1x EAP authentication to a Radius
> > server. And there is now a wide range of wireless clients for different
> > platforms that support one or more 802.1x EAP authentication protocols.
> > Probably EAP-TTLS-* and EAP-PEAP are set to become the most popular.
> > EAP-TLS has been available longer (on Windows and Linux), but it requires
> > a PKI certificate to be installed on each wireless client, which is
> > tedious. TTLS and PEAP only require a single certificate for the Radius
> > server.
>
> I remember there being a problem with TTLS security because of lack
> of certificate on the client machine.
>
> Kevin "Starfox" Arima

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
NYCwireless - http://www.nycwireless.net/
Un/Subscribe: http://lists.nycwireless.net/mailman/listinfo/nycwireless/
Archives: http://lists.nycwireless.net/pipermail/nycwireless/
