I am working with RADIUS authentication using EAP-TLS. I used a self-signed CA and server/client certificates to establish mutual authentication.
That being said, is it absolutely necessary to have both server and client certificates to establish TLS? If so, then how does a browser authenticate with only a server certificate?
Also, EAP-PEAP (MSCHAPv2) uses only a server certificate to establish the secure tunnel.
What are the handshake messages between server and client by which the encryption key is derived?
Thanks,
With EAP-TLS, the client identity is transmitted to the server by a client cert so it can authorize the certificate-authenticated user.
Normally with EAP-PEAP, the client validates the server identity via TLS, just like browsing to a secure site in your browser.
The server then validates the client identity using an inner user/password authentication protocol (MSCHAPv2, etc.), just like entering your username and password to log in to the secure site you browsed to.
When doing PEAP + inner authentication, client certificate validation is not necessary and normally not done.
EAP-PEAP derives network session encryption keys from the TLS session's master secret just like EAP-TLS. The keys derived as a result of inner MSCHAPv2 authentication are not used for session encryption.
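The key derivation the answer describes, as an added example that is not part of the original thread: once the TLS handshake has produced a master secret, EAP-TLS (RFC 5216 section 2.3) runs the negotiated TLS PRF over it with the label "client EAP encryption" and the two handshake randoms, and splits the output into the MSK (which the RADIUS server hands to the access point) and the EMSK. The sample master secret and randoms below are constructed, and the PRF is the TLS 1.2 P_SHA256 construction (assumed cipher suite); the inner MSCHAPv2 exchange contributes nothing to these bytes.

```python
import hmac
import hashlib

HASH = "sha256"  # assumption: TLS 1.2 with a SHA-256 PRF cipher suite


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_<hash> expansion (RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, HASH).digest()
        out += hmac.new(secret, a + seed, HASH).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216 section 2.3: 128 bytes of key material from the TLS master
    secret; MSK is the first 64 bytes, EMSK the next 64."""
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:128]


def mppe_keys(msk: bytes):
    """RFC 5216: MSK(0..31) is the peer-to-authenticator (Enc-RECV) key and
    MSK(32..63) the authenticator-to-peer (Enc-SEND) key; RADIUS carries them
    as MS-MPPE-Recv-Key and MS-MPPE-Send-Key."""
    return msk[:32], msk[32:64]


# Constructed sample handshake values (NOT real traffic).
SAMPLE_MASTER_SECRET = hashlib.sha256(b"constructed master secret").digest() + b"\x00" * 16  # 48 bytes
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    msk, emsk = eap_tls_keys(SAMPLE_MASTER_SECRET, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    recv, send = mppe_keys(msk)
    print("MSK :", msk.hex())
    print("EMSK:", emsk.hex())
    print("MS-MPPE-Recv-Key:", recv.hex())
```

Neither the client certificate nor the inner password enters this derivation; the randoms and the master secret come from the TLS handshake itself, which is why PEAP and EAP-TLS key the session the same way.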