EAP Method Feature Comparison

The following is a comparison of the most common EAP methods deployed in the eduroam-US ecosystem.

EAP-Type	Native Supplicant Support	Pros	Cons
EAP-TLS	Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)	Validates client as well as infrastructure Reduced risk of being Phished Blocking user access is via certificate revocation	PKI infrastructure is required Users must configure supplicant to use certificate^* Identity may be exposed in TLS exchange depending on contents of certificate
EAP-TTLS	Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)		No native supplicant support on Microsoft Windows XP or 7 Potential for Man-in-the-Middle attacks^*
EAP-PEAP	Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)	Works on many platforms	Potential for Man-in-the-Middle attacks^* Identity may be exposed during Phase-1 of exchange

This may be mitigated using configuration tools such as the iPhone Configuration Utility for iOS devices (iPhone, iPod Touch, iPad), Active Directory for Windows devices (XP, Vista), etc.
Man-in-the-Middle attacks may be perpetrated against any SSL/TLS protected service in which the used server certificates are not validated. This validation comes from the signing Certificate Authority's (CA) certificate being in the root-store of a given device. For common CAs the certificate is often bundled with the operating system. If an institution opts to use either a CA which is not shipped with common OSs or their own CA which is not an intermediate CA for a well-known CA, then they must take the responsibility of distributing their CA certificate, and installing it correctly on end-user devices. The same configuration tools discussed to mitigate the complexity of configuring TLS certificates for end-user devices may sometimes be used to install necessary CA certs for those devices, even while using EAP methods other than EAP-TLS (or PEAP-TLS).

Table of Contents