EAP Method Feature Comparison

The following is a comparison of the most common EAP methods deployed in the eduroam-US ecosystem.

Each method is listed with its native supplicant support, its pros and its cons. Items marked * and ** are explained in the notes below the table.

EAP-TLS
  Native supplicant support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
  Pros:
  • Mutual authentication: validates the client as well as the infrastructure
  • Reduced risk of credentials being phished, since no password is ever sent
  • Blocking a user's access is done via certificate revocation
  Cons:
  • A PKI is required to issue and revoke client certificates
  • Users must configure their supplicant to use the certificate*
  • Identity may be exposed in the TLS exchange, depending on the contents of the certificate (with TLS 1.2 and earlier the client certificate, including its subject name, is sent in the clear)

EAP-TTLS
  Native supplicant support: Windows (8, 10), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
  Cons:
  • No native supplicant support on Microsoft Windows XP or 7
  • Potential for Man-in-the-Middle attacks**

EAP-PEAP
  Native supplicant support: Windows (XP, Vista, 7), Mac OS X, Linux, iOS (iPhone, iPod Touch, iPad), Android (v1.6+)
  Pros:
  • Works on many platforms
  Cons:
  • Potential for Man-in-the-Middle attacks**
  • Identity may be exposed during Phase-1 of the exchange: the outer EAP-Response/Identity is sent before the TLS tunnel exists, so unless the supplicant is configured with an anonymous outer identity (only the realm is needed for eduroam to route the request), the real username is visible to anyone on the air

* The burden of configuring certificates on end-user devices may be mitigated using configuration tools such as the iPhone Configuration Utility for iOS devices (iPhone, iPod Touch, iPad), Active Directory group policy for Windows devices (XP, Vista), etc.

** Man-in-the-Middle attacks may be perpetrated against any SSL/TLS protected service in which the server certificate is not validated. Validation has two parts: the certificate must chain to a Certificate Authority (CA) certificate in the trust store of the device, and the certificate's subject or subjectAltName must match the name of the institution's RADIUS server. For common CAs the CA certificate is bundled with the operating system, but in that case the server-name check is essential: anyone can obtain a certificate from a public CA, so a supplicant that trusts the CA without pinning the server name will accept a rogue access point's RADIUS server, which can then terminate the TLS tunnel and capture the Phase-2 credentials (the MSCHAPv2 handshake, which can be cracked offline, or the cleartext PAP password). If an institution opts to use either a CA which is not shipped with common OSs or its own CA which is not an intermediate of a well-known CA, then it must take responsibility for distributing its CA certificate and installing it correctly on end-user devices; users should never be left to click through an "accept this certificate" prompt, since that is exactly the behaviour a rogue AP relies on. The same configuration tools discussed above for mitigating the complexity of configuring client certificates may often be used to install the necessary CA certificates and server-name settings on those devices, even while using EAP methods other than EAP-TLS (or PEAP-TLS).
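As an added example (not part of the original page), the following wpa_supplicant network blocks show what the notes above amount to in a Linux supplicant configuration: the weak PEAP setting that makes the Man-in-the-Middle attack possible, beside hardened PEAP, EAP-TTLS and EAP-TLS blocks that pin the CA and the server name and hide the Phase-1 identity. The realm example.edu, the user alice, the server name radius.example.edu and all file paths are assumptions chosen for illustration; the option names (ca_cert, domain_match, anonymous_identity, client_cert, private_key) are standard wpa_supplicant options.

```conf
# Added example: wpa_supplicant.conf network blocks for an eduroam realm.
# Assumed names: realm example.edu, RADIUS server radius.example.edu,
# institution CA at /etc/ssl/certs/example-edu-radius-ca.pem.

# WEAK (do not deploy): no ca_cert and no domain_match. wpa_supplicant
# accepts ANY server certificate, so a rogue AP running its own RADIUS
# server terminates the TLS tunnel and captures the inner MSCHAPv2
# exchange, which can be cracked offline. The real username is also sent
# in the clear as the outer identity.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.edu"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# HARDENED PEAP/MSCHAPv2: trust only the institution's CA AND require the
# server certificate to carry the expected name. ca_cert alone is not
# enough if the CA is a public one (anyone can buy a certificate from it);
# domain_match ties the tunnel to radius.example.edu. anonymous_identity
# is what goes in the unencrypted Phase-1 EAP-Response/Identity; the realm
# part is all eduroam needs to route the request to the home institution.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}

# HARDENED EAP-TTLS/PAP: same outer checks. PAP sends the cleartext
# password inside the tunnel, so server validation is the ONLY thing
# standing between the password and a rogue server.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    password="correct horse battery staple"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
    phase2="auth=PAP"
}

# HARDENED EAP-TLS: the client certificate replaces the password, so there
# is nothing to phish, but the server-side checks are still required:
# without them a rogue server still completes a TLS handshake with the
# client and learns whatever the client certificate's subject reveals.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="anonymous@example.edu"
    identity="alice@example.edu"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="key-file-passphrase"
    ca_cert="/etc/ssl/certs/example-edu-radius-ca.pem"
    domain_match="radius.example.edu"
}
```

The three hardened blocks share the same two outer checks, which is the point: the EAP method changes what travels inside the tunnel, but the protection against a rogue access point comes from the supplicant refusing any tunnel whose far end does not present a certificate issued by the expected CA for the expected server name.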