How does the supplicant connect to the auth server in EAP TTLS?

I understand that a TLS connection has to be established between the supplicant (end user device) and the auth server, but a few things are unclear:

  1. How does the supplicant know the IP address of the auth server?
  2. The supplicant is not granted access yet it has to communicate with TLS. Does that mean it is granted a temporary local IP address and only requests to the auth server are forwarded via usual NAT by the access point?
  3. How does the supplicant authenticate the server? If I were connecting to a website, I would check the common name (and that the chain is correct up to a root CA certificate I have), but what would the supplicant check for in the common name (subject)?

Wi-Fi – How do I connect to the 802.1x EAP Wi-Fi network from an Android 10 device?

My Wi-Fi uses 802.1x EAP with TLS. It works well with the old Android devices, but an Android 10 device pretends that it is trying to connect, and a few seconds later it marks the connection as disabled. In the RADIUS logs absolutely nothing about failed connection attempts is noted.

The configuration is pretty much the same between this device and the older devices, with two differences:

  • The "Security" field is only available if I manually add the network. In this case there is no "802.1x EAP" but only "WEP", "WPA / WPA2-Personal" and "WPA / WPA2 / WPA3-Enterprise". I suppose I have to select the last one.

  • A "Domain" field is added between CA certificate and user certificate. I've tried to keep it empty or enter the domain name of the company. The result is the same.

What can I do to understand why the device is not trying to communicate with the RADIUS server before the connection is marked as disabled?

JBoss EAP 7.2 installer for RHEL 7

We are currently trying to set up JBoss EAP 7.2 on RHEL 7 but have some questions about the installer we should use.

The scenario is that we are currently setting up the production environment to be used as the user test environment, which has passed successfully and is being advertised as a production environment. The customer prefers to buy JBoss and therefore only activate the JBoss subscription license if the test is passed.

Therefore, we can only install with the Developer Edition. My question is, if we use this for installation on the server, do we need to reinstall the app server after receiving the subscription license?

What is the difference between the developer edition and the full subscription edition?

How do you derive encryption keys between NAS and supplicant for 802.1x when using EAP as the authentication method?

I wonder how key negotiation works for WPA2 Enterprise, which uses a plain-text protocol such as EAP to authenticate the user. All the information I could find suggests that EAP is an inherently insecure authentication method for wireless communication because the credentials are sent wirelessly in plain text. On this basis, I also assumed that not only the credentials would be affected, but also the entire session! Of course, some questions appeared in my mind:

  1. How would NAS and Supplicant secretly agree on a common key if there is no secret secret?
  2. If there is a way to arrange a secret common key, why do the NAS and the supplicant not use the traffic before the authentication step, so that the credentials are not forwarded in plain text in the open?
  3. In what ways are the NAS and supplicant supported by the RADIUS server to negotiate the shared secret when using a secure protocol such as PEAP?
  4. For example, suppose EAP uses a shared secret to authenticate the supplicant. Why is this shared secret not being used by the NAS and the supplicant to derive a shared key? (I think WPA2-PSK uses a shared secret to negotiate keys.)

Any VPN server software that limits the number of concurrent logins / connections from EAP to a custom constraint like 5 over the IKEv2 protocol?

Is there a VPN server software that limits the number of concurrent logins / connections from EAP (user and password based authentication) to a custom constraint like "5" over the IKEv2 protocol? I thought strongSwan could provide this feature, but I did not find any information about it. Is it possible that Windows is installed with the DHCP server feature?