How does the supplicant connect to the auth server in EAP TTLS?

I understand that a TLS session has to be established between the supplicant (end user device) and the auth server, but a few things are unclear:

  1. How does the supplicant know the IP address of the auth server?
  2. The supplicant is not granted access yet, but it has to communicate over TLS. Does that mean it is granted a temporary local IP address and only requests to the auth server are forwarded via usual NAT by the access point?
  3. How does the supplicant authenticate the server? If I were connecting to a website, I would check the common name (and that the chain is correct up to a root CA certificate I have), but what would the supplicant check for in the common name (subject)?

SSL – 802.1X EAP-TLS Linux Supplicant NPS Windows Server

The environment of my POC:

  • 1 server MS2016 AD, 1 server MS2016 ADCS, 1 server MS2016 NPS (RADIUS server)

  • 1 switch Aruba 2930F (Authenticator)

  • Workstations: Windows 10 and CentOS 7.6 (Supplicants)

Only wired trusted computers should be able to connect to the LAN.

I have deployed the NPS server ADCS (PKI Two Tier Authority).

It works for the Windows workstation. A GPO deploys the CA and computer certificates.

What can I do to authenticate Linux computers with NPS by AD?

regards

Christophe

How do you derive encryption keys between NAS and supplicant for 802.1x when using EAP as the authentication method?

I wonder how key negotiation works for WPA2 Enterprise, which uses a plain-text protocol such as EAP to authenticate the user. All the information I could find suggests that EAP is an inherently insecure authentication method for wireless communication because the credentials are sent wirelessly in plain text. On this basis, I also assumed that not only the credentials would be affected, but also the entire session! Of course, some questions appeared in my mind:

  1. How would the NAS and supplicant secretly agree on a common key if there is no shared secret?
  2. If there is a way to arrange a secret common key, why don't the NAS and the supplicant use it for the traffic before the authentication step, so that the credentials are not sent in plain text in the open?
  3. In what ways are the NAS and supplicant supported by the RADIUS server to negotiate the shared secret when using a secure protocol such as PEAP?
  4. For example, suppose EAP uses a shared secret to authenticate the supplicant. Why is this shared secret not being used by the NAS and the supplicant to derive a shared key? (I think WPA2-PSK uses a shared secret to negotiate keys.)
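As an added example (not part of any post above), the key derivation that the last question asks about, written out in Python: the EAP method's Master Session Key (MSK) gives the PMK (its first 256 bits), and the 802.11 4-way handshake expands the PMK into the PTK with the standard IEEE 802.11 PRF built on HMAC-SHA1. It assumes WPA2/CCMP (a 384-bit PTK); the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

PTK_LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to nbits."""
    nbytes = nbits // 8
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmk_from_msk(msk: bytes) -> bytes:
    """EAP methods such as EAP-TLS/TTLS/PEAP export a 64-byte MSK;
    the PMK handed to the 4-way handshake is its first 256 bits."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, label, min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(...)).
    AA = authenticator (NAS/AP) MAC, SPA = supplicant MAC. The min/max ordering
    makes both sides compute the same value regardless of argument order."""
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("MAC addresses must be 6 bytes and nonces 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 384)
    # CCMP split: KCK (handshake MIC key), KEK (GTK wrapping key), TK (data traffic key)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    # Constructed sample values; a real MSK comes out of the EAP method's TLS keying material.
    msk = bytes(range(64))
    pmk = pmk_from_msk(msk)
    aa = bytes.fromhex("001122334455")
    spa = bytes.fromhex("66778899aabb")
    anonce, snonce = b"\x01" * 32, b"\x02" * 32
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    for name, k in keys.items():
        print(name, k.hex())
```

The nonces and MAC addresses travel in the clear during the handshake, so an observer gets everything in this derivation except the PMK; that is why a PMK that only the EAP method (inside its TLS tunnel) could produce is what protects the session keys.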