EAP-TLS The most secure option?

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.nccgroup.com/research-blog/eap-tls-the-most-secure-option/
• Blog Title: EAP-TLS: The most secure option?
• Suggested Section: Pentesting Wifi -> Evil Twin EAP-TLS (add: EAP Identity leakage/username enumeration + Windows EAP-TLS server-validation misconfig pitfalls and hardening checklist)

🎯 Content Summary

NCC Group explains why EAP-TLS (WPA2-Enterprise) is often the “gold standard” (certificate-based authentication; no reusable user password to phish/bruteforce like PEAP/MS-CHAP), but also shows two practical security failures that still occur in real deployments: (1) unauthenticated username enumeration via EAP Identity, and (2) “m(?)TLS” server-validation misconfigurations that enable Evil Twin attacks.

Core roles / terminology (802.1X)
- Supplicant: t...

🔧 Technical Details

EAP Identity username harvesting: Because the EAP Identity exchange happens before any TLS confidentiality exists, a network can leak real domain usernames in EAP-Response/Identity. An attacker in RF range can passively capture EAP traffic and extract identities with standard tooling (e.g., tune to the AP using airodump-ng -i $IFACE -c $CHAN --bssid $BSSID, then decode/filter EAP frames with tshark -i "$IFACE" -Y eap -V and grep for Identity:). Mitigate by using privacy NAI (RFC4282) where supported, or switching to computer authentication so the leaked identity is a machine name rather than a user.

EAP-TLS Evil Twin via broken client server-validation (“m(?)TLS”): EAP‑TLS only provides mutual authentication if the supplicant strictly validates the server certificate and expected server identity. If validation is disabled, server names aren’t constrained, or users can override certificate errors (Windows prompt to trust new/u...

🤖 Agent Actions

Summary:

• Expanded the Evil Twin EAP-TLS page with practical EAP identity leakage enumeration workflow, impact, and mitigations (privacy NAI, computer auth).
• Added detailed guidance on exploiting and preventing Evil Twin attacks via broken client server validation, including Windows supplicant pitfalls and hostapd-wpe rogue infra notes.
• Included a hardening checklist with example ServerValidationParameters and updated references (NCC blog, RFC 4282, Microsoft docs, Versprite).

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.nccgroup.com/research-blog/eap-tls-the-most-secure-option/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Wifi -> Evil Twin EAP-TLS (add: EAP Identity leakage/username enumeration + Windows EAP-TLS server-validation misconfig pitfalls and hardening checklist)".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0