Which EAP (Extensible Authentication Protocol) type requires only a server-side public key certificate to establish an encrypted tunnel?

The correct choice is PEAP (Protected Extensible Authentication Protocol). PEAP is designed to provide an additional layer of security by encapsulating a second authentication protocol within a secure Transport Layer Security (TLS) tunnel. This structure requires only a public key certificate on the server side to establish the tunnel, allowing clients to authenticate without needing their own certificates.

In a PEAP implementation, the server presents its certificate to the client, enabling the client to verify the server's identity and establish an encrypted tunnel. Once this secure tunnel is established, the client can then authenticate itself using methods like MSCHAPv2 or others that do not require additional certificates.

Other authentication methods, such as EAP-TLS, necessitate both client-side and server-side certificates, making it less flexible compared to PEAP. EAP-FAST focuses on using Protected Access Credentials (PACs), and EAP-TTLS also requires the server-side certificate but permits the client to use additional types of authentication without the need for its own certificate. These differences highlight why PEAP's requirement for only a server-side public key certificate uniquely positions it within the context of EAP types.