Which EAP (Extensible Authentication Protocol) type uses a server-side certificate to establish a protected tunnel, similar to PEAP (Protected Extensible Authentication Protocol)?

The correct answer is EAP-TTLS (EAP Tunneled TLS) because it uses a server-side certificate to create a secure tunnel for client authentication, similar to the way PEAP operates. EAP-TTLS establishes a TLS (Transport Layer Security) tunnel after the server presents its certificate and is authenticated, which allows for the secure exchange of authentication credentials between the client and the server.

This security mechanism ensures that the initial connection is secured before user credentials are transmitted, thereby preventing unauthorized access and eavesdropping.

In contrast, while PEAP also uses a server-side certificate to initiate a secure tunnel, EAP-TTLS differs in its ability to support various legacy authentication methods (such as PAP or CHAP) for clients, once the tunnel is established. This flexibility allows organizations to utilize existing credentials without requiring every client to support the same authentication protocol.

Understanding EAP-TTLS in this context highlights its practical applications in environments where backward compatibility with other authentication methods is necessary while still maintaining a high level of security through tunneling.