EAP-TLS (EAP-Transport Layer Security) is defined in RFC 5216 and is considered the most secure of the EAP methods used in WLANs. EAP-TLS requires client-side certificates in addition to the server-side certificate. However, maintaining client-side certificates is challenging (you have to maintain a PKI infrastructure and manage the client certs).
Here is the EAP-TLS process (page 152 of the CWSP Study Guide). As you can see above, no tunnel is established for an inner authentication to take place, unlike the other EAP methods (PEAP, EAP-FAST, EAP-TTLS). There is an optional privacy mode in which the TLS handshake is established before the client identity is passed (not implemented by vendors).
Here is a packet capture of a supplicant using EAP-TLS for authentication. The supplicant has the MAC address 00:20:a6:ca:6b:b4.
Here are the details of the EAP-TLS frame exchange. As with any other EAP method, the first two frames are the "Identity Request" (step 4a) and "Identity Response" (step 4b), excluding the optional EAPOL-Start frame.

Here is the EAP-Identity Response frame (4b) sent by the supplicant. Note that the outer identity goes in cleartext.
Then the AS sends an "EAP-TLS Start" frame to the supplicant, as shown below. Note that Type 13 identifies EAP-TLS and Code 1 identifies a Request frame.

Then the supplicant starts the server certificate validation process (step 5a) with a "Client Hello" frame. Below are the detailed steps involved in server and client certificate validation.

Here is the Client Hello frame.

Then the AS sends its certificate with Server Hello, Certificate, Certificate Request and Server Hello Done. As you can see, the server certificate is carried in fragmented frames because of the size of the cert (in my example, 3 fragmented frames: 51, 55 and 59).

Once Server Hello Done is received, the AS starts client certificate verification (step 5b). The supplicant sends Client Certificate, Client Key Exchange, Certificate Verify and Change Cipher Spec (again, more than one fragment in my capture: frames 62 and 66).

Here is the Change Cipher Spec (frame 68) sent by the Authentication Server.

Here is the EAP-Response frame sent by the supplicant to complete the client certificate (step 5b) process.

Finally the AS sends a RADIUS Access-Accept (or Access-Reject), which the authenticator in turn converts into an EAP-Success (or EAP-Failure) frame (step 7). Here is my EAP-Success frame (Code 3).

At this point the 4-Way Handshake starts (steps 8-11, frames 74, 76, 78 and 80).
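The frame fields discussed above (the EAP Code, Type 13 for EAP-TLS, the fragmentation of the server's certificate flight and the Code 3 EAP-Success) can be decoded programmatically. The following Python is an added example written for this post; it is not code from the original page, from the CWSP Study Guide or from any vendor tool. It builds a constructed EAP exchange (the identity string, identifiers, lengths and byte payloads are made up and are not taken from the capture above), parses each frame's RFC 3748 EAP header and RFC 5216 EAP-TLS Flags byte, and reassembles a TLS message split across fragments. Pulling the outer identity straight out of the Identity Response bytes is exactly the cleartext exposure noted above.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP header (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13          # Type 13 = EAP-TLS, as in the Start frame
# EAP-TLS Flags byte (RFC 5216): L = TLS length included, M = more fragments, S = start
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20

@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int] = None        # absent on Success/Failure
    flags: int = 0                        # EAP-TLS only
    tls_total_len: Optional[int] = None   # set when the L flag is present
    data: bytes = b""                     # identity string or TLS bytes

def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet, rejecting truncated or inconsistent headers."""
    if len(raw) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field is inconsistent with the packet")
    pkt, body = EapPacket(code, ident), raw[4:length]
    if code in (3, 4):                    # Success/Failure carry no Type field
        return pkt
    if not body:
        raise ValueError("Request/Response must carry a Type")
    pkt.eap_type, payload = body[0], body[1:]
    if pkt.eap_type == EAP_TYPE_TLS:
        if not payload:
            raise ValueError("EAP-TLS packet is missing its Flags byte")
        pkt.flags, payload = payload[0], payload[1:]
        if pkt.flags & FLAG_L:            # first fragment announces the full TLS length
            if len(payload) < 4:
                raise ValueError("L flag set but TLS Message Length is missing")
            pkt.tls_total_len, payload = struct.unpack("!I", payload[:4])[0], payload[4:]
    pkt.data = payload
    return pkt

class TlsReassembler:
    """Concatenates EAP-TLS fragments until one arrives with the M flag clear."""
    def __init__(self) -> None:
        self.buf, self.expected = b"", None

    def feed(self, pkt: EapPacket) -> Optional[bytes]:
        if pkt.tls_total_len is not None:
            self.expected = pkt.tls_total_len
        self.buf += pkt.data
        if pkt.flags & FLAG_M:
            return None                   # wait for the remaining fragments
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("reassembled TLS message does not match announced length")
        msg, self.buf, self.expected = self.buf, b"", None
        return msg

# Builders used only to construct the sample frames below (constructed, not captured).
def build_eap(code: int, ident: int, eap_type: Optional[int] = None, payload: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def build_eap_tls(code: int, ident: int, flags: int, tls: bytes = b"", total: Optional[int] = None) -> bytes:
    hdr = bytes([flags | (FLAG_L if total is not None else 0)])
    if total is not None:
        hdr += struct.pack("!I", total)
    return build_eap(code, ident, EAP_TYPE_TLS, hdr + tls)

def fragment_tls(code: int, first_ident: int, tls: bytes, max_frag: int) -> List[bytes]:
    """Split a TLS flight the way the AS fragments a large Certificate message.
    (In a real exchange each fragment is ACKed by an empty EAP-TLS Response; omitted here.)"""
    chunks = [tls[i:i + max_frag] for i in range(0, len(tls), max_frag)]
    return [build_eap_tls(code, first_ident + i, 0 if i == len(chunks) - 1 else FLAG_M, c,
                          total=len(tls) if i == 0 else None) for i, c in enumerate(chunks)]

# Constructed sample exchange: identity phase, EAP-TLS Start, a 1024-byte stand-in
# for the server's certificate flight in three fragments, then EAP-Success.
SERVER_FLIGHT = bytes(range(256)) * 4
SAMPLE_EXCHANGE = [
    build_eap(1, 1, EAP_TYPE_IDENTITY),                       # 4a Identity Request
    build_eap(2, 1, EAP_TYPE_IDENTITY, b"user@example.net"),  # 4b Identity Response (cleartext)
    build_eap_tls(1, 2, FLAG_S),                              # EAP-TLS Start: Code 1, Type 13, S flag
    *fragment_tls(1, 3, SERVER_FLIGHT, 400),                  # fragmented like frames 51/55/59
    build_eap(3, 6),                                          # EAP-Success: Code 3
]

def walk(frames: List[bytes]):
    """Return (readable events, reassembled TLS messages) for a list of raw EAP frames."""
    reasm, events, tls_msgs = TlsReassembler(), [], []
    for raw in frames:
        pkt = parse_eap(raw)
        if pkt.code in (3, 4):
            events.append(f"EAP-{EAP_CODES[pkt.code]}")
        elif pkt.eap_type == EAP_TYPE_IDENTITY:
            events.append("Identity Request" if pkt.code == 1
                          else f"Identity Response: {pkt.data.decode('utf-8', 'replace')}")
        elif pkt.eap_type == EAP_TYPE_TLS and pkt.flags & FLAG_S:
            events.append("EAP-TLS Start")
        elif pkt.eap_type == EAP_TYPE_TLS:
            events.append(f"EAP-TLS fragment more={bool(pkt.flags & FLAG_M)} len={len(pkt.data)}")
            msg = reasm.feed(pkt)
            if msg is not None:
                tls_msgs.append(msg)
    return events, tls_msgs
```

Running `walk(SAMPLE_EXCHANGE)` yields the identity pair, the Start frame, three fragments (the first carrying the L flag with the full TLS length, the last with M clear) and the final EAP-Success, with the 1024-byte flight handed back in one piece; the same parser applied to the EAP payload of real EAPOL or RADIUS EAP-Message attributes lets you spot the cleartext outer identity and the fragment pattern described above without a protocol dissector.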