Authenticate to AD but only allow certain group
Brian C. Huffman
bhuffman at etinternational.com
Wed May 14 20:20:22 CEST 2014
On 02/07/2014 04:42 PM, A.L.M.Buxey at lboro.ac.uk wrote:
> the outer ID is pretty much like the outside of an envelope for mail -
> you get an identity..and a realm (if proxying) - but it's really just
> to get the message to the right server..
>
> the inner-tunnel is where the InnerID is dealt with - this is the REAL
> ID of the user/client which is revealed during the EAP protected phase..
> and thus it cannot be spoofed as it has to be right (user/pass) to actually
> pass the authentication that occurs in EAP.
>
> as an example..I can have
>
> outerID - important_person at siteA.org
> innerID - student1 at siteA.org
>
> I get authenticated as student1 ...if you base decisions in post-auth
> of the outer wrapper (default by default) then you're believing that I
> am important_person and will give me the wrong rights.
>
> alan
Alan,
Are there always two levels of EAP in WPA (or WPA2) Enterprise?
Where do the "outerID" credentials come from? Is that the wireless
station (laptop, phone, etc.) or the access point?
Thanks,
Brian
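The point made in the quoted reply, that an access decision such as an AD group check must be bound to the inner identity that actually passed EAP authentication and not to the outer envelope identity, translates into the following FreeRADIUS configuration. This is an added example and not part of the original exchange; it assumes FreeRADIUS 3.x unlang syntax, an rlm_ldap instance already pointed at Active Directory, and a placeholder group name `WiFi-Users`.

```text
# raddb/mods-available/ldap (excerpt, assumed values)
# Tell rlm_ldap how to resolve group membership in AD so that the
# dynamic Ldap-Group attribute can be compared in unlang.
ldap {
    group {
        base_dn = "OU=Groups,DC=example,DC=com"   # placeholder base DN
        filter = "(objectClass=group)"
        name_attribute = cn                       # compare by group cn
        membership_attribute = "memberOf"         # AD stores groups on the user
        cacheable_name = "no"
        cacheable_dn = "no"
    }
}

# raddb/sites-enabled/inner-tunnel (excerpt)
# The inner-tunnel virtual server handles the EAP protected phase, so the
# User-Name seen here is the inner ID (student1 in the thread's example),
# not the outer ID (important_person) that the default virtual server sees.
server inner-tunnel {
    post-auth {
        # Runs only after the inner method (e.g. MS-CHAPv2 against AD via
        # ntlm_auth) has succeeded, so the inner identity has been proven.
        # Replace "WiFi-Users" with the real AD group (placeholder).
        if (!(&Ldap-Group == "WiFi-Users")) {
            update reply {
                Reply-Message := "Authenticated, but not in the required group"
            }
            reject
        }
    }
}
```

The check sits in the inner-tunnel `post-auth` section deliberately: placing the same `Ldap-Group` comparison in the outer `default` virtual server would evaluate the unauthenticated outer identity, which is exactly the mismatch the quoted reply warns about. Running `radiusd -X` shows which virtual server performed the LDAP group lookup and against which `User-Name`, so the placement can be confirmed before the policy is trusted.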