On 02/07/2014 04:42 PM, A.L.M.Buxey@lboro.ac.uk wrote:
the outer ID is pretty much like the outside of an envelope for mail - you get an identity..and a realm (if proxying) - but its really just to get the message to the right server..
the inner-tunnel is where the InnerID is dealt with - this is the REAL ID of the user/client which is revealed during the EAP protected phase.. and thus it cannot be spoofed as it has to be right (user/pass) to actually pass the authentication that occurs in EAP.
as an example..I can have
outerID - important_person@siteA.org innerID - student1@siteA.org
I get authenticated as student1 ...if you base decisions in post-auth of the outer wrapper (default by default) then you're believing that I am important_person and will give me the wrong rights.
alan
Alan, Are there always two levels of EAP in WPA (or WPA2) Enterprise? Where do the "outerID" credentials come from? Is that the wireless station (laptop, phone, etc.) or the access point? Thanks, Brian