Hi,
I'm not sure I follow. I tried to find a good explanation of the inner tunnel. I read the section on virtual servers, but wasn't quite sure how that applied.
<snip>
Can you explain why you suggested to use the inner tunnel? I'd just removed that from my sites-enabled and everything seemed to be working.
the outer ID is pretty much like the outside of an envelope for mail - you get an identity..and a realm (if proxying) - but its really just to get the message to the right server.. the inner-tunnel is where the InnerID is dealt with - this is the REAL ID of the user/client which is revealed during the EAP protected phase.. and thus it cannot be spoofed as it has to be right (user/pass) to actually pass the authentication that occurs in EAP. as an example..I can have outerID - important_person@siteA.org innerID - student1@siteA.org I get authenticated as student1 ...if you base decisions in post-auth of the outer wrapper (default by default) then you're believing that I am important_person and will give me the wrong rights. alan