Authenticate to AD but only allow certain group

A.L.M.Buxey at A.L.M.Buxey at
Fri Feb 7 22:42:28 CET 2014


> I'm not sure I follow.  I tried to find a good explanation of the
> inner tunnel.  I read the section on virtual servers, but wasn't
> quite sure how that applied.


> Can you explain why you suggested to use the inner tunnel?  I'd just
> removed that from my sites-enabled and everything seemed to be
> working.

the outer ID is pretty much like the outside of an envelope for mail -
you get an identity..and a realm (if proxying) - but its really just
to get the message to the right server..

the inner-tunnel is where the InnerID is dealt with - this is the REAL
ID of the user/client which is revealed during the EAP protected phase..
and thus it cannot be spoofed as it has to be right (user/pass) to actually 
pass the authentication that occurs in EAP.

as an example..I can have

outerID - important_person at
innerID - student1 at

I get authenticated as student1 ...if you base decisions in post-auth
of the outer wrapper (default by default) then you're believing that I
am important_person and will give me the wrong rights.


More information about the Freeradius-Users mailing list