Authenticate to AD but only allow certain group
A.L.M.Buxey at lboro.ac.uk
Fri Feb 7 22:42:28 CET 2014
Hi,
> I'm not sure I follow. I tried to find a good explanation of the
> inner tunnel. I read the section on virtual servers, but wasn't
> quite sure how that applied.
<snip>
> Can you explain why you suggested to use the inner tunnel? I'd just
> removed that from my sites-enabled and everything seemed to be
> working.
the outer ID is pretty much like the outside of an envelope for mail -
you get an identity.. and a realm (if proxying) - but it's really just
to get the message to the right server..
the inner-tunnel is where the InnerID is dealt with - this is the REAL
ID of the user/client which is revealed during the EAP protected phase..
and thus it cannot be spoofed as it has to be right (user/pass) to actually
pass the authentication that occurs in EAP.
as an example..I can have
outerID - important_person at siteA.org
innerID - student1 at siteA.org
I get authenticated as student1... if you base decisions in post-auth
of the outer wrapper (default by default) then you're believing that I
am important_person and will give me the wrong rights.
alan
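As an added example (not from Alan's reply and not the FreeRADIUS project's own configuration), the fragment below shows where the AD group check from the subject line belongs given the point above: in the post-auth section of the inner-tunnel virtual server, where User-Name is the EAP-proven inner identity, rather than in the default server, where User-Name is the unauthenticated outer identity. It assumes FreeRADIUS 3.x unlang, an ldap module already configured against AD with group lookups working, and the group DN cn=wifi-users,ou=groups,dc=example,dc=org, which is a placeholder.

```unlang
# sites-enabled/inner-tunnel (added example, not the shipped file; only the
# post-auth section is shown, the rest of the virtual server stays as shipped)
server inner-tunnel {
    post-auth {
        # At this point User-Name is the inner identity (e.g. "student1") and
        # EAP-MSCHAPv2 has already proven it against AD. A group decision made
        # here is therefore tied to the identity that actually authenticated.
        # "wifi-users" under the example DN is a placeholder, not a real group.
        if (!(LDAP-Group == "cn=wifi-users,ou=groups,dc=example,dc=org")) {
            reject
        }
    }
}

# sites-enabled/default (added example of the mistake the reply describes)
server default {
    post-auth {
        # Wrong place for the check: for PEAP/TTLS the User-Name seen here is
        # the outer identity ("important_person"), which nothing has verified,
        # so the client picks the identity this comparison is made against.
        # Left here only to illustrate what not to do; remove it in practice.
        if (!(LDAP-Group == "cn=wifi-users,ou=groups,dc=example,dc=org")) {
            reject
        }
    }
}
```

The same LDAP-Group comparison is used in both servers on purpose: the syntax is identical, and the only thing that decides whether the check is meaningful is which virtual server, and therefore which User-Name, it runs against. After the change, check radiusd -X output for the inner-tunnel post-auth section to confirm the comparison is evaluated on the inner identity.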