Authenticate to AD but only allow certain group

Brian C. Huffman bhuffman at
Wed May 14 20:20:22 CEST 2014

On 02/07/2014 04:42 PM, A.L.M.Buxey at wrote:
> the outer ID is pretty much like the outside of an envelope for mail -
> you get an identity..and a realm (if proxying) - but it's really just
> to get the message to the right server..
> the inner-tunnel is where the InnerID is dealt with - this is the REAL
> ID of the user/client which is revealed during the EAP protected phase..
> and thus it cannot be spoofed as it has to be right (user/pass) to actually
> pass the authentication that occurs in EAP.
> as an example..I can have
> outerID - important_person at
> innerID - student1 at
> I get authenticated as student1 ...if you base decisions in post-auth
> of the outer wrapper (default by default) then you're believing that I
> am important_person and will give me the wrong rights.
> alan


Are there always two levels of EAP in WPA (or WPA2) Enterprise?

Where do the "outerID" credentials come from?  Is that the wireless 
station (laptop, phone, etc.) or the access point?
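
The outer/inner distinction in the quoted explanation, as an added example that is not part of the original post and is not FreeRADIUS code: the access decision is made only on the inner identity that passed EAP, and an audit pass lists sessions where trusting the outer identity would have granted more. The group name, the `example.org` realm, the directory contents and the session list are all constructed for illustration.

```python
# Added example: constructed data and hypothetical names, not FreeRADIUS code.
ALLOWED_GROUP = "wifi-staff"  # hypothetical group that may use the network

# Constructed directory: group membership keyed by identity.
GROUPS = {
    "important_person@example.org": {"wifi-staff"},
    "student1@example.org": {"students"},
}

def normalize(identity):
    """Lower-case the realm only (assumption: realms compare case-insensitively)."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity  # no realm present
    return f"{user}@{realm.lower()}"

def in_allowed_group(identity):
    return ALLOWED_GROUP in GROUPS.get(normalize(identity), set())

def decide(outer_id, inner_id):
    """Authorize on the inner identity only.

    outer_id is accepted but deliberately ignored: it is unauthenticated
    routing data, like the outside of the envelope.
    """
    return "accept" if in_allowed_group(inner_id) else "reject"

def audit(sessions):
    """Return sessions where a decision based on the outer identity would have
    granted access that the authenticated inner identity is not entitled to."""
    return [
        (outer_id, inner_id)
        for outer_id, inner_id in sessions
        if in_allowed_group(outer_id) and not in_allowed_group(inner_id)
    ]

# Constructed sessions: (outer identity, inner identity that passed EAP).
SESSIONS = [
    ("important_person@example.org", "student1@example.org"),
    ("anonymous@example.org", "important_person@example.org"),
    ("student1@EXAMPLE.ORG", "student1@example.org"),
]

if __name__ == "__main__":
    for outer_id, inner_id in SESSIONS:
        print(outer_id, inner_id, decide(outer_id, inner_id))
    print("over-privileged if outer ID were trusted:", audit(SESSIONS))
```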

