Purpose of the inner-eap module
Matthew Newton
mcn4 at leicester.ac.uk
Fri Sep 30 01:02:59 CEST 2016
On Thu, Sep 29, 2016 at 06:34:10PM +0100, Graham Clinch wrote:
> I've swapped all occurrences of 'eap' in the inner-tunnel site to 'inner-eap'
> and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer
> roundtrip, which feels like an improvement. Is there a reason inner-eap is
> not used in the default inner-tunnel site?

The default "eap" config has

    default_eap_type = md5

which will be NAK'd on the first round trip. You should set it to
the EAP method you're most commonly going to use.

The "inner-eap" config has

    default_eap_type = mschapv2

which you're using, so saves one RT because the server and client
agree the first time around.

You'd use the inner-eap config when you're doing e.g.
PEAP/EAP-TLS, i.e. EAP (EAP-TLS) inside of EAP (PEAP). In which
case your inner-tunnel config would call inner-eap instead of eap
(which would be the same module twice, which wouldn't end nicely).

Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
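
The round-trip saving described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. It models only the EAP method-negotiation step (RFC 3748 Request / Legacy Nak), not the Identity exchange or the method's own rounds; all function names are hypothetical.

```python
import struct

# EAP codes and method type numbers from RFC 3748 and the IANA EAP registry.
REQUEST, RESPONSE = 1, 2
NAK, MD5, TLS, MSCHAPV2 = 3, 4, 13, 26

def eap_packet(code, ident, eap_type, data=b""):
    """Encode Code | Identifier | Length | Type | Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse(pkt):
    """Decode an EAP packet, rejecting a Length field that disagrees with the buffer."""
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return code, ident, eap_type, pkt[5:]

def peer_reply(request, wanted):
    """Peer side: accept the offered method, or send a Legacy Nak listing `wanted`."""
    _, ident, offered, _ = parse(request)
    if offered == wanted:
        return eap_packet(RESPONSE, ident, offered, b"<method data>")  # constructed payload
    return eap_packet(RESPONSE, ident, NAK, bytes([wanted]))

def negotiate(default_eap_type, server_methods, peer_wants):
    """Count request/response round trips until the peer answers with the
    method itself. Returns None when the two sides share no method."""
    offer, ident, trips = default_eap_type, 1, 0
    while True:
        trips += 1
        reply = peer_reply(eap_packet(REQUEST, ident, offer), peer_wants)
        _, _, rtype, data = parse(reply)
        if rtype != NAK:
            return trips
        # Server picks the first Nak-suggested method it also supports.
        common = [t for t in data if t in server_methods]
        if not common or trips > 1:
            return None
        offer, ident = common[0], ident + 1

if __name__ == "__main__":
    methods = {MD5, MSCHAPV2}
    print("default md5      ->", negotiate(MD5, methods, MSCHAPV2), "round trips")
    print("default mschapv2 ->", negotiate(MSCHAPV2, methods, MSCHAPV2), "round trips")
```
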