Purpose of the inner-eap module

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 30 01:02:59 CEST 2016

On Thu, Sep 29, 2016 at 06:34:10PM +0100, Graham Clinch wrote:
> I've swapped all occurances of 'eap' in the inner-tunnel site to 'inner-eap'
> and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer
> roundtrip, which feels like an improvement.  Is there a reason inner-eap is
> not used in the default inner-tunnel site?

The default "eap" config has

 default_eap_type = md5

which will be NAK'd on the first round trip. You should set it to
the EAP method you're most commonly going to use.

The "inner-eap" config has

 default_eap_type = mschapv2

which you're using, so saves one RT because the server and client
agree the first time around.

You'd use the inner-eap config when you're doing e.g.
PEAP/EAP-TLS, i.e. EAP (EAP-TLS) inside of EAP (PEAP). In which
case your inner-tunnel config would call inner-eap instead of eap
(which would be the same module twice, which wouldn't end nicely).


Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list