"Outer and inner identities are the same"

Gregory Sloop gregs at sloop.net
Tue Oct 22 00:23:17 CEST 2019

I have a EAP-MSCAPv2 WPA-Enterprise setup working so that's good.

I get warnings about "Outer and inner identities are the same," however.
Searching the list doesn't do a lot to illuminate me as to exactly what the inner and outer tunnels are.

I think I understand this warning - though some explanation would be handy.

I assume, given the message, that the User identity is available outside the MS-CHAP/MPPE "envelope" - in the "outer" tunnel. But, if we're using a CA/server-cert+key, the user identity should be encrypted inside the "outer" tunnel too, right? To say that another way - the outer tunnel is protected via the server-cert+key, and the inner tunnel is protected by the chapv2/mppe protocol. Do I have that right?

In this case, the MPPE tunnel is far less secure [provided modern encryption standards] than say a AES-256/SHA-256 RSA outer tunnel, and I shouldn't need to worry about the warning.

If there's a doc somewhere that covers this, I'd be happy to read it, but I haven't seen one - or been able to find one by searching.

Lets deal with that first, and then once I understand it well enough, I may have follow-on questions.


More information about the Freeradius-Users mailing list