EAP TTLS Inner Tunnel

Alan DeKok aland at deployingradius.com
Thu Sep 12 14:39:31 UTC 2024


On Sep 12, 2024, at 10:11 AM, Connor Herring <connorrjherring at gmail.com> wrote:
> I've got my setup working so that the outer auth is dealt with by EAPTTLS
> and then the inner is dealt with by either PAP/MD5 depending on what device
> the client is using (Windows doesn't seem to support MD5 and Apple doesn't
> seem to support PAP without extra config).

  Apple systems should be able to do TTLS+PAP without issue.

> My question is regarding the /mods-available/inner-eap module. My setup
> seems to be working but finding out that this module exists has made me
> question that fact. Instead of configuring inner tunnel within the
> /mods-enabled/eap file (e.g. setting the virtual server to your inner
> tunnel server and then configuring the inner tunnel virtual server in
> /sites-enabled/inner-tunnel etc.) do you HAVE to use
> /mods-available/inner-eap for this kind of setup to work correctly?

  No.

> When reading the documents I wasn't sure if the inner-eap module was going
> to be more heavily relied upon in v4.0.0 (I'm on v3.2.1) but wasn't
> necessary at the moment?

  The intent of the inner vs outer EAP modules was to allow different EAP types.

  i.e. you don't want to do EAP-TTLS, which then carries EAP-TTLS, which then carries EAP-TTLS...

  Using one EAP module means that such nesting is allowed / easier.  Using a separate "inner-eap" module means that you can more easily separate the two sets of EAP methods.

  Alan DeKok.
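
The separation described in the reply above, sketched as a FreeRADIUS v3 configuration fragment. This is an added example, not configuration from the thread or from the FreeRADIUS project. It assumes the stock `tls-common` section, MD5 as the only inner EAP type (taken from the question), and `files` as the credential source.

```text
# --- mods-enabled/eap : outer module, offers only the tunnel method ---
eap {
	default_eap_type = ttls

	# The existing "tls-config tls-common" section stays as it is in the
	# current file; it is not repeated in this fragment.

	ttls {
		tls = tls-common
		virtual_server = "inner-tunnel"
	}

	# No md5 / gtc / mschapv2 sections here, so those methods are
	# never offered outside the TLS tunnel.
}

# --- mods-enabled/inner-eap : symlink to mods-available/inner-eap ---
eap inner-eap {
	default_eap_type = md5

	md5 {
	}

	# No ttls / peap sections here, so a tunnelled method cannot be
	# started again inside the tunnel (no TTLS-in-TTLS nesting).
}

# --- sites-enabled/inner-tunnel : call inner-eap where it called eap ---
server inner-tunnel {
	authorize {
		inner-eap {
			ok = return
		}
		files	# assumption: credentials come from the "files" module
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		inner-eap
	}
}
```

With a single `eap` module used in both places, every method enabled for the outer session is also accepted inside the tunnel, which is the nesting the reply refers to.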


