View Only
last person joined: 11 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Outer and Inner Authentication logic

This thread has been viewed 27 times
  • 1.  Outer and Inner Authentication logic

    Posted May 09, 2023 11:14 PM

    Hi folks,

    Can anyone please breakdown the logic in using the outer and inner authentication, as shown below?
    And why cant we just use one auth method only?

    Clearpass- Wired 

    Windows Machine - Wired

    Clearpass - Wired -selfreg Auth

  • 2.  RE: Outer and Inner Authentication logic

    Posted May 10, 2023 10:23 AM

    What exactly are you trying to accomplish.  Some EAP types like EAP-TLS are outer authentication only with no inner method.  For other EAP types like PEAP/MS-CHAPv2 use an outer method of PEAP and inner method of MS-CHAPv2.  It depends on the EAP type and use-case.

  • 3.  RE: Outer and Inner Authentication logic

    Posted May 11, 2023 12:12 AM

    I am not looking to configure anything. 
    Just wanted to understand the logic behind the inner and outer authentications. 


  • 4.  RE: Outer and Inner Authentication logic

    Posted May 11, 2023 03:35 AM

    EAP protocol support different types of authentication methods. Some methods like EAP-MSCHAPv2 is very basic with MSCHAPv2 as the authentication method. This however is not very secure since the NTLM hashed password can be decrypted using brute force attacks. EAP also supports tunneled authentication methods where the credentials are exchanged inside a TLS tunnel.

    First a TLS tunnel is setup between client and AAA server. Then credentials are exchanged inside the secure tunnel where its is safe from eavesdroppers. Different tunneled EAP methods are EAP-TTLS, EAP-PEAP, EAP-TLS, TEAP. In your example you have MSCHAPv2 as inner authentication method with EAP-TTLS. Here, first a TLS tunnel is formed and MSCHAPv2 authentication happens inside the tunnel. EAP lets you choose different combinations of outer and inner methods. Other examples are EAP-TTLS with PAP as inner method or EAP-PEAP with MSCHAPv2 as inner method.