Hi folks,

Can anyone please break down the logic in using the outer and inner authentication, as shown below? And why can't we just use one auth method only?

Clearpass - Wired Windows Machine - Wired
Clearpass - Wired - selfreg Auth
What exactly are you trying to accomplish? Some EAP types like EAP-TLS are outer authentication only, with no inner method. For other EAP types like PEAP/MS-CHAPv2, the outer method is PEAP and the inner method is MS-CHAPv2. It depends on the EAP type and use case.
The EAP protocol supports different types of authentication methods. Some methods, like EAP-MSCHAPv2, are very basic, with MSCHAPv2 as the authentication method. This however is not very secure, since the NTLM hashed password can be decrypted using brute-force attacks.

EAP also supports tunneled authentication methods where the credentials are exchanged inside a TLS tunnel. First a TLS tunnel is set up between client and AAA server. Then credentials are exchanged inside the secure tunnel, where it is safe from eavesdroppers. Different tunneled EAP methods are EAP-TTLS, EAP-PEAP, EAP-TLS, TEAP.

In your example you have MSCHAPv2 as the inner authentication method with EAP-TTLS. Here, first a TLS tunnel is formed and MSCHAPv2 authentication happens inside the tunnel. EAP lets you choose different combinations of outer and inner methods. Other examples are EAP-TTLS with PAP as the inner method or EAP-PEAP with MSCHAPv2 as the inner method.
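The reply above describes the two phases of a tunneled EAP method: the outer method (TLS) protects the exchange, and the inner method (here an MSCHAPv2-style challenge/response) authenticates the user inside it. The script below is an added illustration of that layering; it is not code from the original thread, from ClearPass or from HPE/Aruba. It models the inner method with SHA-256/HMAC instead of the real NT hash and DES, and models the TLS record layer with a keyed stream cipher plus integrity tag, so that it runs on the Python standard library alone; the tunnel key is simply assumed to be the result of a TLS handshake that the eavesdropper did not take part in. All function names are hypothetical. The point it makes concrete is the one in the reply: with no tunnel, the captured challenge/response pair lets a passive observer test password guesses offline; inside the tunnel, the same pair is ciphertext and the server still authenticates the client normally.

```python
import hashlib
import hmac
import os


# ---- Inner method: MS-CHAPv2-style challenge/response (simplified) ----------
# Real MS-CHAPv2 derives the response from the NT (MD4) hash with DES. SHA-256
# and HMAC stand in here so the example needs only the standard library. The
# property that matters is unchanged: the response is a deterministic function
# of (challenge, password), so whoever captures both can check guesses offline.
def nt_hash_stand_in(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def chap_response(challenge: bytes, password: str) -> bytes:
    return hmac.new(nt_hash_stand_in(password), challenge, "sha256").digest()


def chap_verify(challenge: bytes, response: bytes, password: str) -> bool:
    return hmac.compare_digest(chap_response(challenge, password), response)


# ---- Outer method: TLS tunnel stand-in --------------------------------------
# The tunnel key is assumed to come from the TLS handshake (EAP-TTLS / PEAP
# phase 1); only the client and the AAA server hold it. Each record gets a
# fresh nonce, an HMAC-SHA256 keystream and an integrity tag. This illustrates
# record protection; it is not TLS.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return out[:length]


def tunnel_seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def tunnel_open(key: bytes, record: bytes) -> bytes:
    nonce, body, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        raise ValueError("tunnel record failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# ---- One inner authentication, with or without the outer tunnel -------------
def run_exchange(server_password: str, client_password: str, tunneled: bool):
    """Return (server_accepted, wire). `wire` is the list of frames exactly as a
    passive observer on the LAN would capture them."""
    wire = []
    tunnel_key = os.urandom(32) if tunneled else None  # assumed: from TLS handshake
    wrap = (lambda b: tunnel_seal(tunnel_key, b)) if tunneled else (lambda b: b)
    unwrap = (lambda b: tunnel_open(tunnel_key, b)) if tunneled else (lambda b: b)

    # Server -> client: challenge
    challenge = os.urandom(16)
    wire.append(("challenge", wrap(challenge)))
    # Client -> server: response computed from the challenge it received
    response = chap_response(unwrap(wire[0][1]), client_password)
    wire.append(("response", wrap(response)))
    # Server checks the response it received against the stored credential
    accepted = chap_verify(challenge, unwrap(wire[1][1]), server_password)
    return accepted, wire


def eavesdropper_can_confirm_guess(wire, guess: str) -> bool:
    """What a passive observer can do with the captured frames: treat them as
    challenge and response and test one candidate password. Without the tunnel
    this succeeds for the right guess; with the tunnel both frames are
    ciphertext, so no guess ever verifies."""
    captured = dict(wire)
    return chap_verify(captured["challenge"], captured["response"], guess)


if __name__ == "__main__":
    for tunneled in (False, True):
        ok, wire = run_exchange("Winter2023!", "Winter2023!", tunneled)  # constructed sample
        exposed = eavesdropper_can_confirm_guess(wire, "Winter2023!")
        print(f"tunneled={tunneled}: server accepted={ok}, transcript usable offline={exposed}")
```

Running it prints that the server accepts the client in both modes, but only the untunneled transcript lets an observer confirm a password guess. That asymmetry is why the outer method cannot be dropped when the inner method is MSCHAPv2 or PAP: the inner method proves who the user is, the outer method keeps that proof (and, for PAP, the password itself) away from anyone else on the segment.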
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.