EAP protocol support different types of authentication methods. Some methods like EAP-MSCHAPv2 is very basic with MSCHAPv2 as the authentication method. This however is not very secure since the NTLM hashed password can be decrypted using brute force attacks. EAP also supports tunneled authentication methods where the credentials are exchanged inside a TLS tunnel.
First a TLS tunnel is setup between client and AAA server. Then credentials are exchanged inside the secure tunnel where its is safe from eavesdroppers. Different tunneled EAP methods are EAP-TTLS, EAP-PEAP, EAP-TLS, TEAP. In your example you have MSCHAPv2 as inner authentication method with EAP-TTLS. Here, first a TLS tunnel is formed and MSCHAPv2 authentication happens inside the tunnel. EAP lets you choose different combinations of outer and inner methods. Other examples are EAP-TTLS with PAP as inner method or EAP-PEAP with MSCHAPv2 as inner method.
Original Message:
Sent: May 11, 2023 12:12 AM
From: champ85
Subject: Outer and Inner Authentication logic
Hi,
I am not looking to configure anything.
Just wanted to understand the logic behind the inner and outer authentications.
Thanks
Champ
Original Message:
Sent: 5/10/2023 10:23:00 AM
From: ahollifield
Subject: RE: Outer and Inner Authentication logic
What exactly are you trying to accomplish. Some EAP types like EAP-TLS are outer authentication only with no inner method. For other EAP types like PEAP/MS-CHAPv2 use an outer method of PEAP and inner method of MS-CHAPv2. It depends on the EAP type and use-case.
Original Message:
Sent: May 09, 2023 11:13 PM
From: champ85
Subject: Outer and Inner Authentication logic
Hi folks,
Can anyone please breakdown the logic in using the outer and inner authentication, as shown below?
And why cant we just use one auth method only?
Clearpass- Wired
Windows Machine - Wired
Clearpass - Wired -selfreg Auth
