We're using currently using freeradius 2.x and migrating to a new server where we will be using 3.0.4. Our OpenLDAP server has plaintext passwords currently, but as I migrate the server over, I would like to encrypt and salt them (something like SSHA). Both the LDAP and Radius servers will be on the same box. The problem devices is our wireless clients made up of Macs and phones (Android and iPhone) and the traffic passes through a Cisco WLC. If I want to encrypt, then it seems I would have to use EAP-GTC along with PAP. The Macs seem to only want to authenticate with MSCHAPv2. I found on Android phones if I don't set the Phase 2 authentication, it only checks MSCHAPv2, however if I force it to use GTC, then it authenticates correctly. I did notice in the logs using GTC, it has the ability to display the encrypted password in the clear. Didn't do this with MSCHAPv2. So here are my questions: 1. Is there something I'm missing from what I've trying and seeing above? 2. Is GTC and PAP with encrypted passwords less secure than using MSCHAPv2 with Plain text passwords in LDAP (even though they are on the same box)? 3. Should Mac's be able to use GTC? I've read that with Cisco ISE, this can be force, but beyond that I couldn't come across any article discussing it. I'm having trouble finding the article or thread, but I had read before the best solution with OpenLDAP and FreeRadius is plain-text passwords in LDAP, MSCHAPv2 for authentication and ACL's on the ldap OU's. Is this the recommendation? I would also like to prevent the ability to sniff the passwords in whichever scenario is used.