I have configured a working EAP-TLS system and am now migrating to use EAP-TTLS (with both client side certificates and a password authentication mechanism). I'm stuck trying to work out how to avoid sending the password unhashed to the server and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1 but I seem to get the right config (if it is even possible). So, with this problem, can anybody suggest a way to use SHA1/SSHA1 or some other form of cryptographically secure, non-cleartext password within the inner authentication mechanism of EAP-TTLS for use in WPA2 Enterprise/802.1x. If this is feasible/possible, are there any gotcha's with the various supplicants to getting this to work from the client side and avoiding sending the passwords in cleartext (inside the EAP-TLS tunnel). Also, while I'm here, any suggestions for an appropriate backend password store so that there is never a cleartext password except for the initial entry (password change) on the server side would be appreciated. cheers, James