29 Jan
2007
29 Jan
'07
4:27 p.m.
On 29/01/2007, at 11:03 PM, A.L.M.Buxey@lboro.ac.uk wrote:
MSCHAPv2 is the main way to go. offering challenge/response means the password is never sent clear. alternatively you could use MD5 instead of plain. but client support is an issue...
After reading through Alan DeKok's compatibility page and a bit further research from that, it would appear that the risk of compromise is greater from poor storage on the server than the transient cleartext credentials inside the EAP-TLS session. cheers, James