On Dec 20, 2023, at 2:47 AM, Chevy Innis via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Configure the end user device to use TTLS+PAP. It's the most secure option
Is this the only option or just the most secure? I assume any auth type that is compatible with SSHA2-512 should be ok?
When you say "any auth type", that list is composed of one entry: PAP. TTLS+PAP is just a TLS wrapper around PAP. Think of it this way. MS-CHAP and CHAP are hashes of the password, with some crypto magic. SSHA2-512 is also a hash of the password with some crypto magic. But they're different hashes. So you can't compare the outputs. And you can't "invert" the hashes to get the password. So if HASH1(password) can't be compared with HASH2(password), what can you do? You have HASH1(password). What authentication methods are compatible with that? Answer: password. Because you can then run HASH1 yourself. And then compare HASH1(password) with HASH1(password), and see if they're identical. Alan DeKok.