Am 07.03.25 um 14:44 schrieb Alan DeKok:
PAP is the best choice. You have to update the supplicant to allow EAP-TTLS-PAP.
citing myself 1 hour ago:
Agreed. In real life,it turns out that, as a remainder of the MS monopoly, _all_ vendors of WiFi clients MUST support and test MS-CHAPv2 properly to survive commercially -- counterexamples welcome 🙂 They MAY support PAP in addition. With a server side not speaking MS-CHAPv2, odds are your life gets harder, especially if you're running a BYOD service.
Depending on the mixture (and number!) of clients, the support effort caused by not supporting the seemingly ubiquitous MS-CHAPv2 may warrant some effort on the server side :-( We enhanced our password update procedure by calculating the NT-Hash ourselves whenever a user changes their password. We store it in LDAP, FR pulls it to do MS-CHAPv2 without any Microsoft thing involved. This is 100% reliable, but 10% of the security you really want as NT-Hash is so easily cracked. If you stick with PAP, you might want to take a look at https://codeberg.org/Amebis/GEANTLink for balky Windows clients. We used this tool around 2017 for a while before we figured out above solution. The developer is still around, and there seems to be some maintenance activity on the code. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg