On 16/05/13 14:27, Sergii Bieliaievskyi wrote:
2013/5/16 Alan DeKok <aland@deployingradius.com <mailto:aland@deployingradius.com>>
Sergii Bieliaievskyi wrote: > This is so frustrating :( > How it can be possible to do strong security using reliable passwords > and to have no encryption in the same time.
I think you misunderstand the issues.
OTP passwords were created so that it doesn't *require* that the password be hidden.
Systems like MSCHAP were created so that the passwords could be used many times, because they're hashed.
The two systems are *designed* to be incompatible.
But only ms-chap supports data encryption. I want to use OTP and MPPE simulteniosly. But MPPE without ms-chap cann`t exist. Am I right?
No. MPPE requires encryption keys. These can be generated by whatever auth method. If you use plain MSCHAP, MSCHAP generates them. If you use PEAP/MSCHAP, PEAP generates them - the MSCHAP MPPE keys are thrown away, and not used. If you use PEAP/GTC, again PEAP generates the MPPE keys. If you use TTLS/PAP, TTLS generates the MPPE keys.