On Jun 2, 2016, at 4:33 PM, Cornelius Kölbel <cornelius.koelbel@netknights.it> wrote:
Am Donnerstag, den 02.06.2016, 15:58 -0400 schrieb Arran Cudbard-Bell:
We actually have a commercial OTP solution via SafeNet, but it's a bit long in the tooth and also only supports PAP. However, I opened a ticket today and their newer versions actually support MSChapv2 so that might be the way to go if converting our token licenses isn't too ridiculous in cost.
Anything that'll give you the plaintext password from the OTP server back will work with MSCHAPv2.
The OTP server could return the plain text OTP password. But this is only the 2nd factor. It will not return the LDAP user password, which is the 1st factor.
Yeah, if you're using an LDAP server that doesn't give you access to the plaintext password, and if you're set on using passwords. Certificates do the job just as well. Especially if they're encrypted. -Arran