Hi,
yes I tried to use a TTLS-PAP profile and it worked without any reconfiguration.
I dont like the thought of having weak passwords in LDAP at all and on the other hand TLS on radius clients can also not be made 100% secure.
So I guess my next steps is to go for client certs for the people with a lot of permissions on systems.
When using passwords, there is no good solution. PAP exposes the password to an attacker as soon as the user is negligent and "clicks accept" to an unknown server warning. But in exchange, you can use more advanced hashing techniques on your database backend; e.g. salted SHA-512 would work for password backend storage. MSCHAPv2 transmits the password in not-quite-cleartext (but really do not have any illusions that this is proper security); but in exchange, you need to store the passwords in your DB in either cleartext or NT-Hash format. If you need more than that, a more recent choice with passwords (but without the opportunity to "click accept" at all) is EAP-pwd. Or if you do make the leap to client certs, EAP-TLS. That's about all the options you have. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66