On 09/04/14 13:38, Phil Mayers  wrote:
1. Use MSCHAP which needs NTLMv1

http://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

in the picture here, is the NTLM traffic from the FreeRADIUS server to the Active Directory server encrypted? if not, can it be?

> 2. Use TTLS/PAP, and check passwords via Kerberos/LDAP bind. 

Is this way recommended? the part about using PAP scares me. (Clear-text password in local configuration file (PAP)) - http://wiki.freeradius.org/glossary/Authentication