Not sure I’d agree that an NTLMv2 hash is easier to crack than PAP. I’d take PEAPv0/EAP-MSCHAPv2 over EAP-TTLS/PAP any day. On 4/7/17, 4:00 PM, "Freeradius-Users on behalf of Matthew Newton" <freeradius-users-bounces+timc=hpe.com@lists.freeradius.org on behalf of mcn4@leicester.ac.uk> wrote: On Fri, Apr 07, 2017 at 07:39:48PM +0000, Brian Julin wrote: > Haven't seen one. Really we need some bored retiree to start a beer money > kickstarter to test and maintain giant compatibility tables, not just for this, but > for all the nuances of wifi chipsets. If they started at retiring age they'd be dead before it was even half finished if chipsets are included. > PAP should only be used when confined to unsniffable internal administrative > networks... there's no good reason to use it elsewhere as all it will do > is expose your user's passwords, which is worse than having no password > security at all. Nowt really wrong with PAP inside EAP/TTLS. At least, no worse than MSCHAPv2. With PAP the password is encrypted inside TTLS, and you can store it securely on the server. With MSCHAPv2 it's the same level of encryption over the wire (as the MSCHAPv2 is easy to break), *and* you have to store easy to break NTLM hashes on the server. i.e. EAP-TTLS/PAP is arguably more secure. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html