EAP-TTLS inner auth methods for 802.1x

James Lever j at jamver.id.au
Mon Jan 29 22:27:25 CET 2007


On 29/01/2007, at 11:03 PM, A.L.M.Buxey at lboro.ac.uk wrote:

> MSCHAPv2 is the main way to go. Offering challenge/response means
> the password is never sent clear. Alternatively you could use
> MD5 instead of plain. But client support is an issue...

After reading through Alan DeKok's compatibility page and a bit  
further research from that, it would appear that the risk of  
compromise is greater from poor storage on the server than the  
transient cleartext credentials inside the EAP-TLS session.

cheers,
James
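
The trade-off discussed in this thread, as an added example that is not part of either poster's message: an MD5 challenge/response (RFC 1994 CHAP style) keeps the password off the wire but needs the cleartext on the server, while a plain password sent inside the tunnel can be checked against a salted hash. The function names, the sample password and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_verify_chap(stored_secret: bytes, ident: int,
                       challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response, so it needs the same secret
    # the client typed: the cleartext password.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def make_salted_record(password: bytes, iterations: int = 100_000):
    # One-way, salted storage (PBKDF2 is an assumption for this example).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, digest


def server_verify_plain(record, presented: bytes) -> bool:
    # Plain password delivered inside the TLS tunnel: hash it and compare.
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed sample value
    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password, challenge)
    record = make_salted_record(password)
    return {
        # Challenge/response succeeds only when the server holds cleartext.
        "chap_cleartext_store": server_verify_chap(password, ident, challenge, response),
        # With only the salted digest stored, the response cannot be checked.
        "chap_salted_store": server_verify_chap(record[2], ident, challenge, response),
        # Tunnelled plain password works against the salted record.
        "plain_salted_store": server_verify_plain(record, password),
        "plain_wrong_password": server_verify_plain(record, b"wrong-guess"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```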





