"Best" authentication mechanisms for Wi-Fi

Michael Ströder michael at stroeder.com
Tue May 5 11:33:57 CEST 2015

Hoggins! wrote:
> We're using FreeRADIUS to authenticate users to access our Wi-Fi. It
> works very well.
> The thing is: we use a mechanism that works perfectly for Android and
> Linux (NetworkManager) clients, but some can't access it, due to
> limitations. I'm thinking of some Windows flavors here.
> We store our passwords hashed in a MySQL database, and recommend the
> users to connect using "WPA2 Enterprise (802.11x) using TTLS method and
> PAP for phase2".
> Do you think that we could find a more "universal" combination that even
> "old" Windows clients would be compatible with?

I've also been through an EAP-TTLS/PAP setup with a Windows client over the
last days, using an OpenLDAP server as backend, also with strong-hashed
passwords. I do understand now why hotspot systems work with MAC addresses and
authc via obscure web interfaces to make things look convenient for the
average user. ;-)

My tests with Windows 8 showed that it tries to use NTLM passwords in EAP-TTLS 
by default.

But which route to take very much depends on your security requirements and 
operational preferences. Could you elaborate on that?

Ciao, Michael.
