"Best" authentication mechanisms for Wi-Fi

Ben Humpert ben at an3k.de
Wed May 6 09:47:44 CEST 2015


2015-05-05 11:12 GMT+02:00 Hoggins! <hoggins at wheres5.com>:
> Hello list,
>
> We're using FreeRADIUS to authenticate users to access our Wi-Fi. It
> works very well.
> The thing is : we use a mechanism that works perfectly for Android and
> Linux (NetworkManager) clients, but some can't access it, due to
> limitations. I'm thinking of some Windows flavors here.
>
> We store our passwords hashed in a MySQL database, and recommend the
> users to connect using "WPA2 Enterprise (802.11x) using TTLS method and
> PAP for phase2.

EAP-TTLS is not supported by Windows 7 or older. However, there is a
"driver" for it from SecureW2 which was licensed under GPLv2 until
version 4.1.0 (still available on the net) but I don't know if older
systems than Windows 7 are supported.

> Do you think that we could find a more "universal" combination that even
> "old" Windows clients would be compatible with ?

What clients do you mean by "old"? If your oldest client is Windows XP
you can use PEAPv0/EAP-MSCHAPv2. I don't know if MAC OS supports
EAP-MSCHAPv2 (it does support PEAP however) and based on the search
results one has to use TTLS-PAP instead. At least Wikipedia states
that PEAPv0/EAP-MSCHAPv2 is supported by MAC OS.


More information about the Freeradius-Users mailing list