OS / Protocol Compatibility

Matthew Newton mcn4 at leicester.ac.uk
Fri Apr 7 22:00:30 CEST 2017


On Fri, Apr 07, 2017 at 07:39:48PM +0000, Brian Julin wrote:
> Haven't seen one.  Really we need some bored retiree to start a beer money
> kickstarter to test and maintain giant compatibility tables, not just for this, but
> for all the nuances of wifi chipsets.

If they started at retiring age they'd be dead before it was even
half finished if chipsets are included.

> PAP should only be used when confined to unsniffable internal administrative
> networks... there's no good reason to use it elsewhere as all it will do
> is expose your users' passwords, which is worse than having no password
> security at all.

Nowt really wrong with PAP inside EAP/TTLS. At least, no worse
than MSCHAPv2. With PAP the password is encrypted inside TTLS, and
you can store it securely on the server. With MSCHAPv2 it's the
same level of encryption over the wire (as the MSCHAPv2 is easy to
break), *and* you have to store easy to break NTLM hashes on the
server.

i.e. EAP-TTLS/PAP is arguably more secure.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
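
To illustrate the storage point made in the reply above (an added example, not part of the original post and not FreeRADIUS code): with PAP inside the TLS tunnel the server can keep only a salted, slow hash, while a challenge-response method forces it to keep a fixed value that works as the secret itself. The challenge-response half is a simplified HMAC stand-in, not MSCHAPv2; all function names, the iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, for illustration only


def enroll_pap(password: str) -> dict:
    """Server-side record for a PAP user: random salt plus slow hash, no password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_pap(record: dict, tunnelled_password: str) -> bool:
    """PAP in TTLS: the server sees the password after TLS decryption and re-derives."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", tunnelled_password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


def enroll_cr(password: str) -> bytes:
    """Stand-in for a challenge-response credential: unsalted and deterministic,
    because client and server must each derive the same key independently."""
    return hashlib.sha256(password.encode()).digest()


def cr_response(stored_key: bytes, challenge: bytes) -> bytes:
    """Both sides compute this; whoever holds stored_key can answer a challenge."""
    return hmac.new(stored_key, challenge, hashlib.sha256).digest()


def compare_storage(password: str = "constructed-sample-pw") -> dict:
    """Enroll two users with the same password under each scheme and compare."""
    pap_a, pap_b = enroll_pap(password), enroll_pap(password)
    cr_a, cr_b = enroll_cr(password), enroll_cr(password)
    challenge = os.urandom(16)
    return {
        # Salting: equal passwords are not visible in the PAP credential store.
        "pap_records_differ": pap_a["digest"] != pap_b["digest"],
        "pap_accepts_right": verify_pap(pap_a, password),
        "pap_rejects_wrong": not verify_pap(pap_a, password + "x"),
        # Challenge-response: stored values collide for equal passwords ...
        "cr_records_identical": cr_a == cr_b,
        # ... and the stored value alone yields a valid response (password-equivalent).
        "cr_store_is_password_equivalent": hmac.compare_digest(
            cr_response(cr_a, challenge), cr_response(enroll_cr(password), challenge)),
    }


if __name__ == "__main__":
    for name, value in compare_storage().items():
        print(f"{name}: {value}")
```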


More information about the Freeradius-Users mailing list