OS / Protocol Compatibility
Cappalli, Tim (Aruba Security)
timc at hpe.com
Fri Apr 7 22:05:09 CEST 2017
Not sure I’d agree that an NTLMv2 hash is easier to crack than PAP.
I’d take PEAPv0/EAP-MSCHAPv2 over EAP-TTLS/PAP any day.
On 4/7/17, 4:00 PM, "Freeradius-Users on behalf of Matthew Newton" <freeradius-users-bounces+timc=hpe.com at lists.freeradius.org on behalf of mcn4 at leicester.ac.uk> wrote:
On Fri, Apr 07, 2017 at 07:39:48PM +0000, Brian Julin wrote:
> Haven't seen one. Really we need some bored retiree to start a beer money
> kickstarter to test and maintain giant compatibility tables, not just for this, but
> for all the nuances of wifi chipsets.
If they started at retiring age they'd be dead before it was even
half finished if chipsets are included.
> PAP should only be used when confined to unsniffable internal administrative
> networks... there's no good reason to use it elsewhere as all it will do
> is expose your users' passwords, which is worse than having no password
> security at all.
Nowt really wrong with PAP inside EAP/TTLS. At least, no worse
than MSCHAPv2. With PAP the password is encrypted inside TTLS, and
you can store it securely on the server. With MSCHAPv2 it's the
same level of encryption over the wire (as the MSCHAPv2 is easy to
break), *and* you have to store easy to break NTLM hashes on the
server.
i.e. EAP-TTLS/PAP is arguably more secure.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html