OS / Protocol Compatibility

Matthew Newton mcn4 at leicester.ac.uk
Fri Apr 7 22:31:07 CEST 2017


On Fri, Apr 07, 2017 at 08:05:09PM +0000, Cappalli, Tim (Aruba Security) wrote:
> Not sure I’d agree that an NTLMv2 hash is easier to crack than PAP.

That wasn't what I said...

It is easily possible to crack MSCHAPv2. With TTLS, both are in
the same level of encrypted tunnel, so essentially equivalent.
When the client doesn't properly trust the RADIUS server, both are
broken.

But with PAP you can store the password on the server in the most
secure way possible with $today's technology. With MSCHAPv2 you
are limited to NTLM hashes, which are broken.

> I’d take PEAPv0/EAP-MSCHAPv2 over EAP-TTLS/PAP any day.

Of course, anyone can choose what they're going to use. A lot of
people just permit both, and TBH given that convenience for the
end client device generally takes precedence over security the
difference between them is probably not worth worrying about. :(

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list