Protocol recommendation

Alan DeKok aland at
Tue Apr 5 22:42:38 UTC 2022

On Apr 5, 2022, at 1:22 PM, Olivier <oza.4h07 at> wrote:
> I've read this [1] article. It is very interesting but I would
> appreciate some explaination about the final recommendations
> paragraph.
> Specifically, this paragraph contains:
> "If MS-CHAPv2 is required for operational or inter-operability
> reasons, we recommend running it over a secure management network. The
> Microsoft MFA server does not support MFA with MS-CHAPv2. Or, running
> TTLS + MS-CHAPv2. Though it has no benefits (and many drawbacks!) over
> TTLS + PAP."
> 1. What does "we recommend running [MS-CHAPv2] over a secure
> management network"  implies, here ?

  Don't put RADIUS packets over the Internet.  If the RADIUS packets are internal to your network, that's fine.

  If you have to send RADIUS packets over the Internet, then use IPSec or TLS in order to protect / hide their contents.

> 2. What does "Or, running TTLS + MS-CHAPv2" excatly means, here ?

  Use TTLS, with MS-CHAPv2 inside of the TLS tunnel.  See mods-available/eap for EAP / TTLS configuration.

  Alan DeKok.

More information about the Freeradius-Users mailing list