Hi colleagues,
which, from your experience, is the lowest common denominator for EAP
methods availability on various clients (hardware appliances [Cisco,
Juniper, Mikrotik, etc], software clients [Windows, MacOS, iOS]), if we
don't talk about EAP-MSCHAPv2 ?
Since mschap use NTLM hash which isn't secure enough, it's not bad to
store credentials in backend in a non-reversable format like SHA2.
Looking at the following table -
http://deployingradius.com/documents/protocols/compatibility.html - I
see two possible ways to achieve this target: EAP-GTC or PAP, tunneled
inside other EAP method (TTLS, PEAP, other which require only server
certificate).
So the question is - which pair of inner/outer EAP methods you will
recommend to choose in order to get support for most client types and to
have ability to store credentials in backend in non-reversable hash form?
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
