An advantage of TTLS I forgot to mention is that when PAP or CHAP is not the best authentication method, one can always use EAP /over/ TTLS as well, so in fact there are many authentication protocols supported within TTLS :-) This is nice when it turns out TTLS is not the way to go, but the complete infrastructure uses it already: it's always good (and of course an open standard).
I thought that was also what PEAP was all about. The name "protected EAP" refers to arbitrary EAP method data transported in a TLS-secured channel (with server-only authentication). So different EAP methods should be supported in PEAP too. Am I wrong?
As far as I've seen, the MS supplicant implementation of PEAP only supports MS-CHAPv2 over PEAP. That makes it hard (if not impossible) to authenticate against e.g. a Unix passwd file (or an existing LDAP directory) as a backend.
You might be right that EAP /can/ be transported over PEAP as well, but I'm not sure. (I've not looked that much at PEAP since I saw some of its main disadvantages. ;-))
Paul
P.S. (I think there are also problems here since PEAP is terminated at the first RADIUS server (the one where the authenticator checks credentials): using "weak" authentication like PAP when proxying between RADIUS servers opens more possibilities for man-in-the-middle attacks and/or sniffing. Again, I'm not sure; I haven't tested this yet. Maybe I'll look at this later.)
