I have configured a working EAP-TLS system and am now migrating to use EAP-TTLS (with both client side certificates and a password authentication mechanism).

I'm stuck trying to work out how to avoid sending the password unhashed to the server and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1 but I seem to get the right config (if it is even possible).

So, with this problem, can anybody suggest a way to use SHA1/SSHA1 or some other form of cryptographically secure, non-cleartext password within the inner authentication mechanism of EAP-TTLS for use in WPA2 Enterprise/802.1x?

If this is feasible/possible, are there any gotchas with the various supplicants in getting this to work from the client side and avoiding sending the passwords in cleartext (inside the EAP-TLS tunnel)?

Also, while I'm here, any suggestions for an appropriate backend password store so that there is never a cleartext password except for the initial entry (password change) on the server side would be appreciated.

cheers,
James
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html