On 29/01/2007, at 11:03 PM, [EMAIL PROTECTED] wrote:
> MSCHAPv2 is the main way to go. Offering challenge/response means
> the password is never sent in the clear. Alternatively you could use
> MD5 instead of plain, but client support is an issue...

After reading through Alan DeKok's compatibility page and a bit
further research from that, it would appear that the risk of
compromise is greater from poor storage on the server than the
transient cleartext credentials inside the EAP-TLS session.
cheers,
James