Hi colleagues,

which, from your experience, is the lowest common denominator for EAP method availability on various clients (hardware appliances [Cisco, Juniper, Mikrotik, etc.], software clients [Windows, macOS, iOS]), if we don't talk about EAP-MSCHAPv2?

Since MSCHAP uses the NTLM hash, which isn't secure enough, it's not bad to store credentials in the backend in a non-reversible format like SHA2. Looking at the following table - http://deployingradius.com/documents/protocols/compatibility.html - I see two possible ways to achieve this target: EAP-GTC or PAP, tunneled inside another EAP method (TTLS, PEAP, or others which require only a server certificate).

So the question is: which pair of inner/outer EAP methods would you recommend choosing in order to get support for most client types and to have the ability to store credentials in the backend in non-reversible hash form?

Thank you.

Volodymyr Litovka
