[strongSwan] EAP lowest common denominator

Volodymyr Litovka doka.ua at gmx.com
Fri Mar 2 09:48:51 CET 2018

Hi colleagues,

which, from your experience, is the lowest common denominator for EAP 
methods availability on various clients (hardware appliances [Cisco, 
Juniper, Mikrotik, etc], software clients [Windows, MacOS, iOS]), if we 
don't talk about EAP-MSCHAPv2 ?

Since mschap use NTLM hash which isn't secure enough, it's not bad to 
store credentials in backend in a non-reversable format like SHA2. 
Looking at the following table - 
http://deployingradius.com/documents/protocols/compatibility.html - I 
see two possible ways to achieve this target: EAP-GTC or PAP, tunneled 
inside other EAP method (TTLS, PEAP, other which require only server 

So the question is - which pair of inner/outer EAP methods you will 
recommend to choose in order to get support for most client types and to 
have ability to store credentials in backend in non-reversable hash form?

Thank you.

Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

More information about the Users mailing list