[RADIATOR] Unicode in nthash passwords
Hosek, Ondrej
ondrej.hosek at tuwien.ac.at
Wed Apr 15 13:22:23 UTC 2026
Hi C.,

On Wed, 2026-04-15 at 15:02 +0200, C R wrote:
> so I guess one of the few options
> would be EAP-TTLS with an application password. This way the main
> password can be used for SSO with MFA support while the Network one
> can be used without it.

Yup, our network password is already independent of our SSO password.
However, both PEAP and EAP-TTLS seem to require the choice of an inner
authentication protocol, and I expect many of our clients will have
"allow MSCHAPv2 and nothing else" configured. Thus, until we decide to
take the plunge and tell everyone to switch to PAP (and assuage their
fears that although Windows' connection settings call it "unencrypted
password", it's always transmitted over an encrypted channel), we are
stuck with NT hashes in the database.

We follow eduroam recommendations and allow both PEAP and EAP-TTLS.

Cheers,
~~ Ondra