HotSpot 2.0 and EAP-TTLS (MS-CHAPv2)
Last Post: March 24, 2017
I'm working on a PoC for a small ISP which runs an open hotspot network around the city. I've been poring over the updated (Dec 7th 2016) "WiFi CERTIFIED Passpoint (Release 2) Deployment Guidelines Rev 1.1" from the WiFi Alliance and have noticed in "Section 2.2 Hotspot 2.0 Network Deployment using Non-cellular Network Credentials for Authentication" that it mentions specifically using MS-CHAPv2 as the inner method for EAP-TTLS.
I wanted to ask if MS-CHAPv2 is a suggested method or if it is the standard for using EAP-TTLS in a HS2.0 deployment? I ask this because originally we were planning to go with PAP due to concerns from an internal developer when it comes to storing password hashes (not really something I'm an expert on). He was concerned that the method that MS-CHAPv2 stores passwords on a server is very easy to crack, whereas I think with PAP he can store passwords with his own custom method.
Thanks for your comments and guidance!
To be Passpoint certified, an AP/client must support EAP-TTLS(MS-CHAPv2). While support for other EAP types may be allowed, there is no guarantee the clients would support them even if they were Passpoint certified.
Thank you Tom! Your response makes it crystal clear for me.