A Technical Comparison of TTLS and PEAP
Subject:   it's been a while
Date:   2005-08-05 12:10:49
From:   KrisB
It's been a while since the last update on client support in this article's comments.

Interestingly, TTLS still seems to be the most widely supported on the client end... at least when you consider non-MS OSes.

Additionally, PEAP suffers some security issues if you want to use u:p authentication -- you have to store the passwords in plaintext or at least reversible encryption. This is inherently insecure and a big "no-no". Yes, you can hack the PEAP-GTC EAP method to do it, but it is just that -- a hack. TTLS, on the other hand, will let you use PAP within the tunnel to authenticate, meaning you can store passwords that have been crypt()'d or otherwise secured... PEAP uses CHAP, which uses a challenge-handshake and can only prove that it knows the right password -- but the server has to have the plaintext password available, too.

All in all, TTLS appears to be the most robust, cheapest and all-round best way of doing things, especially if you have to support non-MS OSes.

Oh, and someone had commented about using LEAP -- this is a Bad Idea. Major security flaws have been discovered in LEAP, and you might as well stick with WEP, too, while you're at it!

Kris Benson, CCP, I.S.P.
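As an added example (not part of KrisB's comment or of the original article), the following Python shows the storage difference the comment is getting at. A PAP check inside the tunnel receives the plaintext password and only needs the salted hash the server already keeps at rest, while a CHAP response per RFC 1994 (MD5 over identifier, secret and challenge) can only be verified by recomputing it, which requires the server to hold the plaintext secret. The user database, the fixed salt, the challenge and the use of PBKDF2 in place of a real crypt() hash are all constructed for the demo.

```python
"""Constructed demo: PAP-over-tunnel vs CHAP (RFC 1994) and what the server must store."""
import hashlib
import hmac
from typing import Optional, Tuple

# Stand-in for a crypt()'d entry: a salted PBKDF2 hash. The real scheme in a
# deployment would differ; the point is only that the plaintext is not kept.
def make_stored_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user database: username -> (salt, hash). No plaintext anywhere.
DEMO_SALT = b"fixed-salt-for-demo"
USER_DB = {"alice": (DEMO_SALT, make_stored_hash("correct horse battery staple", DEMO_SALT))}


# --- PAP inside the TLS tunnel -------------------------------------------
# The client sends the plaintext password through the encrypted tunnel.
# The server hashes it with the stored salt and compares; the hash at rest
# is all it needs.
def pap_verify(username: str, password: str) -> bool:
    entry = USER_DB.get(username)
    if entry is None:
        return False
    salt, stored = entry
    candidate = make_stored_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


# --- CHAP (RFC 1994) ------------------------------------------------------
# Response = MD5(identifier || secret || challenge). The client proves it
# knows the secret without sending it, but the server can only check the
# response by recomputing it, and that recomputation needs the same secret.
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_secret_from_db(username: str) -> Optional[str]:
    """What the server can recover from USER_DB for CHAP: nothing, because
    a salted hash cannot be turned back into the secret."""
    return None if username in USER_DB else None


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                server_secret: Optional[str]) -> bool:
    """Server-side CHAP check. server_secret is whatever the server holds at
    rest for this user; with only a hash available (None) there is nothing
    to recompute from, so the response cannot be validated."""
    if server_secret is None:
        return False
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Runs both exchanges for alice against the hash-only database."""
    password = "correct horse battery staple"
    challenge = bytes(range(16))  # constructed challenge value
    ident = 1

    pap_ok = pap_verify("alice", password)          # True: hash at rest suffices
    pap_bad = pap_verify("alice", "wrong password")  # False

    # Client side of CHAP: it has the plaintext and can answer the challenge.
    response = chap_response(ident, password, challenge)
    # Server with only the hashed database: cannot verify a correct response.
    chap_hash_only = chap_verify(ident, challenge, response, chap_secret_from_db("alice"))
    # Server that stored the plaintext (the "no-no"): verification works.
    chap_plaintext = chap_verify(ident, challenge, response, password)
    return pap_ok, pap_bad, chap_hash_only, chap_plaintext


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, False, True)`: PAP verifies against the hash-only store, CHAP cannot be verified from that store at all, and only a server that keeps the plaintext can check a CHAP response.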