This is a discussion on EAP-TTLS inner auth methods for 802.1x within the FreeRADIUS Users forums, part of the Networking and Network Related category.
I have configured a working EAP-TLS system and am now migrating to use EAP-TTLS (with both client side certificates and a password authentication mechanism). I'm stuck trying to work out how to avoid sending the password unhashed to the server and think that some form of CHAP/MSCHAPv2 might be the right way to go. My current thoughts are that I should use PAP with SHA1 or SSHA1, but I seem to get the right config (if it is even possible).

So, with this problem, can anybody suggest a way to use SHA1/SSHA1 or some other form of cryptographically secure, non-cleartext password within the inner authentication mechanism of EAP-TTLS for use in WPA2 Enterprise/802.1x? If this is feasible/possible, are there any gotchas with the various supplicants to getting this to work from the client side and avoiding sending the passwords in cleartext (inside the EAP-TLS tunnel)?

Also, while I'm here, any suggestions for an appropriate backend password store so that there is never a cleartext password except for the initial entry (password change) on the server side would be appreciated.

cheers,
James

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
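As an added illustration (not part of the post above or of FreeRADIUS itself) of the salted-SHA1 store the question refers to: an LDAP-style {SSHA} value is base64(sha1(password + salt) + salt), and a server that receives the password itself over PAP inside the TTLS tunnel can recompute it, whereas CHAP and MS-CHAPv2 responses can only be checked against the cleartext password or its NT hash, so they cannot be verified against such a store. The user name, password and fixed salt below are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SSHA_PREFIX = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} string: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the salted SHA1 from the candidate password and compare."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# Constructed sample store: only the salted hash is kept, never the password.
SAMPLE_STORE: Dict[str, str] = {
    "james": make_ssha("correct horse battery", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
}


def can_verify_against_hash_store(inner_method: str) -> bool:
    """PAP hands the server the password, so a hash store works; CHAP needs
    the cleartext and MS-CHAPv2 needs the NT hash, so neither can use it."""
    return inner_method.upper() == "PAP"


def check_pap_login(user: str, password: str,
                    store: Dict[str, str] = SAMPLE_STORE) -> bool:
    """What the server does with a PAP User-Name/User-Password from the tunnel."""
    stored = store.get(user)
    if stored is None:
        return False
    return verify_ssha(password, stored)
```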