I have a test hotspot set to use RADIUS to permit hotspot logins. I don’t need the RADIUS servers to supply anything to the MT other than yes/no to login requests.
The preferred RADIUS servers are using a flat file and Unix password authentication. I cannot use http-chap as a login-by= authentication method in /ip hotspot profile. I have to use http-pap to make the authentication work. This is a Radiator RADIUS server that works for existing non-MT authentication needs.
I have another production RADIUS server (FreeRADIUS) we use successfully for PPPoE, set up as described in the wiki here. It uses MySQL for the authentication database and works fine with http-chap, but the RADIUS server hands out the IP address that a PPPoE server would use, and I don’t want the RADIUS server to provide a hotspot MT login an IP address.
Does this mean the password is unencrypted over the air when the user logs into the hotspot when using the http-pap authentication method?
If so, what is the best method to encrypt the login process?
I don’t really want login passwords viewable by someone observing wireless traffic with Ethereal/Wireshark/tcpdump.
If a certificate is used, must it be an HTTPS certificate made for each MT hotspot host?
I have a third RADIUS server for testing that can run FreeRADIUS or Radiator if neither of these setups is usable.
Thanks!