There's a wireless network that I sometimes need to connect to that uses WPA2 with EAP-TTLS and PAP as the "inner" protocol.
I've been sent a certificate file (presumably for the TTLS to work) and given a user identity and an initial password (which I was advised to - and did - change through a web interface).
Now, is it correct that the above configuration implies that my identity and my password (the one I chose through the web interface) will be available to the authentication server (not encrypted / hashed)?
Background: The combination of user id and password is not only used to access that network but also to authenticate me at some web sites, on which I can perform tasks that may result in legal consequences for me. Note that the web sites and the network are provided by the same institution, and I cannot change passwords (or identity) for any of those separately. Thus I'm concerned that a malicious actor with access to the authentication server of that network can (ab)use my identity and password.