MS-CHAP: what password backends can be used?

Alan DeKok aland at
Thu May 11 15:42:00 CEST 2006

Alain Fauconnet <alain at> wrote:
> Then I must have missed it. I probably have searched for the wrong
> keywords... yes, I see now in the FAQ, I should have searched for
> "chap" and not "ms-chap" or "mschap". Sorry.

  You're not the first person to ask this question.  Google should
return a *lot* of answers.

> This is PPTP so encryption is MPPE.
> When you configure a Windows client for a VPN (PPTP)
> connection, if you enable encryption and allow anything but MS-CHAP
> and MS-CHAP-V2, it says that if anything else is used (such as PAP),
> encryption will be disabled.

  Ah.  That would appear to be definitive, then.

> Well, I've inherited this installation and the Radius service is used
> for a dozen different things so I have to be very careful not to break
> anything. Anyway why is PAM so evil by itself?

  I've been working with PAM for many years.  I've never liked it.

  If nothing else, PAM isn't designed to be used in the way that
FreeRADIUS is using it: one process doing many PAM authentications.
It's meant to be used by "login", and similar programs.  We've had
problems in the past with PAM because of this.

> OK, assuming I have a smbpasswd format file somewhere (not the case
> now), I should configure the mschap *and* passwd modules,
> uncommenting out:


  Alan DeKok.
