libpam-radius-auth and EAP

Sebastien Chapiron sebastien.chapiron at
Wed Mar 10 22:23:34 CET 2010

I'm trying to set up a radius server in order to authenticate users from
OpenVPN and I am therefore using the libpam-radius-auth plugin (on Ubuntu
Since the RADIUS requests that this lib sends are using PAP (as far as I can
tell from the freeradius debug output), I was wondering whether it would be
possible to send EAP messages using libpam-radius-auth (or at least [MS]CHAP)?
I don't even know if it makes sense since EAP messages are in theory sent
between the radius server and the access client (not the radius client as
libpam-radius-auth enables a host to be).
The point is that I don't quite like my users' passwords (connected via
OpenVPN) to be weakly encrypted by the shared secret between the radius
client and server and even worse, visible as plain-text in FR debug output.
I hope someone will be able to shed some light here because I might be
confused over this whole EAP over RADIUS thing... I just want the easiest
solution to make the radius communications more secure in my scenario.

Thanks for your help ;)

P.S: using IPSec to secure the channel between the radius client and server
is too much pain in the ass to be considered as a viable solution. I'm not
*that* paranoid!
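
The PAP behaviour raised in the message above, as an added example that is not part of the original post nor code from libpam-radius-auth or FreeRADIUS: the User-Password hiding of RFC 2865 section 5.2, where the value on the wire is the password XORed with an MD5 keystream keyed by the shared secret, so the server always recovers the cleartext. Function names, the secret and the password are constructed for illustration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS client side: build the User-Password value (RFC 2865, 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # b1 = MD5(secret + RA), b(n) = MD5(secret + c(n-1))
        keystream = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], keystream)
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: same keystream, so the cleartext comes straight back."""
    if len(hidden) == 0 or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password value")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += _xor(block, keystream)
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"shared-secret-constructed"        # constructed sample value
    ra = os.urandom(16)                          # Request Authenticator
    hidden = hide_password(b"users-vpn-password", secret, ra)
    print("on the wire :", hidden.hex())
    print("at server   :", reveal_password(hidden, secret, ra))
```

The protection of the password therefore rests entirely on the shared secret and the unpredictability of the Request Authenticator; anything that holds the secret, including the server's debug logging, sees the cleartext.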