Is it possible to use CHAP authentication with pam_radius?
aland at deployingradius.com
Thu Sep 26 19:11:17 CEST 2019
On Sep 26, 2019, at 1:06 PM, Dan Swartzendruber <dswartz at druber.com> wrote:
> I'm trying to implement external authentication for an appliance running CentOS 7. My research turned up the easiest solution as simply installing pam_radius from the repository. I did, and it works just fine (tested against a Freeradius 3.0 server with a single test user.) Running freeradiux with '-X' indicates that is using PAP:
> For security reasons, I'd really like to use CHAP instead, but it doesn't seem to support that? The man pages and such don't mention CHAP. I went as far as downloading 1.4.0 and extracting the tarball and looking at the code. User-Password is Radius attribute 2, and looking at the source:
The pam_radius_auth module doesn't do CHAP.
TBH, any "security" argument is not really relevant. The whole idea of "PAP is insecure" is a marketing checklist, not a security analysis.
More information about the Freeradius-Users