I am looking into CHAP authentication, and I am having difficulties understanding what the CHAP-Challenge attribute is exactly for. Using the radclient utility that ships with freeradius-server 2.2.0 I can do the following: echo "User-Name = MyName, CHAP-Password = MyPassword, CHAP-Challenge = 0123456789" | ./radclient 192.168.0.2 auth SharedSecret Provided that the RADIUS server at 192.168.0.2 is alive and correctly configured (i.e. username, password and shared all match the values above) everything works fine, in that the CHAP authentication succeeds, as expected. However, if I do echo "User-Name = MyName, CHAP-Password = MyPassword" | ./radclient 192.168.0.2 auth SharedSecret this also succeeds. So, what's the use of the CHAP-Challenge attribute? RFC 2865 says that if its value is 16 bytes long then this value can be that of the Request Authenticator field, thus disposing of CHAP-Challenge altogether. What does therefore CHAP-Challenge do that is not already done by the Request Authenticator field? Are there any sets of circumstances in which using the CHAP-Challenge attribute is advisable? Actually, what's the point of using CHAP-Password at all, when User-Password seems to be at least as, if not more, secure a protocol?