Does freeradius-client library support CHAP protocol?
tarkshya at gmail.com
Thu Apr 2 00:50:08 CEST 2009
I am going to build CHAP support in the freeradius client library. My
question is, does freeradius server at least support CHAP? Or do I
have to find another radius server to deploy it in CHAP mode?
Does anybody know any other radius servers that support CHAP, and
possibly MS-CHAP too?
On Wed, Mar 18, 2009 at 12:43 PM, wlanmac <wlan at mac.com> wrote:
> It might be good timing then, for CoovaChilli to start expanding beyond
> PAP and CHAP. To that end, I added some MS-CHAPv2 features into the SVN
> version. Support for MS-CHAPv2 comes in two flavors:
> - In the chilli logon URL, it already looks for a 'password' (encoded
> p/w for PAP) or a 'response' (for CHAP), and now accepts
> 'ntresponse' (for MS-CHAPv2). This will allow the portal to format a
> MS-CHAPv2 Response to have chilli send through.
> - An option 'mschapv2' which will use MS-CHAPv2 instead of PAP for
> authentication where the logon URL is sent a 'password'. For the
> additional crypto, I started to use OpenSSL (optional during configure) -
> which might allow for additional features too.
> Questions, comments, or bug reports please reply to chilli's list.
> On Wed, 2009-03-18 at 08:12 +0100, Alan DeKok wrote:
>> wlanmac wrote:
>> > I disagree that CHAP is without use. In fact, it could even be one of
>> > the most used protocols, at least for hotspot (captive portal)
>> > authentication, second only to PAP.
>> It is one of the most used protocols after PAP, especially for hotspot
>> logins. That doesn't make it a good idea.
>> Most captive portals use CHAP because they were designed a long time
>> ago, and CHAP was more widely used then.
>> > I think you want to pick your
>> > protocol carefully, depending on the application and other requirements.
>> > PAP, for instance, is a bad choice if your shared secret isn't all that
>> > secret (like with FON, for instance).
>> Yes. But that doesn't mean CHAP is the best choice.
>> I've seen switches that do CHAP for wired "captive portals". This is
>> *crazy*, because most companies that can afford $5K for a switch use
>> Active Directory... which is incompatible with CHAP.
>> > In all, I think each protocol has
>> > its place and use. In some situations, protocols might be useless or
>> > unavailable. But, in other networks and environments, the same
>> > protocol might be very suitable or the only option available.
>> There are very, very, few places where CHAP is suitable. They mostly
>> are situations like "I want to use CHAP, because I want to use CHAP."
>> Alan DeKok.
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
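
Added example, not part of the original thread and not freeradius-client or CoovaChilli code: what a client has to build for RADIUS CHAP (the CHAP-Password and CHAP-Challenge attributes of RFC 2865, with the RFC 1994 MD5 response), and why a server that stores only a one-way hash of the password cannot verify it. The function names are hypothetical, the password and challenge are constructed sample values, and SHA-256 stands in for whatever one-way format a hash-only store uses.

```python
import hashlib
import hmac

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60  # RFC 2865 attribute types

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute: type, length, CHAP ident, 16-octet response."""
    value = bytes([chap_id]) + chap_response(chap_id, password, challenge)
    return bytes([CHAP_PASSWORD, 2 + len(value)]) + value

def chap_challenge_attr(challenge: bytes) -> bytes:
    """CHAP-Challenge attribute carrying the challenge the NAS issued."""
    return bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge

def server_verify(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Recompute the response from whatever the server has stored."""
    if len(attr) != 19 or attr[0] != CHAP_PASSWORD or attr[1] != 19:
        return False  # malformed attribute
    expected = chap_response(attr[2], stored_secret, challenge)
    return hmac.compare_digest(attr[3:], expected)

def demo() -> dict:
    password = b"hotspot-user-pw"   # constructed sample value
    challenge = bytes(range(16))    # constructed; a real NAS uses random octets
    attr = chap_password_attr(0x2A, password, challenge)
    hashed = hashlib.sha256(password).digest()  # stand-in for a hash-only store
    return {
        "attr_header": attr[:3].hex(),
        "cleartext_store": server_verify(attr, challenge, password),
        "hash_only_store": server_verify(attr, challenge, hashed),
        "wrong_password": server_verify(attr, challenge, b"guess"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the server holding the cleartext password reproduces the response; the hash-only store fails exactly as a wrong password does.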