Does freeradius-client library support CHAP protocol?

Alan DeKok aland at
Tue Mar 17 19:46:55 CET 2009

Tarkshya wrote:
> If my understanding is correct, (and I might be totally wrong here),
> then the PAP protocol sends the user passwords in clear text over the
> wire.

  No.  The PAP protocol encrypts the password on the wire.

> On the other hand, CHAP protocol uses a shared secret between
> the client and server to encrypt the passwords being sent over the
> wire.

  No.  The CHAP protocol sends a *hash* of thge password.

> Since I do see the use of shared secret in freeradius-client library
> configuration file, I assume that the library does support CHAP.

  No.  The shared secret is used to sign RADIUS packets, and to encrypt
the PAP password.

> However, in the source code of the library, I notice that the section
> doing the CHAP processing is turned off using the #if 0 directive.
> Meaning CHAP is not being used.
> What gives?

  The code doesn't support CHAP.  CHAP is nearly useless, and not
recommended for new configurations.

> Also, after wading through the archives of this mailing list, I came
> across the post of one user who had asked exactly the same question,
> that is to say, whether CHAP is supported or not. The answer he got
> was that, "at this stage, better not use CHAP". This is an ambiguous
> reply as far as I am concerned because it evades a direct answer.

  What do you not understand about "better not use CHAP"?  It's a fine

  If you want a *detailed* explanation as to why, please ensure that you
understand how the basic protocol works, first.  There's no point in
giving a technical explanation if you're unfamiliar with the background

  Don't use CHAP.  It's useless.

  You can believe that, or you can spend days (weeks) reading about the
protocol, the encryption methods, and the common use cases.  After all
that effort, you will conclude that CHAP is nearly useless.

  Alan DeKok

More information about the Freeradius-Devel mailing list