Does freeradius-client library support CHAP protocol?

wlanmac wlan at
Wed Mar 18 07:25:06 CET 2009


I disagree that CHAP is without use. In fact, it could even be one of
the most used protocols, at least for hotspot (captive portal)
authentication, second to only PAP. I think you want to pick your
protocol carefully, depending on the application and other requirements.
PAP, for instance, is a bad choice if your shared secret isn't all that
secret (like with FON, for instance). In all, I think each protocol has
it's place and use. In some situations, protocols might be useless or
unavailable. But, in another networks and environments, the same
protocol might be very suitable or the only option available. 


On Tue, 2009-03-17 at 19:46 +0100, Alan DeKok wrote:
> Tarkshya wrote:
> > If my understanding is correct, (and I might be totally wrong here),
> > then the PAP protocol sends the user passwords in clear text over the
> > wire.
>   No.  The PAP protocol encrypts the password on the wire.
> > On the other hand, CHAP protocol uses a shared secret between
> > the client and server to encrypt the passwords being sent over the
> > wire.
>   No.  The CHAP protocol sends a *hash* of thge password.
> > Since I do see the use of shared secret in freeradius-client library
> > configuration file, I assume that the library does support CHAP.
>   No.  The shared secret is used to sign RADIUS packets, and to encrypt
> the PAP password.
> > However, in the source code of the library, I notice that the section
> > doing the CHAP processing is turned off using the #if 0 directive.
> > Meaning CHAP is not being used.
> > 
> > What gives?
>   The code doesn't support CHAP.  CHAP is nearly useless, and not
> recommended for new configurations.
> > Also, after wading through the archives of this mailing list, I came
> > across the post of one user who had asked exactly the same question,
> > that is to say, whether CHAP is supported or not. The answer he got
> > was that, "at this stage, better not use CHAP". This is an ambiguous
> > reply as far as I am concerned because it evades a direct answer.
>   What do you not understand about "better not use CHAP"?  It's a fine
> answer.
>   If you want a *detailed* explanation as to why, please ensure that you
> understand how the basic protocol works, first.  There's no point in
> giving a technical explanation if you're unfamiliar with the background
> information.
>   Don't use CHAP.  It's useless.
>   You can believe that, or you can spend days (weeks) reading about the
> protocol, the encryption methods, and the common use cases.  After all
> that effort, you will conclude that CHAP is nearly useless.
>   Alan DeKok
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Devel mailing list