Does freeradius-client library support CHAP protocol?

Alan DeKok aland at
Wed Mar 18 08:12:22 CET 2009

wlanmac wrote:
> I disagree that CHAP is without use. In fact, it could even be one of
> the most used protocols, at least for hotspot (captive portal)
> authentication, second to only PAP.

  It is one of the most used protocols after PAP, especially for hotspot
logins.  That doesn't make it a good idea.

  Most captive portals use CHAP because they were designed a long time
ago, and CHAP was more widely used then.

> I think you want to pick your
> protocol carefully, depending on the application and other requirements.
> PAP, for instance, is a bad choice if your shared secret isn't all that
> secret (like with FON, for instance).

  Yes.  But that doesn't mean CHAP is the best choice.

  I've seen switches that do CHAP for wired "captive portals".  This is
*crazy*, because most companies that can afford $5K for a switch use
Active Directory... which is incompatible with CHAP.

> In all, I think each protocol has
> its place and use. In some situations, protocols might be useless or
> unavailable. But, in other networks and environments, the same
> protocol might be very suitable or the only option available.

  There are very, very, few places where CHAP is suitable.  They mostly
are situations like "I want to use CHAP, because I want to use CHAP."

  Alan DeKok.
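
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of what the RADIUS server needs in order to verify PAP (RFC 2865 User-Password hiding) versus CHAP (RFC 1994 response). It shows why PAP depends entirely on the shared secret, and why CHAP cannot be checked against a store that keeps only one-way hashes. The function names, the PBKDF2 stand-in for a hash-only user store, and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: how the NAS hides User-Password."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: the shared secret alone yields the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || password || challenge)."""
    return _md5(bytes([chap_id]) + password + challenge)

def one_way(password: bytes, salt: bytes) -> bytes:
    # Stand-in (assumption) for a user store that keeps no cleartext.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def verify_pap(hidden, secret, authenticator, salt, stored_hash) -> bool:
    # PAP: the server sees the password, so a hash-only store can check it.
    candidate = one_way(pap_recover(hidden, secret, authenticator), salt)
    return hmac.compare_digest(candidate, stored_hash)

def verify_chap(chap_id, challenge, response, stored_password) -> bool:
    # CHAP: the server must recompute the MD5 over the cleartext itself.
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample values, not taken from the thread.
SECRET, PASSWORD, SALT = b"testing123", b"correct horse battery", b"constructed-salt"
AUTHENTICATOR, CHALLENGE, CHAP_ID = bytes(range(16)), bytes(range(16, 32)), 7
```

Passing a stored hash to `verify_chap` in place of the cleartext password always fails, which is the practical reason a hash-only directory cannot serve CHAP.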
