Does freeradius-client library support CHAP protocol?

wlanmac wlan at
Wed Mar 18 17:43:44 CET 2009

It might be good timing then, for CoovaChilli to start expanding beyond
PAP and CHAP. To that end, I added some MS-CHAPv2 features into the SVN
version. Support for MS-CHAPv2 comes in two flavors:

- In the chilli logon URL, it already looks for a 'password' (encoded
p/w for PAP) or a 'response' (for CHAP), and now accepts
'ntresponse' (for MS-CHAPv2). This will allow the portal to format an
MS-CHAPv2 Response to have chilli send through.

- An option 'mschapv2' which will use MS-CHAPv2 instead of PAP for
authentication where the logon URL is sent a 'password'. For the
additional crypto, started to use OpenSSL (optional during configure) -
which might allow for additional features too. 

Questions, comments, or bug reports: please reply to chilli's list.


On Wed, 2009-03-18 at 08:12 +0100, Alan DeKok wrote:
> wlanmac wrote:
> > I disagree that CHAP is without use. In fact, it could even be one of
> > the most used protocols, at least for hotspot (captive portal)
> > authentication, second only to PAP.
>   It is one of the most used protocols after PAP, especially for hotspot
> logins.  That doesn't make it a good idea.
>   Most captive portals use CHAP because they were designed a long time
> ago, and CHAP was more widely used then.
> > I think you want to pick your
> > protocol carefully, depending on the application and other requirements.
> > PAP, for instance, is a bad choice if your shared secret isn't all that
> > secret (like with FON, for instance).
>   Yes.  But that doesn't mean CHAP is the best choice.
>   I've seen switches that do CHAP for wired "captive portals".  This is
> *crazy*, because most companies that can afford $5K for a switch use
> Active Directory... which is incompatible with CHAP.
> > In all, I think each protocol has
> > its place and use. In some situations, protocols might be useless or
> > unavailable. But, in other networks and environments, the same
> > protocol might be very suitable or the only option available.
>   There are very, very, few places where CHAP is suitable.  They mostly
> are situations like "I want to use CHAP, because I want to use CHAP."
>   Alan DeKok.
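
The trade-off argued in this thread, as an added example that is not part of the original posts and is not CoovaChilli or FreeRADIUS code: RADIUS PAP hides User-Password with the shared secret (RFC 2865, section 5.2), so whoever holds that secret can recover the password, while CHAP (RFC 1994) never sends the password but can only be checked by a server that stores it in cleartext. All secrets, passwords, authenticators and challenges below are constructed sample values, and SHA-256 is only a stand-in for a one-way stored hash.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS User-Password hiding (RFC 2865, section 5.2)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        hidden += block
        prev = block  # the next pad chains on the previous hidden block
    return hidden

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What every holder of the shared secret (the RADIUS server included) can do."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response (RFC 1994): MD5(identifier || password || challenge)."""
    return _md5(bytes([ident]) + password + challenge)

def chap_verify(ident: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server-side check: recompute the response from whatever the server stores."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

# Constructed sample values, not taken from any real deployment.
SECRET = b"nas-shared-secret"
PASSWORD = b"guest-password-longer-than-16"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))

def demo() -> dict:
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    response = chap_response(7, PASSWORD, CHALLENGE)
    one_way = hashlib.sha256(PASSWORD).digest()  # stand-in for a one-way stored hash
    return {
        "pap_recovered_with_secret": pap_recover(hidden, SECRET, AUTHENTICATOR) == PASSWORD,
        "pap_recovered_wrong_secret": pap_recover(hidden, b"other", AUTHENTICATOR) == PASSWORD,
        "chap_ok_with_cleartext_store": chap_verify(7, PASSWORD, CHALLENGE, response),
        "chap_ok_with_hashed_store": chap_verify(7, one_way, CHALLENGE, response),
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the reason a directory that keeps only one-way password hashes cannot answer a CHAP challenge.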

More information about the Freeradius-Devel mailing list