Does freeradius-client library support CHAP protocol?
wlanmac
wlan at mac.com
Wed Mar 18 17:43:44 CET 2009
It might be good timing then, for CoovaChilli to start expanding beyond
PAP and CHAP. To that end, I added some MS-CHAPv2 features into the SVN
version. Support for MS-CHAPv2 comes in two flavors:
- In the chilli logon URL, it already looks for a 'password' (encoded
p/w for PAP) or a 'response' (for CHAP), and now accepts
'ntresponse' (for MS-CHAPv2). This will allow the portal to format an
MS-CHAPv2 Response to have chilli send through.
- An option 'mschapv2' which will use MS-CHAPv2 instead of PAP for
authentication where the logon URL is sent a 'password'. For the
additional crypto, started to use OpenSSL (optional during configure) -
which might allow for additional features too.
Questions, comments, or bug reports: please reply to chilli's list.
cheers,
On Wed, 2009-03-18 at 08:12 +0100, Alan DeKok wrote:
> wlanmac wrote:
> > I disagree that CHAP is without use. In fact, it could even be one of
> > the most used protocols, at least for hotspot (captive portal)
> > authentication, second to only PAP.
>
> It is one of the most used protocols after PAP, especially for hotspot
> logins. That doesn't make it a good idea.
>
> Most captive portals use CHAP because they were designed a long time
> ago, and CHAP was more widely used then.
>
> > I think you want to pick your
> > protocol carefully, depending on the application and other requirements.
> > PAP, for instance, is a bad choice if your shared secret isn't all that
> > secret (like with FON, for instance).
>
> Yes. But that doesn't mean CHAP is the best choice.
>
> I've seen switches that do CHAP for wired "captive portals". This is
> *crazy*, because most companies that can afford $5K for a switch use
> Active Directory... which is incompatible with CHAP.
>
> > In all, I think each protocol has
> > its place and use. In some situations, protocols might be useless or
> > unavailable. But, in other networks and environments, the same
> > protocol might be very suitable or the only option available.
>
> There are very, very, few places where CHAP is suitable. They mostly
> are situations like "I want to use CHAP, because I want to use CHAP."
>
> Alan DeKok.