What is CHAP-Challenge for?

JCA 1.41421 at gmail.com
Mon Feb 11 02:52:17 CET 2013

I am looking into CHAP authentication, and I am having difficulties
understanding what the CHAP-Challenge attribute is exactly for.

Using the radclient utility that ships with freeradius-server 2.2.0 I
can do the following:

   echo "User-Name = MyName, CHAP-Password = MyPassword, CHAP-Challenge = 0123456789" | ./radclient auth

Provided that the RADIUS server at is alive and correctly
configured (i.e. username, password and shared secret all match the values
above) everything works fine, in that the CHAP authentication
succeeds, as expected.  However, if I do

  echo "User-Name = MyName, CHAP-Password = MyPassword" | ./radclient auth SharedSecret

this also succeeds.

So, what's the use of the CHAP-Challenge attribute? RFC 2865 says that
if its value is 16 bytes long then this value can be that of the
Request Authenticator field, thus disposing of CHAP-Challenge
altogether. What does therefore CHAP-Challenge do that is not already
done by the Request Authenticator field? Are there any sets of
circumstances in which using the CHAP-Challenge attribute is
advisable? Actually, what's the point of using CHAP-Password at all,
when User-Password seems to be at least as, if not more, secure a

More information about the Freeradius-Devel mailing list
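
The RFC 2865 relationship between CHAP-Password, CHAP-Challenge and the Request Authenticator that the question turns on, as an added example that is not part of the original post and is not FreeRADIUS code. The function names and the dict-based attribute layout are hypothetical, and all sample values are constructed.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ID octet + MD5(ID || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def select_challenge(attrs: dict, request_authenticator: bytes) -> bytes:
    """Use CHAP-Challenge when present, else the 16-octet Request Authenticator."""
    return attrs.get("CHAP-Challenge", request_authenticator)

def verify_chap(attrs: dict, request_authenticator: bytes, stored_password: bytes) -> bool:
    """Server-side check; the server must hold the cleartext password to recompute the hash."""
    received = attrs.get("CHAP-Password", b"")
    if len(received) != 17:          # 1 ID octet + 16 MD5 octets
        return False
    challenge = select_challenge(attrs, request_authenticator)
    expected = chap_response(received[0], stored_password, challenge)
    return hmac.compare_digest(expected, received)

# Constructed sample values (not taken from a real capture).
PASSWORD = b"MyPassword"
AUTHENTICATOR = bytes(range(16))     # stands in for a random Request Authenticator
PEER_CHALLENGE = b"0123456789"       # 10 octets: cannot be carried in the authenticator

def demo() -> dict:
    # Case 1: challenge is not 16 octets, so it travels in CHAP-Challenge.
    with_attr = {"CHAP-Password": chap_response(7, PASSWORD, PEER_CHALLENGE),
                 "CHAP-Challenge": PEER_CHALLENGE}
    # Case 2: no CHAP-Challenge; the Request Authenticator is the challenge.
    without_attr = {"CHAP-Password": chap_response(7, PASSWORD, AUTHENTICATOR)}
    # Case 3: case 1 with the attribute lost; the server falls back to the
    # authenticator, hashes a different challenge, and rejects.
    stripped = {"CHAP-Password": with_attr["CHAP-Password"]}
    return {
        "with_attr": verify_chap(with_attr, AUTHENTICATOR, PASSWORD),
        "without_attr": verify_chap(without_attr, AUTHENTICATOR, PASSWORD),
        "stripped": verify_chap(stripped, AUTHENTICATOR, PASSWORD),
        "wrong_password": verify_chap(with_attr, AUTHENTICATOR, b"guess"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'Access-Accept' if ok else 'Access-Reject'}")
```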