What is CHAP-Challenge for?

Alan DeKok aland at deployingradius.com
Mon Feb 11 03:22:05 CET 2013

On 2013-02-10, at 8:52 PM, JCA <1.41421 at gmail.com> wrote:

> I am looking into CHAP authentication, and I am having difficulties
> understanding what the CHAP-Challenge attribute is exactly for.

  Read RFC 2865, section 5.3.  It's all explained there. 

> So, what's the use of the CHAP-Challenge attribute? RFC 2865 says that
> if its value is 16 bytes long then this value can be that of the
> Request Authenticator field, thus disposing of CHAP-Challenge
> altogether.

  Which is a bad idea.  See RFC 6158 section B.2

> What does therefore CHAP-Challenge do that is not already
> done by the Request Authenticator field?

  It's not a hack.

> Are there any sets of
> circumstances in which using the CHAP-Challenge attribute is
> advisable?

  Always.  The use of the request authentication is a holdover from 20 years ago, before RADIUS started getting peer review. 

> Actually, what's the point of using CHAP-Password at all,
> when User-Password seems to be at least as, if not more, secure a
> protocol?

  Historical practice.

  Alan DeKok.
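As an added example (not code from the post or from FreeRADIUS), the RFC 2865 section 5.3 rule the thread is discussing, in Python: the server checks the CHAP-Password against the challenge carried in CHAP-Challenge when that attribute is present, and otherwise falls back to the Request Authenticator. Attribute types 3 and 60 are from RFC 2865; the secret, challenge and authenticator bytes are constructed sample values.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3     # RADIUS attribute type, RFC 2865 section 5.3
CHAP_CHALLENGE = 60   # RADIUS attribute type, RFC 2865 section 5.40

# Constructed sample values (not from the mailing list post).
REQUEST_AUTHENTICATOR = bytes(range(0x10, 0x20))                # 16 octets
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # 16 octets
PASSWORD = b"correct horse"
IDENT = 7

def encode_attribute(attr_type, value):
    """RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def parse_attributes(data):
    """Split an attribute blob into {type: value}; rejects truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def chap_response(ident, password, challenge):
    """CHAP with MD5 (RFC 1994): MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_chap_attributes(ident, password, challenge, send_challenge_attr):
    """Client side: CHAP-Password is ident || response; CHAP-Challenge is optional."""
    attrs = encode_attribute(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
    if send_challenge_attr:
        attrs += encode_attribute(CHAP_CHALLENGE, challenge)
    return attrs

def verify_chap(request_authenticator, attributes, password):
    """Server side, RFC 2865 section 5.3: the challenge is CHAP-Challenge if present,
    otherwise the Request Authenticator of the Access-Request."""
    attrs = parse_attributes(attributes)
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:   # 1 octet ident + 16 octet MD5 response
        return False
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(chap_pw[0], password, challenge)
    return hmac.compare_digest(chap_pw[1:], expected)
```

The last case in the test shows the failure mode Alan points at: a client that used its own challenge but omitted CHAP-Challenge cannot be verified, because the server has only the Request Authenticator to work with.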
