What is CHAP-Challenge for?
Alan DeKok
aland at deployingradius.com
Mon Feb 11 03:22:05 CET 2013
On 2013-02-10, at 8:52 PM, JCA <1.41421 at gmail.com> wrote:
> I am looking into CHAP authentication, and I am having difficulties
> understanding what the CHAP-Challenge attribute is exactly for.
Read RFC 2865, section 5.3. It's all explained there.
> So, what's the use of the CHAP-Challenge attribute? RFC 2865 says that
> if its value is 16 bytes long then this value can be that of the
> Request Authenticator field, thus disposing of CHAP-Challenge
> altogether.
Which is a bad idea. See RFC 6158 section B.2
> What does therefore CHAP-Challenge do that is not already
> done by the Request Authenticator field?
It's not a hack.
> Are there any sets of
> circumstances in which using the CHAP-Challenge attribute is
> advisable?
Always. The use of the request authentication is a holdover from 20 years ago, before RADIUS started getting peer review.
> Actually, what's the point of using CHAP-Password at all,
> when User-Password seems to be at least as, if not more, secure a
> protocol?
Historical practice.
Alan DeKok.
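
Added example, not part of the original post and not FreeRADIUS code: a sketch of how a server can check CHAP-Password per RFC 2865 section 5.3, taking the challenge from CHAP-Challenge when present and falling back to the Request Authenticator otherwise. The function names, the attribute dictionary layout and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

CHAP_PASSWORD = 3    # RFC 2865 attribute type: 1-octet CHAP ID + 16-octet response
CHAP_CHALLENGE = 60  # RFC 2865 attribute type: challenge the NAS sent to the user

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def select_challenge(attrs: dict, request_authenticator: bytes) -> bytes:
    """Prefer the explicit CHAP-Challenge attribute; only when it is absent
    is the 16-octet Request Authenticator treated as the challenge."""
    challenge = attrs.get(CHAP_CHALLENGE)
    return challenge if challenge is not None else request_authenticator

def verify_chap(attrs: dict, request_authenticator: bytes, password: bytes) -> bool:
    value = attrs.get(CHAP_PASSWORD)
    if value is None or len(value) != 17:
        return False  # malformed or missing CHAP-Password
    chap_id, received = value[0], value[1:]
    challenge = select_challenge(attrs, request_authenticator)
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, received)

def sample_request():
    """Constructed Access-Request contents (hypothetical values).
    The NAS issued a 24-octet challenge, which cannot fit in the
    16-octet Request Authenticator, so CHAP-Challenge must carry it."""
    password = b"example-password"
    chap_id = 0x2A
    challenge = os.urandom(24)
    request_authenticator = os.urandom(16)  # independent of the challenge
    attrs = {
        CHAP_CHALLENGE: challenge,
        CHAP_PASSWORD: bytes([chap_id]) + chap_response(chap_id, password, challenge),
    }
    return attrs, request_authenticator, password

if __name__ == "__main__":
    attrs, ra, pw = sample_request()
    print("explicit CHAP-Challenge:", verify_chap(attrs, ra, pw))
    stripped = {CHAP_PASSWORD: attrs[CHAP_PASSWORD]}
    print("challenge attribute missing:", verify_chap(stripped, ra, pw))
```

With the attribute present, the Request Authenticator keeps its own role and the challenge can be any length the NAS chose; with it missing, verification depends on the Request Authenticator doubling as the challenge.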