configure freeRADIUS with a CHAP "access-challenge" message

Herwin Weststrate herwin at quarantainenet.nl
Wed Jul 22 11:06:51 CEST 2015


On 22-07-15 08:27, Arul Sundaramoorthy wrote:
> Hi,
> 
> Can anyone please let me know how to configure freeRADIUS server so it
> replies with a CHAP "access-challenge" message on "access-request" from a
> client?

The name CHAP is a bit misleading (at least in RADIUS context), because
there is no Challenge or Handshake in the RADIUS conversation. The
attribute CHAP-Password is just a hash calculated from the plaintext
password and the identifier and authenticator of the packet. This is
included in the Access-Request, and since there's no need for more
information, the server response will be an Access-Accept or
Access-Reject. That's just how CHAP works.

Having said this, you might want to reconsider if you really want to use
CHAP in your application. The protocol requires all passwords to be
plaintext on the server and there is virtually no replay protection.
Some more information: chapter 5.2.1 of
http://networkradius.com/doc/FreeRADIUS-Implementation-Ch5.pdf

-- 
Herwin Weststrate
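
Added example (not part of the original post, and not FreeRADIUS code): the CHAP-Password check as RFC 2865 defines it, where the challenge is the CHAP-Challenge attribute or, if that is absent, the Request Authenticator. It shows why the server has to hold the plaintext password and why a captured request verifies a second time; the password, the CHAP ident and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-octet CHAP ident + MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def server_verify(attr: bytes, stored_secret: bytes, challenge: bytes) -> bool:
    """Recompute the digest from what the server has stored and compare."""
    if len(attr) != 17:  # 1 ident octet + 16 digest octets
        return False
    expected = chap_password(attr[0], stored_secret, challenge)
    return hmac.compare_digest(attr, expected)


def demo() -> dict:
    password = b"correct horse"   # constructed sample password
    challenge = os.urandom(16)    # arrives in the request; the server did not issue it
    attr = chap_password(0x2A, password, challenge)  # 0x2A: constructed CHAP ident

    return {
        # Server stores the plaintext password: the digest can be recomputed.
        "valid": server_verify(attr, password, challenge),
        "wrong_password": server_verify(attr, b"wrong", challenge),
        # Server stores only a one-way hash: the MD5 input cannot be rebuilt,
        # so a correct client is rejected.
        "hash_only_store": server_verify(
            attr, hashlib.sha256(password).digest(), challenge
        ),
        # Same attribute and challenge presented again: the check is stateless
        # and the challenge comes with the request, so it passes again.
        "replayed": server_verify(attr, password, challenge),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```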
