Exercising Challenge/Response code path in pam client?

Richard Perrin rcp at sentientmeat.ca
Fri Sep 23 21:40:14 CEST 2016

On Fri, Sep 23, 2016 at 1:57 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 23, 2016, at 1:15 PM, Richard Perrin <rcp at sentientmeat.ca> wrote:
[snip text and config]
>   You need to do EVERYTHING to manage the challenge yourself.  You need to understand how challenge-response works in RADIUS.
[snip config]
>   Of course, this presumes that the NAS understands challenge-response.  Which it might not.

When I add in a State value, that config successfully gets a challenge
and response from the pam module on Linux (libpam-radius-auth-1.3.17).
Surprisingly, it didn't prompt there though. Largely this highlights,
much like you said, that I don't sufficiently understand how
challenge-response works in RADIUS.

>   To be honest, there's pretty much no reason to invent your own challenge-response mechanism.  Using an existing one is much preferred.

Which of the existing methods would you select for least friction in

- Richard

More information about the Freeradius-Users mailing list