Sending Access-Challenge instead of Access-Accept using MS-CHAPv2

Alan DeKok aland at
Thu Mar 16 14:42:56 CET 2017

> On Mar 13, 2017, at 9:47 AM, Lasse Odden <lasse.odden at> wrote:
> I tried to add the same MS-CHAP2-Success attribute in the Access-Accept
> that the mschap modules sent in the first authentication process where I
> had replaced the Access-Accept with an Access-Challenge, and this
> worked.

  That surprises me, to be honest.

> So I guess I can save the attribute and then send it again if the passcode
> is verified, but this does not seem like a very good solution.

  If it works...

> But on the other hand, the encryption of the users' passwords is needed.


  The passwords are encrypted on the wire.  I have no idea why people are so dead-set against using PAP.

  To be honest, PAP in RADIUS is *more* secure than MS-CHAP.  MS-CHAPv2 can typically be cracked in a day:

  Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort.  In contrast, the PAP encryption in RADIUS has *zero* cracks after almost 25 years.

  Stop taking a naive approach to security.  Use what the experts recommend, because they know rather a lot more about the situation than you do.

  Alan DeKok.

More information about the Freeradius-Users mailing list