Sending Access-Challenge instead of Access-Accept using MS-CHAPv2

Brian Candler b.candler at
Thu Mar 16 18:01:32 CET 2017

On 16/03/2017 13:42, Alan DeKok wrote:
>    Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort.  In contrast, the PAP encryption in RADIUS has*zero*  cracks after almost 25 years.

This is true.

There is an operational reason why you still might want to use MS-CHAPv2 
though, which is that it permits password expiry and password changing 
as part of the exchange.  This can be quite a nice user experience, for 
those clients which support it anyway. It avoids having to rely on the 
user connecting to some other service to get prompted that it's time to 
change their password.

I'm talking about MS-CHAPv2 inside TLS of course.  Don't even think 
about PPTP across the open Internet :-)



More information about the Freeradius-Users mailing list