Sending Access-Challenge instead of Access-Accept using MS-CHAPv2
b.candler at pobox.com
Thu Mar 16 18:01:32 CET 2017
On 16/03/2017 13:42, Alan DeKok wrote:
> Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has *zero* cracks after almost 25 years.
This is true.
There is an operational reason why you still might want to use MS-CHAPv2
though, which is that it permits password expiry and password changing
as part of the exchange. This can be quite a nice user experience, for
those clients which support it anyway. It avoids having to rely on the
user connecting to some other service to get prompted that it's time to
change their password.
I'm talking about MS-CHAPv2 inside TLS of course. Don't even think
about PPTP across the open Internet :-)