Is it possible to use CHAP authentication with pam_radius?

Alan DeKok aland at
Thu Sep 26 19:11:17 CEST 2019

On Sep 26, 2019, at 1:06 PM, Dan Swartzendruber <dswartz at> wrote:
> I'm trying to implement external authentication for an appliance running CentOS 7.  My research turned up the easiest solution as simply installing pam_radius from the repository.  I did, and it works just fine (tested against a Freeradius 3.0 server with a single test user.)  Running freeradiux with '-X' indicates that is using PAP:
> ...
> For security reasons, I'd really like to use CHAP instead, but it doesn't seem to support that?  The man pages and such don't mention CHAP.  I went as far as downloading 1.4.0 and extracting the tarball and looking at the code.  User-Password is Radius attribute 2, and looking at the source:

  The pam_radius_auth module doesn't do CHAP.

  TBH, any "security" argument is not really relevant.  The whole idea of "PAP is insecure" is a marketing checklist, not a security analysis.

  Alan DeKok.

More information about the Freeradius-Users mailing list