Is it possible to use CHAP authentication with pam_radius?

Alan DeKok aland at
Thu Sep 26 20:18:16 CEST 2019

On Sep 26, 2019, at 2:11 PM, Dan Swartzendruber <dswartz at> wrote:
> No argument here.  Unfortunately, some of our customers are anal-retentive and have security compliance audits run, and having cleartext passwords is going to be problematic.

  The passwords aren't clear-text.  They're encrypted on the wire.  Just like PAP.

>  I'm wondering if I could tunnel RADIUS over TCP using an ssh tunnel?  This is a very small number of customers who will care, but they have a disproportionate influence...

  The pam_radius module doesn't support TCP.

  If you care, submit a patch so that the pam_radius module does CHAP.  It should be ~30 LoC.

  Alan DeKok.

More information about the Freeradius-Users mailing list