Is it possible to use CHAP authentication with pam_radius?

Dan Swartzendruber dswartz at
Thu Sep 26 20:29:06 CEST 2019

On 2019-09-26 14:18, Alan DeKok wrote:
> On Sep 26, 2019, at 2:11 PM, Dan Swartzendruber <dswartz at> 
> wrote:
>> No argument here.  Unfortunately, some of our customers are 
>> anal-retentive and have security compliance audits run, and having 
>> cleartext passwords is going to be problematic.
>   The passwords aren't clear-text.  They're encrypted on the wire.
> Just like PAP.

I thought I had seen criticisms that the encryption wasn't that
strong.  Maybe I misunderstood...

>>  I'm wondering if I could tunnel RADIUS over TCP using an ssh tunnel?  
>> This is a very small number of customers who will care, but they have 
>> a disproportionate influence...
>   The pam_radius module doesn't support TCP.
>   If you care, submit a patch so that the pam_radius module does CHAP.
>  It should be ~30 LoC.

I might give that a try, thanks!
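
The two attribute encodings this thread compares, as an added example that is not part of the original message and is not pam_radius code: User-Password hiding (RFC 2865 section 5.2, the PAP case) beside the CHAP-Password response (RFC 2865 section 5.3). The function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: what a PAP-style Access-Request carries in User-Password."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and a password of at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each 16-octet block is XORed with MD5(secret + previous ciphertext block).
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same shared secret recovers the password itself."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP ident octet followed by MD5(ident + password + challenge)."""
    ident = bytes([chap_id])
    return ident + _md5(ident, password, challenge)

def chap_verify(attr: bytes, known_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from its own copy of the password."""
    return len(attr) == 17 and hmac.compare_digest(
        attr, chap_password(attr[0], known_password, challenge))

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret, password = b"constructed-shared-secret", b"constructed-password"
    authenticator = os.urandom(16)  # Request Authenticator; also usable as the CHAP challenge
    hidden = hide_user_password(password, secret, authenticator)
    print("User-Password:", hidden.hex(), "->", reveal_user_password(hidden, secret, authenticator))
    attr = chap_password(os.urandom(1)[0], password, authenticator)
    print("CHAP-Password:", attr.hex(), "verifies:", chap_verify(attr, password, authenticator))
```

With User-Password the server recovers the password and can check it against any stored form; with CHAP-Password the password never leaves the client, but the server must hold a copy it can feed into the same MD5 computation.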
