Authenticator -to- RADIUS connection

Alan DeKok aland at
Tue Oct 5 15:33:38 CEST 2021

On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner at> wrote:
> There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…

  For the simple reason that it's impossible.

  How does a web server control whether the browser does GET / POST / whatever?

  How does a DNS server control whether the client asks for an A / AAA / NS record?

  It doesn't.  It's impossible.

  FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc.  All of this is documented.  There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP".

  Alan DeKok.

More information about the Freeradius-Users mailing list