Authenticator -to- RADIUS connection

Turner, Randy Randy.Turner at
Tue Oct 5 15:36:33 CEST 2021

I guess I was thinking about using mutual TLS for the authenticator to authenticate itself to the FreeRADIUS server…rather than a username and password..


From: Freeradius-Users < at> on behalf of Alan DeKok <aland at>
Date: Tuesday, October 5, 2021 at 9:33 AM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Authenticator -to- RADIUS connection
On Oct 5, 2021, at 9:29 AM, Turner, Randy <Randy.Turner at> wrote:
> There appears to be numerous modules for allowing RADIUS clients to authenticate in any number of ways…but I didn’t see any modules that control how the “authenticator” authenticates to FreeRADIUS…

  For the simple reason that it's impossible.

  How does a web server control whether the browser does GET / POST / whatever?

  How does a DNS server control whether the client asks for an A / AAA / NS record?

  It doesn't.  It's impossible.

  FreeRADIUS supports PAP, CHAP, MS-CHAP, HTTP Digest, EAP, etc.  All of this is documented.  There is simply no way (outside of very narrow situations) for the server to tell the client "use CHAP and not PAP".

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list