On Tue, 10 Jan 2017 01:50:31 +0000
Pete Zabagel <pete.zaba...@outlook.com> wrote:
> I noticed in the radiusd.conf man page that the bsdauth module only
> supports PAP:
>
> "It only supports PAP, password based authentication."
>
> Is there a specific reason as to why CHAP isn't implemented?

This limitation comes from the "bsdauth" module. The BSD authentication requires the plain password for authentication. See bsd_userokay(3). So radiusd(8) needs to get the plain password from the RADIUS client and the client can't use "CHAP" since the client doesn't get the plain password through "CHAP".

> I am assuming it is due to time / interest constraints but perhaps the
> quality of CHAP is in question too -- I see in the RFC that MD5 is
> assigned a specific value, making me wonder if MD5 is the predominant
> algorithm of CHAP implementations in the wild and perhaps considered
> insecure by the community.
>
> On a side note, does anyone know which algorithms are used in CHAP
> besides MD5?

Currently MS-CHAP version 2 is also supported by the "radius" module as well.

I'd like to add EAP capability to radiusd(8) to support stronger algorithms.

--yasuoka
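
An added example, not part of the original thread and not radiusd's code: it contrasts PAP and CHAP verification against a backend that only answers "is this plaintext password correct?", which is the constraint the reply describes. The account, salt, challenge, the `password_oracle` helper and the use of PBKDF2 as the stored hash are assumptions made for illustration; the CHAP digest follows RFC 1994 (MD5 over identifier, secret, challenge).

```python
import hashlib
import hmac

# Constructed sample account. The server side keeps only a salted one-way hash;
# PBKDF2 is a stand-in for whatever hash the system password database uses.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

def _kdf(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 10_000)

STORED_HASH = _kdf(b"correct horse")

def password_oracle(candidate: bytes) -> bool:
    """Hypothetical stand-in for a plaintext-in, yes/no-out password check."""
    return hmac.compare_digest(_kdf(candidate), STORED_HASH)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier octet, secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_pap(plaintext_from_client: bytes) -> bool:
    # PAP delivers the password itself, so it can be handed to the oracle.
    return password_oracle(plaintext_from_client)

def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    # CHAP delivers only a digest; the verifier must recompute it from the
    # same secret the client used, i.e. the plaintext password.
    return hmac.compare_digest(
        chap_response(ident, server_secret, challenge), response)

def demo() -> dict:
    ident, challenge = 7, bytes(range(16))  # constructed values
    response = chap_response(ident, b"correct horse", challenge)  # client side
    return {
        "pap_good": verify_pap(b"correct horse"),
        "pap_bad": verify_pap(b"wrong guess"),
        # A server that stored the plaintext could verify CHAP...
        "chap_with_plaintext": verify_chap(ident, challenge, response,
                                           b"correct horse"),
        # ...but one holding only the one-way hash cannot reproduce the digest,
        "chap_with_hash_only": verify_chap(ident, challenge, response,
                                           STORED_HASH),
        # and the 16-byte response is not a password the oracle can check.
        "oracle_on_response": password_oracle(response),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```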