Does freeradius-client library support CHAP protocol?

Thierry MUSEUX - www.fwt.fr - tm at fwt.fr
Thu Mar 19 11:01:19 UTC 2009


With svn 195 I have this error with make or with dpkg-buildpackage -rfakeroot:


In file included from ippool.c:17:
md5.h:29: error: conflicting types for 'MD5_CTX'
/usr/include/openssl/md5.h:106: error: previous declaration of 'MD5_CTX' was here

Thierry Museux


-----Original Message-----
From: wlanmac [mailto:wlan at mac.com]
Sent: Wednesday, March 18, 2009 17:44
To: FreeRadius developers mailing list
Cc: chilli at coova.org
Subject: Re: Does freeradius-client library support CHAP protocol?

It might be good timing then, for CoovaChilli to start expanding beyond
PAP and CHAP. To that end, I added some MS-CHAPv2 features into the SVN
version. Support for MS-CHAPv2 comes in two flavors:

- In the chilli logon URL, it already looks for a 'password' (encoded
p/w for PAP) or a 'response' (for CHAP), and now accepts
'ntresponse' (for MS-CHAPv2). This will allow the portal to format an
MS-CHAPv2 Response to have chilli send through.

- An option 'mschapv2' which will use MS-CHAPv2 instead of PAP for
authentication where the logon URL is sent a 'password'. For the
additional crypto, started to use OpenSSL (optional during configure) -
which might allow for additional features too. 

Questions, comments, or bug reports: please reply to chilli's list.

cheers, 


On Wed, 2009-03-18 at 08:12 +0100, Alan DeKok wrote:
> wlanmac wrote:
> > I disagree that CHAP is without use. In fact, it could even be one of
> > the most used protocols, at least for hotspot (captive portal)
> > authentication, second only to PAP.
> 
>   It is one of the most used protocols after PAP, especially for hotspot
> logins.  That doesn't make it a good idea.
> 
>   Most captive portals use CHAP because they were designed a long time
> ago, and CHAP was more widely used then.
> 
> > I think you want to pick your
> > protocol carefully, depending on the application and other requirements.
> > PAP, for instance, is a bad choice if your shared secret isn't all that
> > secret (like with FON, for instance).
> 
>   Yes.  But that doesn't mean CHAP is the best choice.
> 
>   I've seen switches that do CHAP for wired "captive portals".  This is
> *crazy*, because most companies that can afford $5K for a switch use
> Active Directory... which is incompatible with CHAP.
> 
> > In all, I think each protocol has
> > its place and use. In some situations, protocols might be useless or
> > unavailable. But, in other networks and environments, the same
> > protocol might be very suitable or the only option available.
> 
>   There are very, very, few places where CHAP is suitable.  They mostly
> are situations like "I want to use CHAP, because I want to use CHAP."
> 
>   Alan DeKok.
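Added example, not part of the thread and not CoovaChilli's code: a sketch that classifies a logon request by the fields wlanmac lists ('password', 'response', 'ntresponse') and verifies a CHAP response as RFC 1994 defines it. The URL, the 'username' field, the hex encoding of 'response', the identifier value and the rule that ambiguous requests are refused are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

# Logon URL fields named in the thread, mapped to the protocol each implies.
FIELD_TO_METHOD = {"password": "PAP", "response": "CHAP", "ntresponse": "MS-CHAPv2"}


def classify_logon(url, mschapv2=False):
    """Return (method, value) for a logon URL, rejecting ambiguous requests."""
    query = parse_qs(urlsplit(url).query)
    present = [f for f in FIELD_TO_METHOD if f in query]
    if len(present) != 1 or len(query[present[0]]) != 1:
        # Assumption: exactly one credential field, given once; anything else
        # is refused rather than resolved by an unstated precedence rule.
        raise ValueError("expected exactly one of password/response/ntresponse")
    field = present[0]
    method = FIELD_TO_METHOD[field]
    if field == "password" and mschapv2:
        method = "MS-CHAPv2"  # the 'mschapv2' option described in the thread
    return method, query[field][0]


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP: MD5 over identifier octet, shared secret, challenge."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(response_hex, chap_id, secret, challenge):
    """Check a hex CHAP response; the verifier needs the cleartext secret."""
    try:
        received = bytes.fromhex(response_hex)
    except ValueError:
        return False
    return hmac.compare_digest(received, chap_response(chap_id, secret, challenge))


# Constructed sample data (hypothetical host, user and secret).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET = b"correct horse"
GOOD = chap_response(0, SECRET, CHALLENGE).hex()
SAMPLE_URL = "http://portal.example/logon?username=alice&response=" + GOOD

if __name__ == "__main__":
    method, value = classify_logon(SAMPLE_URL)
    print(method, verify_chap(value, 0, SECRET, CHALLENGE))
```

Because verify_chap has to recompute the MD5 over the secret itself, a server that stores only a one-way hash of the password cannot check a CHAP response.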