Does freeradius-client library support CHAP protocol?
Thierry MUSEUX - www.fwt.fr -
tm at fwt.fr
Thu Mar 19 11:01:19 UTC 2009
With svn 195 I have this error with make or with dpkg-buildpackage -rfakeroot:
In file included from ippool.c:17:
md5.h:29: error: conflicting types for 'MD5_CTX'
/usr/include/openssl/md5.h:106: error: previous declaration of 'MD5_CTX' was here
Thierry Museux
-----Original Message-----
From: wlanmac [mailto:wlan at mac.com]
Sent: Wednesday, 18 March 2009 17:44
To: FreeRadius developers mailing list
Cc: chilli at coova.org
Subject: Re: Does freeradius-client library support CHAP protocol?
It might be good timing then, for CoovaChilli to start expanding beyond
PAP and CHAP. To that end, I added some MS-CHAPv2 features into the SVN
version. Support for MS-CHAPv2 comes in two flavors:
- In the chilli logon URL, it already looks for a 'password' (encoded
  p/w for PAP) or a 'response' (for CHAP), and now accepts
  'ntresponse' (for MS-CHAPv2). This will allow the portal to format an
  MS-CHAPv2 Response to have chilli send through.
- An option 'mschapv2' which will use MS-CHAPv2 instead of PAP for
  authentication where the logon URL is sent a 'password'. For the
  additional crypto, started to use OpenSSL (optional during configure) -
  which might allow for additional features too.
Questions, comments, or bug reports please reply to chilli's list.
cheers,
On Wed, 2009-03-18 at 08:12 +0100, Alan DeKok wrote:
> wlanmac wrote:
> > I disagree that CHAP is without use. In fact, it could even be one of
> > the most used protocols, at least for hotspot (captive portal)
> > authentication, second to only PAP.
>
> It is one of the most used protocols after PAP, especially for hotspot
> logins. That doesn't make it a good idea.
>
> Most captive portals use CHAP because they were designed a long time
> ago, and CHAP was more widely used then.
>
> > I think you want to pick your
> > protocol carefully, depending on the application and other requirements.
> > PAP, for instance, is a bad choice if your shared secret isn't all that
> > secret (like with FON, for instance).
>
> Yes. But that doesn't mean CHAP is the best choice.
>
> I've seen switches that do CHAP for wired "captive portals". This is
> *crazy*, because most companies that can afford $5K for a switch use
> Active Directory... which is incompatible with CHAP.
>
> > In all, I think each protocol has
> > its place and use. In some situations, protocols might be useless or
> > unavailable. But, in other networks and environments, the same
> > protocol might be very suitable or the only option available.
>
> There are very, very, few places where CHAP is suitable. They mostly
> are situations like "I want to use CHAP, because I want to use CHAP."
>
> Alan DeKok.
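Added example (not part of the original thread, and not FreeRADIUS or CoovaChilli code): the PAP versus CHAP trade-off debated above, using the RADIUS User-Password hiding from RFC 2865 and the CHAP response from RFC 1994. The password, shared secret, authenticator and challenge are constructed sample values, and SHA-256 is an assumed stand-in for whatever one-way form a credential store keeps.

```python
import hashlib
import hmac


def pap_hide(password, secret, authenticator):
    """NAS side, RFC 2865 5.2: XOR the password with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def pap_unhide(hidden, secret, authenticator):
    """Server side: the same key stream gives back the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """Client side, RFC 1994: MD5(identifier + password + challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident, response, challenge, stored):
    """Server side: recompute from what is stored; needs the cleartext password."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def demo():
    password, secret = b"longer-than-16-bytes-pw", b"nas-shared-secret"  # constructed
    authenticator, challenge = bytes(range(16)), bytes(range(16, 32))  # constructed
    hidden = pap_hide(password, secret, authenticator)
    resp = chap_response(7, password, challenge)
    hashed = hashlib.sha256(password).digest()  # stand-in for a one-way stored form
    return {
        "pap_with_secret": pap_unhide(hidden, secret, authenticator) == password,
        "pap_wrong_secret": pap_unhide(hidden, b"wrong", authenticator) == password,
        "chap_cleartext_store": chap_verify(7, resp, challenge, password),
        "chap_hashed_store": chap_verify(7, resp, challenge, hashed),
    }
```

The PAP password is only as confidential as the shared secret, while CHAP verification succeeds only when the server holds the cleartext password, so it fails against a store that keeps a one-way hash.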