Tue Mar 24, 2015 5:17 pm
CHAP requires cleartext passwords in the user database.
PAP does not require cleartext passwords.
If your user DB has hashed passwords, then simply disable http-chap as a login method, and enable http-pap.
Here's why:
In CHAP authentication, the user agent sends a password hash, and not the password. So if the user types "mypass" into the password field on the login page, the RADIUS request will have some hash of "mypass" instead. The RADIUS server receives the request, and then takes the user's cleartext password from the DB, and hashes the password. If this hash matches the one the user sent, then the user's password was correct and authentication is completed.
In PAP authentication, the password submitted by the user attempting to log in is sent in the clear to the RADIUS server. The RADIUS server then hashes the attempted password and compares this hash to the one stored in the user DB. If the hashes match, then the user's password was correct and authentication is completed.
See the difference?
In CHAP, the RADIUS server has no idea what the user actually typed as their attempt, so it must have unencrypted passwords to see if they hash the same way as the user's login request.
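The two checks described in the post, as an added example that is not part of the original post and not MikroTik's or any RADIUS server's own code. It assumes the MD5 form of CHAP from RFC 1994 (response = MD5(id || password || challenge)) and ignores the RADIUS framing around it (which attribute carries the challenge, shared secrets, and so on); the user names, passwords, the salted PBKDF2 hash chosen for the "hashed DB", and all function names are constructed for the illustration. The last function shows what happens when a server that only has a hash tries to verify CHAP anyway: it can only hash the stored digest, which is not what the client hashed, so even the correct password fails.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample data: the same user stored two ways. CHAP needs the
# cleartext record; PAP can still verify against the hashed record.
CLEARTEXT_DB = {"alice": "mypass"}


def pbkdf2_record(password, salt=None, iterations=100_000):
    """Build a salted PBKDF2-SHA256 record, the kind of thing a hashed user DB holds."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


HASHED_DB = {"alice": pbkdf2_record("mypass")}


# ---- CHAP (RFC 1994, MD5 variant), as the hotspot login page would do it ----

def chap_response(chap_id, password, challenge):
    """Client side: MD5(id || password || challenge). The password never leaves the client."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_verify(user_db, username, chap_id, challenge, response):
    """Server side with a cleartext DB: recompute the response and compare."""
    password = user_db.get(username)
    if password is None:
        return False
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, response)


def chap_verify_hashed_db(user_db, username, chap_id, challenge, response):
    """Server side with only a hash on file: the best it can do is hash the stored
    digest, which is not what the client hashed, so a genuine login never matches."""
    record = user_db.get(username)
    if record is None:
        return False
    expected = hashlib.md5(bytes([chap_id]) + record["digest"] + challenge).digest()
    return hmac.compare_digest(expected, response)


# ---- PAP: the attempted password arrives in the clear, so a hashed DB works ----

def pap_verify(user_db, username, attempt):
    """Server side: hash the attempt with the stored salt/iterations and compare."""
    record = user_db.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def demo(challenge=None, chap_id=1):
    """Run both flows for the constructed user and report each outcome."""
    challenge = challenge or secrets.token_bytes(16)
    good = chap_response(chap_id, "mypass", challenge)
    bad = chap_response(chap_id, "wrong", challenge)
    return {
        "chap_cleartext_db_correct": chap_verify(CLEARTEXT_DB, "alice", chap_id, challenge, good),
        "chap_cleartext_db_wrong": chap_verify(CLEARTEXT_DB, "alice", chap_id, challenge, bad),
        "chap_hashed_db_correct": chap_verify_hashed_db(HASHED_DB, "alice", chap_id, challenge, good),
        "pap_hashed_db_correct": pap_verify(HASHED_DB, "alice", "mypass"),
        "pap_hashed_db_wrong": pap_verify(HASHED_DB, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows CHAP accepting the correct password only against the cleartext DB, and PAP accepting it against the hashed DB; the hashed-DB CHAP attempt is rejected even though the user typed the right password. Note that the comparison is the only thing PAP buys you on the server side: the attempt itself crosses the wire in the clear between the hotspot and RADIUS, so that leg still needs its own protection.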