02. RADIUS auth - PAP, CHAP, MS-CHAP ...

You probably met one of these already, either as end user configuring PPPoE connection or your PC or as an administrator in your ISP. Security is big issue and understanding these terms can help you.

There is an important security question when authenticating someone against RADIUS: How does NAS transfers password to RADIUS server? Yes, it is sent using RADIUS packets as we described in previous post, but is it encrypted? Obfuscated? Or as plain text? How hard is to break it?

Here come protocols that encrypt passwords over network:

So, when you are choosing protocol, you must go for latest, powerful, most secured, right? MS-CHAP-V2, right?


Or in more words - it depends of what your possible threats are. Security concerns boil down to two possible scenarios:

  1. Someone taps into your internal network, somewhere between your RADIUS server and NAS, sniffs your packets, extract passwords using lot of CPU cycles. (keep in mind that security from clients computer to NAS is covered by different set of protocols and encryption, like WEP on WiFi network, so it is not relevant for this topic.)*

  2. Someone breaks into your RADIUS server and get hold of your database.

This changes perspective a bit. Let us check protocols again, this time from the point of how the password is stored in database:

Seems that "weakest" protocols "weakness" is actually a strength in some cases.

So now is question what is more likely to happen to your setup. For someone to hack your network it takes lot of time, infrastructure and internal work. It exposes single passwords as they are used, so it takes even more time to collect lot of data. Hacking database, on the other hand, is fairly common scenario that can expose all of your passwords in matter of minutes.

So take your pick what is more secure.

BlissRADIUS Embedded™ 1.2 is out! It brings many performance and stability enhancements.
BlissRADIUS Embedded™ 1.0 is out! This is important milestone that marks more than a year of successful production use. 1.0 is backward compatible with 0.x and brings incremental improvements and bug fixes.
BlissRADIUS Embedded™ 0.9 brings integration with Blesta billing. There is also a new "local" standalone mode to run program without third-party billing. Manual has been updated accordingly.
Website is having problems and access is limited for last several days. We are working on solution. Things should be back to normal in a day or two.
We apologize for inconvenience.