02. RADIUS auth - PAP, CHAP, MS-CHAP ...

You probably met one of these already, either as end user configuring PPPoE connection or your PC or as an administrator in your ISP. Security is big issue and understanding these terms can help you.

There is an important security question when authenticating someone against RADIUS: How does NAS transfers password to RADIUS server? Yes, it is sent using RADIUS packets as we described in previous post, but is it encrypted? Obfuscated? Or as plain text? How hard is to break it?

Here come protocols that encrypt passwords over network:

So, when you are choosing protocol, you must go for latest, powerful, most secured, right? MS-CHAP-V2, right?


Or in more words - it depends of what your possible threats are. Security concerns boil down to two possible scenarios:

  1. Someone taps into your internal network, somewhere between your RADIUS server and NAS, sniffs your packets, extract passwords using lot of CPU cycles. (keep in mind that security from clients computer to NAS is covered by different set of protocols and encryption, like WEP on WiFi network, so it is not relevant for this topic.)*

  2. Someone breaks into your RADIUS server and get hold of your database.

This changes perspective a bit. Let us check protocols again, this time from the point of how the password is stored in database:

Seems that "weakest" protocols "weakness" is actually a strength in some cases.

So now is question what is more likely to happen to your setup. For someone to hack your network it takes lot of time, infrastructure and internal work. It exposes single passwords as they are used, so it takes even more time to collect lot of data. Hacking database, on the other hand, is fairly common scenario that can expose all of your passwords in matter of minutes.

So take your pick what is more secure.

Volume discount for monthly BlissRADIUS™ licenses is available now.
BlissRADIUS Embedded™ 1.11 is released. This version will focus on incremental security and performance improvements.
BlissRADIUS Embedded™ 1.10 is out with incremental improvements.
BlissRADIUS Embedded™ 1.9 brings new features and performance improvements.
BlissRADIUS Embedded™ 1.8 is out with performance enhancements.
BlissRADIUS Embedded™ 1.7 maintenance release is out.
BlissRADIUS Embedded™ 1.6 is out with incremental improvements and new usability features.