Authentication in FreeRADIUS
Authentication protocols: There are three popular authentication protocols, namely, PAP, CHAP, and MS-CHAP. PAP is the least secure in certain situations but also the most versatile.
PAP was one of the first protocols used to facilitate the supply of a username and password when making point-to-point connections. With PAP, the NAS takes the PAP ID and password and sends them in an Access-Request packet as the User-Name and User-Password. PAP is simpler than CHAP and MS-CHAP because the NAS simply hands the RADIUS server a username and password, which are then checked. This username and password come directly from the user through the NAS to the server in a single action.
CHAP stands for Challenge-Handshake Authentication Protocol and was designed as an improvement to PAP. It avoids transmitting the password in clear text. One major drawback of CHAP is that, although the password is transmitted encrypted, the password source has to be in clear text for FreeRADIUS to perform password verification.
MS-CHAP is a challenge-handshake authentication protocol created by Microsoft. There are two versions, MS-CHAP version 1 and MS-CHAP version 2. The Value field is sub-formatted to contain MS-CHAP-specific fields. One of the fields (NT-Response) contains the username and password in a very specific encrypted format.
How FreeRADIUS handles Access-Requests: When an Access-Request reaches the FreeRADIUS server the authorize section defined in the virtual server determines which authentication method will be used. The value of Auth-Type indicates which authentication section will be used.
Password storing: Passwords do not need to be stored in clear text and it is better to store them in a hashed format. There are, however, limitations to the kind of authentication protocols that can be used when the passwords are stored as a hash.
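The CHAP drawback and the hashed-storage limitation described above, worked through as an added example (not from the original page and not FreeRADIUS code). It computes the CHAP response as defined in RFC 1994 and checks it against a cleartext store and a hashed store; the function names, the salted SHA-1 storage scheme and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(ID || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(stored: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """Server-side CHAP check. 'stored' has to be the cleartext password,
    because the server must recompute MD5 over the password itself."""
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def salted_sha1(password: bytes, salt: bytes) -> bytes:
    # Illustrative hashed store (assumption): SHA1(password || salt) || salt
    return hashlib.sha1(password + salt).digest() + salt

def verify_pap(stored_hash: bytes, supplied: bytes) -> bool:
    """PAP check. The server receives the password itself, so it can
    re-hash it with the stored salt and compare against the stored hash."""
    salt = stored_hash[20:]  # a SHA-1 digest is 20 bytes; the rest is the salt
    return hmac.compare_digest(salted_sha1(supplied, salt), stored_hash)

def demo() -> dict:
    # All values below are constructed samples.
    password = b"constructed-sample-password"
    salt = b"\x01\x02\x03\x04"
    challenge = bytes(range(16))  # a real challenge is random per request
    ident = 7

    stored_hash = salted_sha1(password, salt)             # what a hashed store holds
    response = chap_response(ident, password, challenge)  # what the client sends

    return {
        # PAP works against the hashed store.
        "pap_with_hash": verify_pap(stored_hash, password),
        # CHAP works only when the server holds the cleartext password.
        "chap_with_cleartext": verify_chap(password, ident, challenge, response),
        # With only the hash, the server cannot reproduce the response.
        "chap_with_hash": verify_chap(stored_hash, ident, challenge, response),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The third result is False even though the client used the correct password, which is why a hashed password store restricts which authentication protocols can be used.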