RADIUS Authentication Protocols

Table of contents
  1. FIPS Compliance
  2. PAP
  3. CHAP
  4. MS-CHAPv2

FIPS Compliance

If you enforce FIPS compliance on your systems, there is currently no supported authentication protocol for communicating with a RADIUS server. PAP and CHAP use the MD5 algorithm to encode their responses, and one step in the construction of the MS-CHAPv2 response requires the MD4 algorithm to match how NT systems hash their passwords. Neither of these algorithms is permitted in FIPS-compliant mode, and Password Server will not let you enable RADIUS while FIPS-compliant mode is enabled.

PAP

https://tools.ietf.org/html/rfc1334#section-2
PAP, or Password Authentication Protocol, is the least secure option available for RADIUS. RADIUS servers expect any password sent via PAP to be encrypted in a particular way that is not considered secure.

CHAP

https://tools.ietf.org/html/rfc1334#section-3
CHAP, or Challenge-Handshake Authentication Protocol, is also considered insecure. It constructs the message for the server using an MD5 hash, the security of which has been severely compromised by various attacks:
https://en.wikipedia.org/wiki/MD5#Security
It is, however, more secure than PAP, and it is the recommended option when you need a protocol that every RADIUS server is guaranteed to support.
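To make the MD5 dependency of both PAP and CHAP concrete, here is an added example (not Password Server code) that implements the RADIUS User-Password hiding from RFC 2865 section 5.2, which is how a PAP password travels to the server, and the CHAP response from RFC 1994. The shared secret, authenticator and passwords below are constructed sample values.

```python
import hashlib

# PAP over RADIUS: the cleartext password is padded with NULs to a multiple of
# 16 bytes, then each 16-byte block is XORed with MD5(shared_secret || previous
# block). The first "previous block" is the 16-byte Request Authenticator.
# In a FIPS-restricted OpenSSL build, hashlib.md5() itself raises, which is why
# a FIPS-mode system cannot speak either PAP or CHAP to RADIUS.
def radius_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: next key block depends on this ciphertext
    return bytes(hidden)

# The server side simply reverses the XOR with the same MD5-derived blocks.
# Anyone holding the shared secret and seeing the request can do the same,
# which is why this hiding is not treated as encryption of real strength.
def radius_unhide_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    if len(hidden) % 16 or not hidden:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")   # RFC 2865: server strips the NUL padding

# CHAP (RFC 1994): the client never sends the password, only
# MD5(Identifier || password || challenge). The server must hold the
# cleartext password to recompute and compare this value.
def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

if __name__ == "__main__":
    secret, authenticator = b"constructed-shared-secret", bytes(range(16))   # sample values
    hidden = radius_hide_password(b"correct horse battery", secret, authenticator)
    print("PAP hidden:", hidden.hex(), "->", radius_unhide_password(hidden, secret, authenticator))
    print("CHAP response:", chap_response(7, b"correct horse battery", b"sample-challenge").hex())
```

Both functions stop working outright under a FIPS-restricted hashlib, which matches the behaviour described in the FIPS Compliance section above.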

MS-CHAPv2

https://tools.ietf.org/html/rfc2759
MS-CHAPv2 is the most secure option available for Password Server to use in communications with RADIUS and is the recommended protocol if your server supports it. Despite this, it is still vulnerable to attacks in some environments:
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
https://technet.microsoft.com/library/security/2743314