Auth-Type is CHAP, passwords can be exposed in clear in freeradius logs #13

Closed
peppelinux opened this issue Nov 5, 2017 · 3 comments

peppelinux commented Nov 5, 2017

Hi Rob,
Is there any possibility of introducing an mschap auth type instead of the CHAP method it currently uses?
If a sysadmin configures freeradius to log all the auth good_pass and bad_pass, he could also read all the passwords in clear, in /var/log/freeradius/radius.log.

The question could also be asked this way:
Can the pyrad client establish an auth session in mschap instead of chap?

peppelinux commented Nov 7, 2017

The problem is in the pyrad implementation, not django-radius. I also asked the pyrad author about this issue, as the enhancement request that it actually is:

pyradius/pyrad#40

peppelinux commented Nov 10, 2017

With the examples in pyprotosim I implemented a pure eapol_test python client program, downloadable here: https://github.com/peppelinux/pyEapol_test

I'll ask the pyrad author if there is some possibility of introducing the PEAP auth-type into pyrad, starting from this client or something similar. With a radius auth_backend that permits only the PEAP auth-type we would be very strong on the security side.

@robgolding
Owner

Hey @peppelinux! If you're able to get PEAP auth working with pyrad, then you could create a subclass of RADIUSBackend to use it. Unfortunately, until then there's not much we can do on this end. I'm closing this issue now, but please feel free to open a PR in future once the upstream changes have been made. And thanks for the interest in the project!
