When you configure the firewall to use RADIUS server authentication
for a particular service (such as Captive Portal), it first tries Challenge-Handshake
Authentication Protocol (CHAP) and falls back to Password Authentication
Protocol (PAP) if the server rejects the CHAP request. This will
happen if, for example, the server doesn’t support CHAP or isn’t
configured for CHAP. CHAP is the preferred protocol because it is
more secure than PAP. After falling back to PAP for a particular
RADIUS server, the firewall uses only PAP in subsequent attempts
to authenticate to that server. The firewall records a fallback
to PAP as a medium-severity event in the System logs. If you modify
any fields in the RADIUS server profile and then commit the changes,
the firewall reverts to first trying CHAP for that server.

If you want the firewall to always use a specific protocol for
authenticating to the RADIUS server, enter the following operational
CLI command (the auto option reverts to the default automatic selection):

set authentication radius-auth-type [ auto | chap | pap ]

When configuring a RADIUS server for CHAP,
you must define user accounts with reversibly encrypted passwords.
Otherwise, CHAP authentication will fail.
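
The following Python sketch is an added example, not part of the original documentation or the firewall's code. It follows the attribute encodings in RFC 2865 to show why CHAP needs reversibly stored passwords on the server while PAP does not; the shared secret, authenticator, challenge and password are constructed sample values.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP: User-Password hiding per RFC 2865 section 5.2 (XOR with MD5 keystream)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16 octets
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of PAP: anyone holding the shared secret gets the cleartext back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: CHAP-Password attribute = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + _md5(bytes([ident]) + password + challenge)

def chap_verify(stored: bytes, attr: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: must recompute the digest from whatever it has stored."""
    return hmac.compare_digest(chap_password(attr[0], stored, challenge), attr)

# Constructed sample values, for illustration only.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes(range(16, 32))
PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    print("PAP recovered :", pap_recover(hidden, SECRET, AUTHENTICATOR))
    attr = chap_password(7, PASSWORD, CHALLENGE)
    one_way = hashlib.sha256(PASSWORD).hexdigest().encode()  # non-reversible storage
    print("CHAP, cleartext stored:", chap_verify(PASSWORD, attr, CHALLENGE))
    print("CHAP, hash stored     :", chap_verify(one_way, attr, CHALLENGE))
```

With PAP the server recovers the cleartext and can compare it against any stored form, but the password's confidentiality in transit rests entirely on the shared secret; with CHAP the password never crosses the wire, and a server holding only a one-way hash cannot recompute the response.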