Technical Tip: Understanding why Radius password renewal or password change does not support CHAP or PAP
| Description | This article explains that in any scenario that requires the FortiAuthenticator to renew/change the password, CHAP and PAP schemes are not supported. |
| Scope | FortiAuthenticator. |
| Solution | According to the RFC of CHAP and PAP, they do not support the 'password change' option. This is by design that the protocol itself does not support password change/renewal.
Compared with MS-CHAP-v2, it is stated under sections 9.1.6 and 9.1.7 that it has the option for password change/renewal.
Hence, in general, if any radius client is required to perform password renewal/change with the FortiAuthenticator, MS-CHAP-v2 should always be the primary selection unless there is a newer protocol in the future which supports this feature.
For more information, refer to the following RFC documentations:
|