Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kwcheng__FTNT
Staff
Staff

Created on ‎07-23-2024 11:01 PM

Article Id 327650

Technical Tip: Understanding why Radius password renewal or password change does not support CHAP or PAP

Description This article explains that in any scenario that requires the FortiAuthenticator to renew/change the password, CHAP and PAP schemes are not supported.
Scope FortiAuthenticator.
Solution

According to the RFC of CHAP and PAP, they do not support the 'password change' option. This is by design that the protocol itself does not support password change/renewal.

 

Compared with MS-CHAP-v2, it is stated under sections 9.1.6 and 9.1.7 that it has the option for password change/renewal.

 

Hence, in general, if any radius client is required to perform password renewal/change with the FortiAuthenticator, MS-CHAP-v2 should always be the primary selection unless there is a newer protocol in the future which supports this feature.

 

For more information,  refer to the following RFC documentations:
200
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.