FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
This article explains that in any scenario that requires the FortiAuthenticator to renew/change the password, CHAP and PAP schemes are not supported.
Scope
FortiAuthenticator.
Solution
According to the RFC of CHAP and PAP, they do not support the 'password change' option. This is by design that the protocol itself does not support password change/renewal.
Compared with MS-CHAP-v2, it is stated under sections 9.1.6 and 9.1.7 that it has the option for password change/renewal.
Hence, in general, if any radius client is required to perform password renewal/change with the FortiAuthenticator, MS-CHAP-v2 should always be the primary selection unless there is a newer protocol in the future which supports this feature.
For more information, refer to the following RFC documentations:
