Using Challenge-Response with mod_auth_radius
The mod_auth_radius module is completely compliant with the challenge-response authentication method. However, end-user browser support is relatively limited: Netscape 3.x and 4.x and others support it well, but unfortunately, the browser with the largest hunk of market share, Internet Explorer, doesn’t properly follow the RFC and, therefore, doesn’t function correctly with challenge-response. You should certainly consider this caveat in determining whether to use challenge-response.
For supported browsers, the key to challenge-response is that the RADIUS cookies are set upon any authentication attempt. You can enter gibberish for your password and try to authenticate into a secured area, but while you are denied access because the password was incorrect, the cookie is being set with the RADIUS state attribute. The module also modifies Basic-Authentication-Realm. You then receive another prompt to try again, typically with a challenge. Once you enter the correct password (or the correct response to the challenge), all is well.
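The exchange described above can be traced end to end with a small model. This is an added example, not mod_auth_radius source code: the cookie name `radius_state`, the realm strings, the sample user and the stub RADIUS server (which treats State as single-use) are all assumptions made for illustration.

```python
import base64
import secrets

# Constructed sample data: one user and the response the challenge expects.
USERS = {"alice": {"otp": "492817"}}
PENDING = {}  # State value -> username, held by the stub RADIUS server

def radius_server(user, password, state=None):
    """Stub RADIUS server (assumption): returns (code, attributes)."""
    if state is not None:
        # Second leg: State ties this Access-Request to the earlier challenge.
        expected = PENDING.pop(state, None)  # single use, so a replay fails
        if expected == user and password == USERS[user]["otp"]:
            return "Access-Accept", {}
        return "Access-Reject", {}
    if user not in USERS:
        return "Access-Reject", {}
    new_state = secrets.token_hex(8)
    PENDING[new_state] = user
    return "Access-Challenge", {"State": new_state,
                                "Reply-Message": "Enter token code"}

def web_module(headers):
    """Model of the web-server side: returns (status, response_headers)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"WWW-Authenticate": 'Basic realm="Secure Area"'}
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    state = headers.get("Cookie", "").partition("radius_state=")[2] or None
    code, attrs = radius_server(user, password, state)
    if code == "Access-Accept":
        return 200, {}
    resp = {"WWW-Authenticate": 'Basic realm="Secure Area"'}
    if code == "Access-Challenge":
        # Access is still denied, but the State rides back in a cookie and
        # the realm is rewritten so the browser prompt shows the challenge.
        resp["Set-Cookie"] = "radius_state=" + attrs["State"]
        resp["WWW-Authenticate"] = 'Basic realm="%s"' % attrs["Reply-Message"]
    return 401, resp

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def run_exchange(first_password, response):
    """Play both browser requests; return the two (status, headers) results."""
    first = web_module({"Authorization": basic("alice", first_password)})
    cookie = first[1].get("Set-Cookie", "")
    second = web_module({"Authorization": basic("alice", response),
                         "Cookie": cookie})
    return first, second
```

Calling `run_exchange("gibberish", "492817")` shows the first request denied with a cookie and a rewritten realm, and the second accepted once the cookie and the correct response arrive together.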