Attribute Number






Allowed in


Prohibited in

Access-Accept, Access-Reject, Access-Challenge

Presence in Packet

Required, unless User-Password is present

Maximum Iterations


CHAP-Password indicates to the RADIUS client gear that CHAP, instead of PAP, is going to be used for the transaction.

Of particular interest regarding CHAP-Password is the structure of the attribute, which is different than most of the other attributes. The CHAP-Password attribute is structured much like the vendor-specific AVP passed within the standard Vendor-Specific attribute, number 26. This abnormal structure is due to the additional data collected in a CHAP transaction that needs to be passed between the two parties. Let’s take a closer look.

The CHAP identifier, a one-octet value that the RADIUS client gear assigned, is placed in the first octet of the attribute’s value field. The response, effectively the CHAP password, completes the rest of the value field.

The RADIUS RFC requires that the User-Password and the CHAP-Password attributes be mutually exclusive, but one or the other is required in any transaction at all times.

How does the CHAP-Password attribute affect the RADIUS transaction? The sequence is this: a dial-up client connects to an ISP’s NAS gear, which in turn issues a CHAP ID and sends it back to the client. The client generates a response to this challenge and places the response in the password ...

Get RADIUS now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.