Ms-chap authentication, Ms-chap-v2 – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 104
94
MS-CHAP authentication
MS-CHAP is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3.
Authentication Protocol, and MS-CHAP provides the authenticator-controlled authentication retry
mechanism.
MS-CHAP authentication operates in the following workflow.
1.
The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.
2.
When the authenticatee receives the authentication request, it encrypts the packet and its own
password by using the 0x80 algorithm, and then sends the encrypted packet and its own
username to the authenticator (Response).
3.
When receiving the Response packet, the authenticator searches the local user list for the
password of the username carried in the Response packet, encrypts the packet and the
authenticatee's password by using the 0x80 algorithm, with the Challenge packet and the
password as the parameters, compares the encrypted packet with the one received from the
authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the
comparison result.
{
If the authentication succeeds, the Acknowledge packet carries the greeting information.
{
If the authentication fails, the Not Acknowledge packet carries errors, retry flag, and new
randomly-generated packet (Challenge).
4.
When the authenticatee receives an Acknowledge packet, the authentication succeeds.
5.
When the authenticatee receives a Not Acknowledge packet that carries the retry (R) flag set to 1,
the authenticatee encrypts the Challenge packet and its own password by using the 0x80
algorithm, and sends the encrypted packet and its own username to the authenticator. The
authenticator re-authenticates the Response packet. If the R flag in the packet is 0, the
authentication fails and the authenticator disconnects from the authenticatee. The authenticator
allows the authenticatee to retry for three times.
MS-CHAP-V2
MS-CHAP-V2 is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3,
Authentication Protocol, provides mutual authentication between peers by piggybacking a peer
challenge on the Response packet and an authenticator response on the Acknowledge packet, and
supports the authentication retry and password changing mechanisms.
MS-CHAP-V2 authentication operates in the following workflow.
1.
The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.
2.
When the authenticatee receives the authentication request, it encrypts the Challenge packet, its
own randomly-generated packet (Peer-Challenge), its own username, and password by using the
0x81 algorithm, and then sends the encrypted packet and username to the authenticator
(Response).
3.
When receiving the Response packet, the authenticator encrypts the authenticatee's
Peer-Challenge packet, the Challenge packet, and authenticatee's username and password by
using the 0x81 algorithm. The authenticator compares the encrypted packet with the one received
from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on
the comparison result.