Ms-chap authentication, Ms-chap-v2 – H3C Technologies H3C SecPath F1000-E User Manual

Page 136

Advertising
background image

111

Figure 60 CHAP authentication

MS-CHAP authentication

MS-CHAP is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3.

Authentication Protocol, and MS-CHAP provides the authenticator-controlled authentication retry
mechanism.
MS-CHAP authentication operates in the following workflow:

1.

The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.

2.

When the authenticatee receives the authentication request, it encrypts the packet and its own
password by using the 0x80 algorithm, and then sends the encrypted packet and its own

username to the authenticator (Response).

3.

When receiving the Response packet, the authenticator searches the local user list for the
password of the username carried in the Response packet, encrypts the packet and the

authenticatee’s password by using the 0x80 algorithm, with the Challenge packet and the

password as the parameters, compares the encrypted packet with the one received from the

authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the

comparison result.

{

If the authentication succeeds, the Acknowledge packet carries the greeting information.

{

If the authentication fails, the Not Acknowledge packet carries errors, retry flag, and new
randomly-generated packet (Challenge).

4.

When the authenticatee receives an Acknowledge packet, the authentication succeeds.

5.

When the authenticatee receives a Not Acknowledge packet that carries the retry (R) flag set to 1,
the authenticatee encrypts the Challenge packet and its own password by using the 0x80

algorithm, and sends the encrypted packet and its own username to the authenticator. The

authenticator re-authenticates the Response packet. If the R flag in the packet is 0, the

authentication fails and the authenticator disconnects from the authenticatee. The authenticator
allows the authenticatee to retry for three times.

MS-CHAP-V2

MS-CHAP-V2 is a three-way handshake authentication protocol using cipher text password.

Advertising
This manual is related to the following products:

H3C SecPath F5000-A5 Firewall, H3C SecPath F1000-A-EI, H3C SecPath F1000-E-SI, H3C SecPath F1000-S-AI, H3C SecPath F5000-S Firewall, H3C SecPath F5000-C Firewall, H3C SecPath F100-C-SI, H3C SecPath F1000-C-SI, H3C SecPath F100-A-SI, H3C SecBlade FW Cards, H3C SecBlade FW Enhanced Cards, H3C SecPath U200-A U200-M U200-S, H3C SecPath U200-CA U200-CM U200-CS, H3C SecBlade LB Cards, H3C SecPath L1000-A Load Balancer

Popular Brands
Popular manuals