Ppp link phases – H3C Technologies H3C SecPath F1000-E User Manual
Page 137
112
Different from CHAP, MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3,
Authentication Protocol, provides mutual authentication between peers by piggybacking a peer
challenge on the Response packet and an authenticator response on the Acknowledge packet, and
supports the authentication retry and password changing mechanisms.
MS-CHAP-V2 authentication operates in the following workflow:
1.
The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.
2.
When the authenticatee receives the authentication request, it encrypts the Challenge packet, its
own randomly-generated packet (Peer-Challenge), its own username, and password by using the
0x81 algorithm, and then sends the encrypted packet and username to the authenticator
(Response).
3.
When receiving the Response packet, the authenticator encrypts the authenticatee’s
Peer-Challenge packet, the Challenge packet, and authenticatee’s username and password by
using the 0x81 algorithm. The authenticator compares the encrypted packet with the one received
from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on
the comparison result.
{
If the authentication succeeds, the Acknowledge packet carries the encrypted packet from the
authenticatee for piggybacking authentication. The encrypted packet is generated by using the
0x81 algorithm, with the authenticatee’s username and password, the encrypted packet
received from the authenticatee, the Peer-Challenge packet, and the Challenge packet as the
parameters.
{
If the authentication fails, the Not Acknowledge packet carries error code, retry flag, and new
randomly-generated packet (Challenge).
4.
When the authenticatee receives an Acknowledge packet, it encrypts a packet by using the 0x81
algorithm, with its own username and password, the Challenge packet, Peer-Challenge packet,
and the encrypted packet sent to the authenticator as the parameters. The authenticatee compares
the encrypted packet with the one received from the authenticator. If they match each other, the
authentication succeeds. If not, the link is disconnected.
5.
When the authenticatee receives a Not Acknowledge packet from the authenticator:
{
If the error in the packet is due to password expiration, the authenticatee encrypts a packet by
using the 0x81 algorithm, with a new password, the Challenge packet, Peer-Challenge packet,
and its own username as the parameters, and sends the encrypted packet and new password
after encryption (change password) to the authenticator. The authenticator re-authenticates the
authenticatee by using the new password.
{
If the R flag in the Not Acknowledge packet is 1, the authenticatee encrypts a packet by using
the 0x81 algorithm, with the Challenge packet, Peer-Challenge packet, its own username and
password as the parameters, and sends the encrypted packet and its own username to the
authenticator. The authenticator re-authenticates the authenticatee by using the encrypted
packet. If the R flag in the Not Acknowledge packet is 0, the link is disconnected. The
authenticator allows the authenticatee to retry for three times.
PPP link phases
illustrates the PPP link phases.
1.
A PPP link is in the Establish phase when it is about to be established. In this phase, LCP negotiation
is performed, where LCP-related settings are determined, including operating mode (SP or MP), the
authentication mode, and the Maximum Transmission Unit (MTU). If the negotiation is successful,
the link enters the Opened state, indicating that the underlying layer link has been established.