Ms-chap authentication – H3C Technologies H3C SR8800 User Manual
Page 27

Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP
authentication. In one-way CHAP authentication, one side of the link acts as the authenticator and the
other acts as the supplicant. In two-way CHAP authentication, each side serves as both the authenticator
and the supplicant. Normally, one-way CHAP authentication is used.
In one-way CHAP authentication, the authenticator may or may not be configured with a username. It is
recommended that you configure a username for the authenticator, which makes it easier to identify the
authenticator.
If the authenticator is configured with a username, CHAP authentication is performed as follows:
1. The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
   to the supplicant. The packet also carries the local username.
2. When the supplicant receives the authentication request, it searches the local user list for the
   password of the username carried in the received packet, encrypts the packet using the MD5
   algorithm, with the packet ID and the password as the parameters, and then sends the encrypted
   packet and the local username to the authenticator (Response).
3. The authenticator encrypts the original randomly-generated packet using the MD5 algorithm, with
   the password of the supplicant it maintains as the parameter, compares the encrypted packet with
   the one received from the supplicant, and returns an Acknowledge or Not Acknowledge packet
   depending on the comparison result.
If the authenticator is not configured with a username, the CHAP authentication is performed as follows:
4. The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
   to the supplicant.
5. When the supplicant receives the authentication request, it encrypts the packet using the MD5
   algorithm, with the packet ID and the default CHAP password as the parameters, and then sends
   the encrypted packet and its own username to the authenticator (Response).
6. The authenticator encrypts the original randomly-generated packet using the MD5 algorithm, with
   the password of the supplicant it maintains as the parameter, compares the encrypted packet with
   the one received from the supplicant, and returns an Acknowledge or Not Acknowledge packet
   depending on the comparison result.
Figure 8 CHAP Authentication
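The two exchanges described above, as an added Python example that is not part of the H3C manual or any H3C software. It assumes the RFC 1994 digest layout MD5(Identifier || secret || Challenge); all usernames, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: names and passwords are placeholders.
AUTHENTICATOR_NAME = "router-a"
SUPPLICANT_NAME = "router-b"
SUPPLICANT_USERS = {"router-a": b"shared-secret-1"}     # supplicant's local user list
DEFAULT_CHAP_PASSWORD = b"default-secret"               # used when the Challenge has no name
AUTHENTICATOR_USERS = {"router-b": b"shared-secret-1"}  # passwords the authenticator maintains


def chap_digest(packet_id: int, password: bytes, challenge: bytes) -> bytes:
    """Response value, assuming RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([packet_id]) + password + challenge).digest()


def make_challenge(packet_id, name=None):
    """Challenge: random value, optionally carrying the authenticator's username."""
    return {"id": packet_id, "value": os.urandom(16), "name": name}


def make_response(challenge, local_name=SUPPLICANT_NAME):
    """Response: password looked up by the name in the Challenge, else the default."""
    if challenge["name"] is not None:
        password = SUPPLICANT_USERS[challenge["name"]]
    else:
        password = DEFAULT_CHAP_PASSWORD
    digest = chap_digest(challenge["id"], password, challenge["value"])
    return {"id": challenge["id"], "value": digest, "name": local_name}


def verify_response(challenge, response, users=AUTHENTICATOR_USERS):
    """Recompute the digest and compare; True = Acknowledge, False = Not Acknowledge."""
    password = users.get(response["name"])
    if password is None or response["id"] != challenge["id"]:
        return False
    expected = chap_digest(challenge["id"], password, challenge["value"])
    return hmac.compare_digest(expected, response["value"])  # constant-time compare


if __name__ == "__main__":
    c1 = make_challenge(1, AUTHENTICATOR_NAME)
    r1 = make_response(c1)
    print("fresh response accepted:", verify_response(c1, r1))
    c2 = make_challenge(1, AUTHENTICATOR_NAME)
    print("old response against new challenge accepted:", verify_response(c2, r1))
```

The second check shows why the Challenge must be random per attempt: a Response is bound to one Challenge value and is rejected against any other.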
MS-CHAP authentication
MS-CHAP is a three-way handshake authentication protocol that uses a ciphertext password.