Ms-chap authentication, Ms-chap-v2 – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

94

MS-CHAP authentication

MS-CHAP is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3.
Authentication Protocol, and MS-CHAP provides the authenticator-controlled authentication retry

mechanism.
MS-CHAP authentication operates in the following workflow.

1.

The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.

2.

When the authenticatee receives the authentication request, it encrypts the packet and its own

password by using the 0x80 algorithm, and then sends the encrypted packet and its own
username to the authenticator (Response).

3.

When receiving the Response packet, the authenticator searches the local user list for the
password of the username carried in the Response packet, encrypts the packet and the

authenticatee's password by using the 0x80 algorithm, with the Challenge packet and the

password as the parameters, compares the encrypted packet with the one received from the
authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the

comparison result.

{

If the authentication succeeds, the Acknowledge packet carries the greeting information.

{

If the authentication fails, the Not Acknowledge packet carries errors, retry flag, and new
randomly-generated packet (Challenge).

4.

When the authenticatee receives an Acknowledge packet, the authentication succeeds.

5.

When the authenticatee receives a Not Acknowledge packet that carries the retry (R) flag set to 1,
the authenticatee encrypts the Challenge packet and its own password by using the 0x80

algorithm, and sends the encrypted packet and its own username to the authenticator. The

authenticator re-authenticates the Response packet. If the R flag in the packet is 0, the
authentication fails and the authenticator disconnects from the authenticatee. The authenticator

allows the authenticatee to retry for three times.

MS-CHAP-V2

MS-CHAP-V2 is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3,
Authentication Protocol, provides mutual authentication between peers by piggybacking a peer

challenge on the Response packet and an authenticator response on the Acknowledge packet, and

supports the authentication retry and password changing mechanisms.
MS-CHAP-V2 authentication operates in the following workflow.

1.

The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the authenticatee.

2.

When the authenticatee receives the authentication request, it encrypts the Challenge packet, its
own randomly-generated packet (Peer-Challenge), its own username, and password by using the

0x81 algorithm, and then sends the encrypted packet and username to the authenticator

(Response).

3.

When receiving the Response packet, the authenticator encrypts the authenticatee's
Peer-Challenge packet, the Challenge packet, and authenticatee's username and password by
using the 0x81 algorithm. The authenticator compares the encrypted packet with the one received

from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on

the comparison result.