Ms-chap authentication, Ms-chap-v2 – H3C Technologies H3C SecPath F1000-E User Manual
Figure 60 CHAP authentication
MS-CHAP authentication
MS-CHAP is a three-way handshake authentication protocol that uses a ciphertext password. Unlike CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3 (Authentication-Protocol), and MS-CHAP provides an authenticator-controlled authentication retry mechanism.
MS-CHAP authentication operates in the following workflow:
1. The authenticator initiates an authentication by sending a randomly generated packet (Challenge) to the authenticatee.
2. When the authenticatee receives the authentication request, it encrypts the packet and its own password by using the 0x80 algorithm, and then sends the encrypted packet and its own username to the authenticator (Response).
3. When receiving the Response packet, the authenticator searches the local user list for the password of the username carried in the Response packet, encrypts the packet and the authenticatee's password by using the 0x80 algorithm, with the Challenge packet and the password as the parameters, compares the encrypted packet with the one received from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the comparison result.
   - If the authentication succeeds, the Acknowledge packet carries the greeting information.
   - If the authentication fails, the Not Acknowledge packet carries the errors, the retry flag, and a new randomly generated packet (Challenge).
4. When the authenticatee receives an Acknowledge packet, the authentication succeeds.
5. When the authenticatee receives a Not Acknowledge packet that carries the retry (R) flag set to 1, the authenticatee encrypts the new Challenge packet and its own password by using the 0x80 algorithm, and sends the encrypted packet and its own username to the authenticator. The authenticator re-authenticates the Response packet. If the R flag in the packet is 0, the authentication fails and the authenticator disconnects from the authenticatee. The authenticator allows the authenticatee to retry three times.
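The Challenge/Response/Acknowledge exchange and the retry mechanism described in the steps above, as an added Python example that is not part of the H3C manual. It assumes a local user list and peer password constructed for the run, and substitutes HMAC-SHA256 for the manual's 0x80 algorithm so that the flow runs stand-alone; the real MS-CHAP response is a DES-based transform of the Challenge keyed from the password hash, which is not implemented here.

```python
import hashlib
import hmac
import secrets

MAX_RETRIES = 3  # the manual: the authenticator allows the authenticatee to retry three times

def encrypt_0x80(challenge: bytes, password: str) -> bytes:
    """Stand-in for the manual's '0x80 algorithm' (assumption: HMAC-SHA256 replaces the
    real DES-based transform keyed from the password hash, so the exchange runs offline)."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()

class Authenticator:
    """Authenticator side: issues Challenges, verifies Responses, answers with Ack or Nak."""

    def __init__(self, local_users: dict):
        self.local_users = local_users   # username -> password (constructed local user list)
        self.retries_used = 0
        self.challenge = self.new_challenge()

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(8)  # step 1: randomly generated Challenge packet
        return self.challenge

    def verify(self, username: str, response: bytes) -> dict:
        """Step 3: look up the password, recompute the encrypted packet, compare, Ack or Nak."""
        password = self.local_users.get(username)
        if password is not None:
            expected = encrypt_0x80(self.challenge, password)
            if hmac.compare_digest(expected, response):
                return {"type": "ack", "message": "greeting"}
        if self.retries_used < MAX_RETRIES:
            self.retries_used += 1
            # Nak with R=1 carries a fresh Challenge, so the old Challenge cannot be reused
            return {"type": "nak", "retry": 1, "challenge": self.new_challenge()}
        return {"type": "nak", "retry": 0}  # R=0: authentication fails, link is disconnected

def run_session(authenticator: Authenticator, username: str, password: str) -> list:
    """Authenticatee side (steps 2, 4, 5): answer each Challenge until Ack or Nak with R=0.
    Returns the authenticator's replies in order."""
    challenge = authenticator.challenge
    replies = []
    while True:
        reply = authenticator.verify(username, encrypt_0x80(challenge, password))
        replies.append(reply)
        if reply["type"] == "ack" or reply["retry"] == 0:
            return replies
        challenge = reply["challenge"]  # step 5: retry against the new Challenge
```

With the correct password the session ends after one Acknowledge; with a wrong password it produces three Not Acknowledge packets with R=1 (each carrying a new Challenge) and a fourth with R=0.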
MS-CHAP-V2
MS-CHAP-V2 is a three-way handshake authentication protocol that uses a ciphertext password.