PPP link phases – H3C Technologies H3C SecPath F1000-E User Manual
Unlike CHAP, MS-CHAP-V2 is enabled by negotiating CHAP algorithm 0x81 in LCP option 3 (Authentication-Protocol). It provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Acknowledge packet, and it supports authentication retry and password-change mechanisms.
MS-CHAP-V2 authentication operates in the following workflow:

1. The authenticator initiates an authentication by sending a randomly generated packet (Challenge) to the authenticatee.

2. When the authenticatee receives the authentication request, it encrypts the Challenge packet, its own randomly generated packet (Peer-Challenge), its own username, and its password by using the 0x81 algorithm, and then sends the encrypted packet and its username to the authenticator (Response).

3. When receiving the Response packet, the authenticator encrypts the authenticatee's Peer-Challenge packet, the Challenge packet, and the authenticatee's username and password by using the 0x81 algorithm. The authenticator compares the encrypted packet with the one received from the authenticatee, and returns an Acknowledge or Not Acknowledge packet depending on the comparison result.
   - If the authentication succeeds, the Acknowledge packet carries an encrypted packet for the authenticatee, used for piggybacked authentication. The encrypted packet is generated by using the 0x81 algorithm, with the authenticatee's username and password, the encrypted packet received from the authenticatee, the Peer-Challenge packet, and the Challenge packet as the parameters.
   - If the authentication fails, the Not Acknowledge packet carries an error code, a retry flag, and a new randomly generated packet (Challenge).

4. When the authenticatee receives an Acknowledge packet, it encrypts a packet by using the 0x81 algorithm, with its own username and password, the Challenge packet, the Peer-Challenge packet, and the encrypted packet it sent to the authenticator as the parameters. The authenticatee compares this encrypted packet with the one received from the authenticator. If they match, the authentication succeeds. If not, the link is disconnected.

5. When the authenticatee receives a Not Acknowledge packet from the authenticator:
   - If the error in the packet is due to password expiration, the authenticatee encrypts a packet by using the 0x81 algorithm, with a new password, the Challenge packet, the Peer-Challenge packet, and its own username as the parameters, and sends the encrypted packet and the encrypted new password (change password) to the authenticator. The authenticator re-authenticates the authenticatee by using the new password.
   - If the R flag in the Not Acknowledge packet is 1, the authenticatee encrypts a packet by using the 0x81 algorithm, with the Challenge packet, the Peer-Challenge packet, and its own username and password as the parameters, and sends the encrypted packet and its own username to the authenticator. The authenticator re-authenticates the authenticatee by using the encrypted packet. If the R flag in the Not Acknowledge packet is 0, the link is disconnected. The authenticator allows the authenticatee to retry three times.
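The five-step exchange above, written out as an added simulation that is not code from the manual or from H3C's implementation. Both sides are modelled, the authenticator response piggybacked on the Acknowledge packet is checked by the authenticatee (the mutual-authentication step), and the Not Acknowledge path carries the R flag and a new Challenge until the three retries the manual allows are used up. One substitution is made on purpose: real MS-CHAP-V2 (RFC 2759) computes the "0x81 algorithm" with MD4 and DES, and this example replaces that with SHA-256 over the same parameters so it runs on the Python standard library; the message flow, not the hash construction, is what it demonstrates. The password-expiration branch of step 5 is not modelled. Usernames, passwords, field names and the message dictionaries are constructed for the example; error code 691 is RFC 2759's ERROR_AUTHENTICATION_FAILURE.

```python
import hashlib
import hmac
import os

# 691 is RFC 2759's ERROR_AUTHENTICATION_FAILURE; the limit of three retries is
# the one the manual states. Everything else in this file is constructed.
ERROR_AUTHENTICATION_FAILURE = 691
MAX_RETRIES = 3


def algo_0x81(*parts: bytes) -> bytes:
    """Stand-in for what the manual calls the "0x81 algorithm".

    Real MS-CHAP-V2 (RFC 2759) derives the response with MD4 and DES. This
    example substitutes SHA-256 over length-prefixed parameters so that the
    exchange runs on the Python standard library.
    """
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def peer_response(challenge, peer_challenge, username, password):
    # Step 2: the value the authenticatee carries in its Response packet.
    return algo_0x81(challenge, peer_challenge, username, password)


def authenticator_response(challenge, peer_challenge, username, password, response):
    # Step 3, success branch: the value piggybacked on the Acknowledge packet,
    # computed over the response just received plus both challenges.
    return algo_0x81(response, peer_challenge, challenge, username, password)


class Authenticator:
    def __init__(self, users):
        self.users = users          # username -> password (constructed sample data)
        self.challenge = None
        self.failures = 0

    def start(self):
        # Step 1: a fresh random Challenge for each attempt.
        self.challenge = os.urandom(16)
        return self.challenge

    def verify(self, username, peer_challenge, response):
        # Step 3: recompute from the stored password and compare in constant time.
        password = self.users.get(username)
        if password is not None:
            expected = peer_response(self.challenge, peer_challenge, username, password)
            if hmac.compare_digest(expected, response):
                ack = authenticator_response(self.challenge, peer_challenge,
                                             username, password, response)
                return {"type": "ACK", "auth_response": ack}
        # Failure: Not Acknowledge with error code, R flag and, when a retry is
        # still allowed, a new Challenge.
        self.failures += 1
        nak = {"type": "NAK", "error": ERROR_AUTHENTICATION_FAILURE,
               "R": 1 if self.failures <= MAX_RETRIES else 0}
        if nak["R"]:
            nak["challenge"] = self.start()
        return nak


class Authenticatee:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.challenge = self.peer_challenge = self.response = None

    def respond(self, challenge):
        # Step 2: generate a Peer-Challenge and answer the authenticator's Challenge.
        self.challenge, self.peer_challenge = challenge, os.urandom(16)
        self.response = peer_response(challenge, self.peer_challenge,
                                      self.username, self.password)
        return self.username, self.peer_challenge, self.response

    def check_ack(self, auth_response):
        # Step 4: mutual authentication. Only a party that knows the password can
        # have produced this value; a mismatch means the link is disconnected.
        expected = authenticator_response(self.challenge, self.peer_challenge,
                                          self.username, self.password, self.response)
        return hmac.compare_digest(expected, auth_response)


def run_session(auth, peer):
    """Drive one MS-CHAP-V2 exchange to completion and report the outcome."""
    challenge = auth.start()
    attempts = 0
    while True:
        attempts += 1
        msg = auth.verify(*peer.respond(challenge))
        if msg["type"] == "ACK":
            ok = peer.check_ack(msg["auth_response"])
            return {"result": "success" if ok else "disconnect", "attempts": attempts}
        if msg["R"] == 0:                # step 5: no retry left, link is disconnected
            return {"result": "disconnect", "attempts": attempts}
        challenge = msg["challenge"]     # step 5: R flag is 1, retry with the new Challenge


if __name__ == "__main__":
    users = {b"alice": b"correct-horse"}   # constructed sample credential
    print(run_session(Authenticator(users), Authenticatee(b"alice", b"correct-horse")))
    print(run_session(Authenticator(users), Authenticatee(b"alice", b"wrong")))
```

Two details carry over directly to a real deployment: both comparisons use a constant-time compare rather than `==`, and the authenticatee refuses the link when the Acknowledge packet's piggybacked value does not verify, which is what makes the authentication mutual rather than one-way. A wrong password costs the initial attempt plus the three retries the manual allows, after which the Not Acknowledge packet arrives with R set to 0.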

PPP link phases

Figure 61 illustrates the PPP link phases.

1. A PPP link is in the Establish phase when it is about to be established. In this phase, LCP negotiation is performed, where LCP-related settings are determined, including the operating mode (SP or MP), the authentication mode, and the Maximum Transmission Unit (MTU). If the negotiation is successful, the link enters the Opened state, indicating that the underlying layer link has been established.