Ms-chap-v2 – H3C Technologies H3C SR8800 User Manual
Page 28
20
Different from CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3.
Authentication Protocol, and MS-CHAP provides the authenticator-controlled authentication retry
mechanism.
MS-CHAP authentication operates in the following workflow.
1.
The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the supplicant.
2.
When the supplicant receives the authentication request, it encrypts the packet and its own
password by using the 0x80 algorithm, and then sends the encrypted packet and its own
username to the authenticator (Response).
3.
When receiving the Response packet, the authenticator searches the local user list for the
password of the username carried in the Response packet, encrypts the packet and the
supplicant’s password by using the 0x80 algorithm, with the Challenge packet and the password
as the parameters, compares the encrypted packet with the one received from the supplicant, and
returns an Acknowledge or Not Acknowledge packet depending on the comparison result.
{
If the authentication succeeds, the Acknowledge packet carries the greeting information.
{
If the authentication fails, the Not Acknowledge packet carries errors, retry flag, and new
randomly-generated packet (Challenge).
4.
When the supplicant receives an Acknowledge packet, the authentication succeeds.
5.
When the supplicant receives a Not Acknowledge packet that carries the retry (R) flag set to 1, the
supplicant encrypts the Challenge packet and its own password by using the 0x80 algorithm, and
sends the encrypted packet and its own username to the authenticator. The authenticator
re-authenticates the Response packet. If the R flag in the packet is 0, the authentication fails and the
authenticator disconnects from the supplicant. The authenticator allows the supplicant to retry for
three times.
MS-CHAP-V2
MS-CHAP-V2 is a three-way handshake authentication protocol using cipher text password.
Different from CHAP, MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3,
Authentication Protocol, provides mutual authentication between peers by piggybacking a peer
challenge on the Response packet and an authenticator response on the Acknowledge packet, and
supports the authentication retry and password changing mechanisms.
MS-CHAP-V2 authentication operates in the following workflow.
1.
The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)
to the supplicant.
2.
When the supplicant receives the authentication request, it encrypts the Challenge packet, its own
randomly-generated packet (Peer-Challenge), its own username, and password by using the 0x81
algorithm, and then sends the encrypted packet and username to the authenticator (Response).
3.
When receiving the Response packet, the authenticator encrypts the supplicant’s Peer-Challenge
packet, the Challenge packet, and supplicant’s username and password by using the 0x81
algorithm. The authenticator compares the encrypted packet with the one received from the
supplicant, and returns an Acknowledge or Not Acknowledge packet depending on the
comparison result.
{
If the authentication succeeds, the Acknowledge packet carries the encrypted packet from the
supplicant for piggybacking authentication. The encrypted packet is generated by using the
0x81 algorithm, with the supplicant’s username and password, the encrypted packet received
from the supplicant, the Peer-Challenge packet, and the Challenge packet as the parameters.