
CHAP Authentication

Latest reply: Jan 16, 2022 07:06:59

CHAP Authentication Process

The Challenge Handshake Authentication Protocol (CHAP) is a three-way handshake authentication protocol. CHAP sends user names over the link but never the password itself, only a hash derived from it, so it is more secure than PAP, which sends the password in clear text.

CHAP authentication is performed during initial link establishment and can be repeated anytime after a link has been established.

Figure 1 shows the CHAP authentication process.

Figure 1 CHAP authentication process


Two CHAP authentication modes are available: unidirectional CHAP authentication and bidirectional CHAP authentication. In unidirectional CHAP authentication, a device on one end functions as the authenticating device, and a device on the other end functions as the authenticated device. In bidirectional CHAP authentication, each device functions as both the authenticating device and authenticated device. In practice, only unidirectional CHAP authentication is used.

Unidirectional CHAP authentication is used in two scenarios: one in which the authenticating device is configured with a user name, and one in which it is not. It is recommended that the authenticating device be configured with a user name.

  • When the authenticating device is configured with a user name:

    • The authenticating device initiates an authentication request by sending a Challenge packet that carries the local user name to the authenticated device.

    • After receiving the Challenge packet, the authenticated device checks whether the ppp chap password command is used on the local interface. If this command is used, the authenticated device hashes the Challenge value together with the packet ID and the password configured by the command using the Message Digest 5 (MD5) algorithm to generate a cipher text (digest), and then sends a Response packet carrying the cipher text and the local user name to the authenticating device. If the ppp chap password command is not configured, the authenticated device searches the local user table for the password matching the user name of the authenticating device carried in the received Challenge packet, and hashes the Challenge value together with the packet ID and that user password using MD5 to generate the cipher text. It then sends a Response packet carrying the cipher text and the local user name to the authenticating device.

    • The authenticating device hashes the Challenge value together with the packet ID and the saved password of the authenticated device using MD5 to generate a cipher text. It then compares this cipher text with the one carried in the received Response packet and returns a Success or Failure response based on the result of the check.

  • When the authenticating device is not configured with a user name:

    • The authenticating device initiates an authentication request by sending a Challenge packet.

    • After receiving the Challenge packet, the authenticated device hashes the Challenge value together with the packet ID and the password configured by the ppp chap password command using the Message Digest 5 (MD5) algorithm to generate a cipher text. It then sends a Response packet carrying the cipher text and the local user name to the authenticating device.

    • The authenticating device hashes the Challenge value together with the packet ID and the saved password of the authenticated device using MD5 to generate a cipher text. It then compares this cipher text with the one carried in the received Response packet and returns a Success or Failure response based on the result of the check.

CHAP Packet Format

  • Configuration option format

Figure 2 shows the CHAP configuration option format.

Figure 2 CHAP configuration option format


Table 1 shows the fields of a CHAP configuration option.

Table 1 Fields of a CHAP configuration option

Field | Length in Bytes | Description
--- | --- | ---
Type | 1 | The value 0x03 indicates an authentication protocol packet. For common negotiation options, see Table 3.
Length | 1 | The value is always 5, indicating that a configuration option is 5 bytes in length.
Authentication-Protocol | 2 | The value 0xC223 indicates the CHAP protocol. For common protocol codes, see Table 1.
Algorithm | 1 | The value specifies the algorithm to be used: 0 to 4: reserved; 5: MD5 algorithm.


  • CHAP packet format

A CHAP packet is encapsulated in the Information field of a PPP data link layer frame with the Protocol field value of 0xC223, which indicates the CHAP protocol.

Figure 3 shows the CHAP packet format.

Figure 3 CHAP packet format


Table 2 shows the fields of a CHAP packet.

Table 2 Fields of a CHAP packet

Field | Length in Bytes | Description
--- | --- | ---
Code | 1 | The Code field identifies the type of a CHAP packet: 1: Challenge packet; 2: Response packet; 3: Success packet; 4: Failure packet.
Identifier | 1 | The Identifier field helps match challenges and responses.
Length | 2 | The Length field indicates the length of a CHAP packet including the Code, Identifier, Length, and Data fields. Bytes outside the range of the Length field are treated as data link layer padding and are discarded.
Data | Zero or more | The format of the Data field is determined by the Code field.


  • Challenge and Response packet format

A Challenge packet is used to initiate CHAP authentication. The authenticating device must transmit a Challenge packet with the Code field value 1. Additional Challenge packets can be sent only after a valid Response packet is received or an optional retry counter expires.

In the Authentication phase, the authenticated device waits for the authenticating device to send a Challenge packet. After a Challenge packet is received, the authenticated device transmits a Response packet with the Code field value 2.

When a Response packet is received, the authenticating device compares the returned value with the locally calculated value. Based on the result of the comparison, the authenticating device sends a Success or Failure packet.

Figure 4 shows the Challenge and Response packet format.

Figure 4 Challenge and Response packet format


Table 3 shows the fields of a Challenge or Response packet.

Table 3 Fields of a Challenge or Response packet

Field | Length in Bytes | Description
--- | --- | ---
Code | 1 | The Code field identifies the type of a CHAP packet: 1: Challenge packet; 2: Response packet.
Identifier | 1 | The Identifier field indicates the relationship between Challenge packets and Response packets.
Length | 2 | The Length field specifies the total length of a Challenge or Response packet.
Value-size | 1 | The Value-size field specifies the length of the Value field.
Value | One or more | The Value field of a Challenge packet is a variable stream of bytes. The Value field of a Response packet is the one-way hash value calculated over a stream of bytes.
Name | One or more | The Name field length is determined by the Length field.


  • Success and Failure packet format

If the value received in a Response packet is equal to the calculated value, the authenticating device transmits a Success packet with the Code field value 3.

If the value received in a Response packet is different from the calculated value, the authenticating device transmits a Failure packet with the Code field value 4 and terminates the link.

Figure 5 shows the Success and Failure packet format.

Figure 5 Success and Failure packet format


Table 4 shows the fields of a Success or Failure packet.

Table 4 Fields of a Success or Failure packet

Field | Length in Bytes | Description
--- | --- | ---
Code | 1 | The Code field identifies the type of a CHAP packet: 3: Success packet; 4: Failure packet.
Identifier | 1 | The Identifier field helps match requests and replies.
Length | 2 | The Length field specifies the total length of a Success or Failure packet.
Message | Zero or more | The Message field length is determined by the Length field.
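The following is an added Python example, not code from the original post or from any vendor implementation. It serializes and parses the Challenge/Response packet layout from Figure 4 (Code, Identifier, Length, Value-size, Value, Name), computes the MD5 response the way the authentication process above describes (digest over the packet ID, the password and the Challenge value), and has the authenticating device recompute and compare the digest to decide between Success and Failure. The user names, password and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# CHAP packet Code values from Table 2 of the post.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_chap_packet(code, ident, value, name=b""):
    """Serialize Code | Identifier | Length | Value-size | Value | Name (Figure 4)."""
    data = bytes([len(value)]) + value + name
    # Length covers Code, Identifier, Length and Data (Table 2).
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_chap_packet(packet):
    """Parse a Challenge/Response packet; bytes past Length are link-layer padding."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("Length field inconsistent with received bytes")
    body = packet[4:length]  # padding after Length is discarded here
    value_size = body[0]
    if 1 + value_size > len(body):
        raise ValueError("Value-size exceeds packet Length")
    value = body[1:1 + value_size]
    name = body[1 + value_size:]  # Name length is implied by Length
    return code, ident, value, name


def chap_md5_response(ident, secret, challenge):
    """Response value: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticate(user_table, challenge_pkt, response_pkt):
    """Authenticating device: recompute the digest from the saved password and compare."""
    _, cid, challenge, _ = parse_chap_packet(challenge_pkt)
    code, rid, received, peer_name = parse_chap_packet(response_pkt)
    if code != RESPONSE or rid != cid:  # Identifier must match the outstanding Challenge
        return FAILURE
    secret = user_table.get(peer_name.decode("ascii", "replace"))
    if secret is None:  # unknown peer user name
        return FAILURE
    expected = chap_md5_response(cid, secret, challenge)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return SUCCESS if hmac.compare_digest(expected, received) else FAILURE
```

The authenticated device never sends the password: only the 16-byte digest and its Name travel in the Response packet, which is the property the post contrasts with PAP.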

IndianKid
Moderator Author Created Jan 16, 2022 07:06:59

Good share about CHAP Authentication, thanks.