Password Protocols

During an authentication transaction, password information is transmitted between the NAS and the RADIUS server. This password information originally comes from the user, for example during PPP negotiations between a user and a NAS. Steel-Belted Radius Carrier supports three protocols (PAP, CHAP, and MS-CHAP v2) for receiving the password from the NAS. Steel-Belted Radius Carrier also supports the Extensible Authentication Protocol (EAP).

Table 14 lists supported protocols according to the authentication methods with which each protocol can be used.

Table 14: Authentication Methods and Password Protocols

Method: LDAP
  PAP: Yes
  CHAP: Yes, if BindName is used and the password is in clear-text form or is encrypted with enc-md5. No, if Bind is used.
  MS-CHAP v2: Yes, if the LDAP server can return a clear-text password or an MD4 hash of the Unicode form of the password. No, if Bind is used.

Method: Local (Native)
  PAP: Yes
  CHAP: Yes
  MS-CHAP v2: Yes

Method: Proxy RADIUS
  PAP: Yes
  CHAP: Yes
  MS-CHAP v2: Yes

Method: SQL
  PAP: Yes
  CHAP: Yes, if the password is available in clear-text form in the database or is encrypted with enc-md5.
  MS-CHAP v2: Yes, if BindName is used and the password is in clear-text form, is encrypted with enc-md5, or is the MD4 hash of the Unicode form of the password.

Method: UNIX User
  PAP: Yes
  CHAP: No
  MS-CHAP v2: No

Method: UNIX Group
  PAP: Yes
  CHAP: No
  MS-CHAP v2: No

Password Authentication Protocol

When the Password Authentication Protocol (PAP) is used, the remote user sends the password to the NAS in clear text during the PPP negotiation; nothing protects it on that link. After the NAS has enough information from the user to create an Access-Request, it hides the password in the User-Password attribute using its RADIUS shared secret (the RFC 2865 scheme: the password is padded to 16-octet blocks and each block is XORed with the MD5 of the shared secret and the previous block, starting from the Request Authenticator) before sending the Access-Request packet to Steel-Belted Radius Carrier.

Upon receiving the Access-Request, Steel-Belted Radius Carrier looks for attributes within the packet that identify the NAS that sent it. Steel-Belted Radius Carrier reverses the hiding by using the shared secret configured for the RADIUS client entry associated with the sending NAS.

Ultimately, Steel-Belted Radius Carrier has the password in clear-text form for authentication, which is why PAP works with every authentication method in Table 14: the server can compare the clear-text password against whatever form the back end stores. The trade-off is that the hiding is keyed only by the shared secret; anyone who knows it, or who captures Access-Requests and guesses it offline, recovers the password.
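The hiding step described above, written out as an added example (this is not Steel-Belted Radius Carrier code and does not come from this page): it implements the RFC 2865 section 5.2 User-Password scheme from both the NAS side and the server side. The function names, the shared secret, the Request Authenticator and the password are all constructed for the example.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Added example, not Steel-Belted Radius Carrier code: RFC 2865 section 5.2
# User-Password hiding as applied by a NAS for PAP, and its reversal on a
# RADIUS server. All secrets, authenticators and passwords are test values.

BLOCK = 16  # User-Password is hidden in 16-octet blocks


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad the password with NULs to a multiple of 16 octets, then XOR
    each block with MD5(secret || previous ciphertext block). The chain is seeded
    with the 16-octet Request Authenticator of the Access-Request."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        hidden += cipher_block
        prev = cipher_block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 chain with the secret configured for
    the sending RADIUS client, XOR it back out, and strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher_block = hidden[i:i + BLOCK]
        clear += bytes(c ^ k for c, k in zip(cipher_block, keystream))
        prev = cipher_block  # chain is keyed on ciphertext, so no plaintext state is needed
    return bytes(clear).rstrip(b"\x00")


def round_trip(password: bytes, secret: bytes, authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Return (hidden attribute, what the configured secret recovers,
    what a wrong secret recovers)."""
    ra = authenticator or secrets.token_bytes(BLOCK)
    hidden = hide_user_password(password, secret, ra)
    return (
        hidden,
        reveal_user_password(hidden, secret, ra),
        reveal_user_password(hidden, b"not-the-secret", ra),
    )


if __name__ == "__main__":
    hid, good, bad = round_trip(b"correct horse battery", b"radius-shared-secret")
    print("hidden User-Password:", hid.hex())
    print("with configured secret:", good)
    print("with wrong secret     :", bad)
```

Note that the only secret input to the keystream is the shared secret: everything else (the Request Authenticator, the hidden attribute) travels in the clear in the Access-Request. A short or guessable shared secret therefore exposes every PAP password sent by that NAS to anyone who can capture the RADIUS traffic, which is the usual argument for long random secrets and for carrying RADIUS inside IPsec or RADIUS/TLS.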

Challenge Handshake Authentication Protocol

The Challenge Handshake Authentication Protocol (CHAP, RFC 1994) avoids sending passwords in clear text over any communication link. Under CHAP, during password negotiations the NAS generates a challenge (a random string) and an identifier and sends them to the user. The user's PPP client computes a one-way MD5 hash over the identifier, the password, and the challenge, and sends the resulting 16-octet digest to the NAS.

The NAS places the identifier and the digest in the CHAP-Password attribute of the Access-Request and carries the challenge in the CHAP-Challenge attribute (a 16-octet challenge may instead be carried in the Request Authenticator).

Because the hash is one-way, Steel-Belted Radius Carrier cannot recover the password from the digest. Instead, it performs the identical operation, using the identifier and challenge from the Access-Request and its own copy of the user's password, to generate its own digest. If the two digests match, the user holds the same password. The NAS must issue a fresh challenge for every attempt; a digest computed for a reused challenge can simply be replayed.

Steel-Belted Radius Carrier must be able to perform the digest operation to support CHAP. Therefore, it must have access to its own copy of the user's password. Native User passwords are stored in the Steel-Belted Radius Carrier database. SQL or LDAP BindName authentication retrieves the password by means of a query to the database; the retrieved password can be used to create a digest only if it is in clear-text form (Table 14 also lists the enc-md5 form for these methods). A back end that holds only a one-way hash of the password cannot support CHAP, and neither can LDAP Bind, because a Bind only tests a clear-text password that the server must already possess.
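The exchange described above, as an added example that is not part of this page and not Steel-Belted Radius Carrier code: a PPP client, a NAS and a RADIUS server go through one CHAP login, and the same server is then pointed at a back end that stores only a SHA-256 hash of the password. The usernames, passwords, both credential stores and the dictionary used to stand in for an Access-Request are constructed for the example; the function names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Added example, not Steel-Belted Radius Carrier code: a CHAP (RFC 1994)
# exchange between PPP client, NAS and RADIUS server, showing why the server
# needs the user's password itself rather than a one-way hash of it.
# Users, passwords and both credential stores are constructed test data.

CHAP_RESPONSE_LEN = 16  # MD5 digest length


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_access_request(username: str, chap_id: int, challenge: bytes, response: bytes) -> Dict[str, bytes]:
    """RFC 2865: CHAP-Password carries the identifier plus the 16-octet response;
    the challenge travels in CHAP-Challenge. A dict stands in for the packet."""
    return {
        "User-Name": username.encode(),
        "CHAP-Password": bytes([chap_id]) + response,
        "CHAP-Challenge": challenge,
    }


# Two ways a back end might hold the same user's credential (constructed).
CLEAR_STORE = {"alice": {"type": "clear", "value": b"correct horse battery"}}
HASHED_STORE = {"alice": {"type": "sha256", "value": hashlib.sha256(b"correct horse battery").digest()}}


def server_verify_chap(request: Dict[str, bytes], store: Dict[str, dict]) -> Tuple[bool, str]:
    """RADIUS server side: recompute the digest from its own copy of the password."""
    cred = store.get(request["User-Name"].decode())
    if cred is None:
        return False, "unknown user"
    chap_pw = request["CHAP-Password"]
    if len(chap_pw) != 1 + CHAP_RESPONSE_LEN:
        return False, "malformed CHAP-Password"
    if cred["type"] != "clear":
        # A one-way hash cannot be fed into MD5(id || password || challenge):
        # the server has nothing to recompute with, so CHAP is unusable here.
        return False, f"password stored as {cred['type']}; CHAP needs clear text"
    chap_id, peer_response = chap_pw[0], chap_pw[1:]
    expected = chap_response(chap_id, cred["value"], request["CHAP-Challenge"])
    # constant-time compare: the digest is the only authenticator in the packet
    if hmac.compare_digest(expected, peer_response):
        return True, "ok"
    return False, "digest mismatch"


def run_exchange(store: Dict[str, dict], username: str, typed_password: bytes) -> Tuple[bool, str]:
    """Simulate one login: the NAS issues a fresh identifier and challenge,
    the client answers, the NAS forwards it, the server verifies."""
    chap_id = secrets.randbelow(256)
    challenge = secrets.token_bytes(16)  # fresh per attempt, otherwise a captured digest replays
    response = chap_response(chap_id, typed_password, challenge)  # computed by the PPP client
    request = nas_access_request(username, chap_id, challenge, response)
    return server_verify_chap(request, store)


if __name__ == "__main__":
    for store_name, store in (("clear", CLEAR_STORE), ("sha256", HASHED_STORE)):
        for pw in (b"correct horse battery", b"wrong"):
            print(store_name, pw, run_exchange(store, "alice", pw))
```

The `sha256` case is the situation Table 14 marks as No: the server's only option would be to brute-force the hash, so a back end that stores one-way hashes has to be paired with PAP (or with EAP methods that do not need the password itself), even though it is the better storage format. Note also that the CHAP digest itself is an unsalted MD5 over the password, so a captured challenge and response are enough for an offline guessing attack on weak passwords.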

MS-CHAP v2

MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2, RFC 2759) is a Microsoft challenge-response protocol that, like CHAP, avoids sending passwords in clear text. Its response is derived from the NT hash of the password (the MD4 hash of the Unicode form of the password) rather than from the password itself. MS-CHAP v1 is not supported.

Steel-Belted Radius Carrier must be able to perform a digest operation similar to CHAP to support MS-CHAP v2. Therefore, it must have access to its own copy of the user's password or of its NT hash. Native User passwords are stored in the Steel-Belted Radius Carrier database. SQL or LDAP BindName authentication retrieves the password by means of a query to the database; the retrieved value can be used to create the response if it is in clear-text form or, as Table 14 notes, if it is the MD4 hash of the Unicode form of the password. Because that hash is unsalted and is by itself sufficient to produce a valid response, a store of NT hashes must be protected as carefully as a store of clear-text passwords.

MS-CHAP v2 communicates users’ requests to change their passwords to a RADIUS server. Steel-Belted Radius Carrier supports this feature, although it must also be supported by whatever application the user is using to log in. For more information about MS-CHAP v2, see RFC 2433, Microsoft PPP CHAP Extensions; RFC 2548, Microsoft Vendor-specific RADIUS Attributes; and RFC 2759, Microsoft PPP CHAP Extensions, Version 2.

Modified: 2017-09-27