1-11
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter1 Overview of Cisco Secure ACS AAA Server Functions and Concepts
Comparing PAP, CHAP, and ARAP
PAP, CHAP, and ARAP are authentication protocols used to encrypt passwords.
However, each protocol provides a different level of security.
PAPUses clear-text passwords (that is, unencrypted passwords) and is the
least sophisticated authentication protocol. If you are using the
WindowsNT/2000 user database to authenticate users, you must use PAP
password encryption or MS-CHAP.
CHAPUses a challenge-response mechanism with one-way encryption on
the response. CHAP enables Cisco Secure ACS to negotiate downward from
the most secure to the least secure encryption mechanism, and it protects
passwords transmitted in the process. CHAP passwords are reusable. If you
are using the CiscoSecure user database for authentication, you can use either
PAP or CHAP. CHAP does not work with the WindowsNT/2000 user
database.
ARAPUses a two-way challenge-response mechanism. The AAA client
challenges the end-user client to authenticate itself, and the end-user client
challenges the AAA client to authenticate itself.
MS-CHAP
Cisco Secure ACS supports Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP) for user authentication. Differences between MS-CHAP
and standard CHAP are the following:
The MS-CHAP Response packet is in a format compatible with Microsoft
WindowsNT/2000, Windows 95/98/ME, and LAN Manager 2.x. The
MS-CHAP format does not require the authenticator to store a clear-text or
reversibly encrypted password.
MS-CHAP provides an authentication-retry mechanism controlled by the
authenticator.
MS-CHAP provides additional failure codes in the Failure packet Message
field.
For more information on MS-CHAP, refer to RFC
draft-ietf-pppext-mschap-00.txt, RADIUS Attributes for MS-CHAP Support.