PPP Features

Authentication

Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to connect to a PPP network server via switched circuits or dialup lines, but might be applied to dedicated links as well. The server can use identification of the connecting host or router to select options for network layer negotiations.

The authentication protocol to use is negotiated with the peer entity via LCP configuration options. If the authentication option is successfully negotiated, the LCP module initiates authentication after link establishment. The authentication module then performs the authentication and communicates the result back to the LCP module. If authentication succeeds, LCP informs NCP that the PPP link is operational. If authentication fails, LCP closes the PPP link and generates an error message.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is a simple method for the peer to establish its identity using a two-way handshake. PAP authentication occurs only upon initial link establishment. After the link establishment phase is complete, the peer repeatedly sends an ID/Password pair to the authenticator until authentication is acknowledged or the connection is closed.

PAP is not a strong authentication method because passwords are sent over the circuit in the clear, with no protection from playback or repeated trial-and-error attacks. The peer, not the authenticator, controls the frequency and timing of authentication attempts.

PAP is most appropriate where a plaintext password must be available to simulate a login at a remote host. In such a use, PAP provides a similar level of security to the usual user login at the remote host.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP), as referenced in RFC-1994, periodically verifies the identity of the peer using a three-way handshake. This occurs upon initial link establishment and may be repeated at any time after the link has been established.

After the link establishment phase is complete, the authenticator sends a “challenge” message to the peer. The peer responds with a value calculated using a “one-way hash” function.

The authenticator checks the response against its own calculation of the expected hash value. If the values match, the connection is accepted; otherwise the connection is ended. CHAP uses MD5 as its hashing algorithm.

CHAP protects against playback attack with an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator controls the frequency and timing of the challenges.

CHAP depends upon a secret known only to the authenticator and the peer. The secret itself is never sent over the link. CHAP is most likely to be used where the same secret is easily accessible from both ends of the link.
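The three-way CHAP exchange described above (challenge, hashed response, verification), worked through in code. This is an added example, not code from the XSR or from RFC-1994; the peer name, shared secret and challenge values are constructed, and the Authenticator class is a hypothetical illustration of the authenticator's bookkeeping. It shows the response being computed as MD5 over the Identifier, the secret and the Challenge value per RFC-1994, the secret never appearing on the link, and why an incrementing identifier with a fresh challenge value defeats playback of an earlier response.

```python
"""Worked CHAP (RFC 1994) exchange: challenge -> response -> success/failure.

Added example with constructed values; not the XSR's own implementation.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: one-way hash MD5(Identifier || secret || Challenge value).

    The secret is an input to the hash only; it is never placed on the link.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical authenticator: issues challenges and verifies responses."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets                  # peer name -> shared secret (constructed)
        self.identifier = 0                     # incremented for every new challenge
        self.outstanding: Dict[int, bytes] = {}  # identifier -> challenge still pending

    def challenge(self, length: int = 16, value: Optional[bytes] = None) -> Tuple[int, bytes]:
        """Return (Identifier, Challenge value); `value` lets a test fix the challenge."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = value if value is not None else os.urandom(length)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Success only if the response matches the pending challenge for this Identifier."""
        chal = self.outstanding.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(expected, response)


def run_exchange(auth: Authenticator, name: str, peer_secret: bytes) -> bool:
    """Full handshake: authenticator challenges, peer responds, authenticator decides."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)     # peer uses its copy of the secret
    return auth.verify(ident, name, resp)


def rejects_replayed_response(auth: Authenticator, name: str, peer_secret: bytes) -> bool:
    """Show the playback protection: a response valid for one challenge fails for the next."""
    ident, chal = auth.challenge()
    earlier = chap_response(ident, peer_secret, chal)
    first_ok = auth.verify(ident, name, earlier)
    ident2, _ = auth.challenge()                       # new Identifier, new random challenge
    return first_ok and not auth.verify(ident2, name, earlier)


if __name__ == "__main__":
    auth = Authenticator({"router-a": b"constructed-shared-secret"})
    print("correct secret :", run_exchange(auth, "router-a", b"constructed-shared-secret"))
    print("wrong secret   :", run_exchange(auth, "router-a", b"guess"))
    print("replay rejected:", rejects_replayed_response(auth, "router-a", b"constructed-shared-secret"))
```

Two design points are worth noting for anyone building or auditing such an authenticator: the challenge must be removed from the pending table as soon as it is used, so that a captured response cannot be submitted twice against the same Identifier, and the comparison of the expected and received hashes should be constant-time.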

Microsoft Challenge Handshake Protocol (MS-CHAP)

MS-CHAP, as referenced in RFC-2433, authenticates remote Windows workstations, providing the functionality to which LAN-based users are accustomed while integrating the encryption and hashing algorithms used on Windows networks. MS-CHAP is closely derived from PPP CHAP, with the exception that it uses MD4 as its hashing algorithm.

XSR User’s Guide 8-3
