Challenge-Handshake Authentication Protocol (CHAP)
The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically
verify the identity of the peer using a three-way handshake. This is done upon initial
link establishment, and may be repeated at any time after the link has been
established. After the Link Establishment phase is complete, the authenticator sends a
“challenge” message containing a random value to the peer. The peer responds with a
value calculated by applying a one-way hash function (MD5, as specified in RFC 1994)
to the challenge identifier, its secret, and the challenge value; the secret itself is
never transmitted. The authenticator, which must hold the same secret, checks the
response against its own calculation of the expected hash value. If the values match,
the authentication is acknowledged; otherwise the connection is terminated.
Because every challenge is fresh, a captured response cannot simply be replayed.
Note, however, that the authenticator must store each peer’s secret in recoverable
form, and that a captured challenge/response pair can be tested offline against
password guesses, so CHAP secrets should be long and random.
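The three-way handshake described above, carried through end to end as an added
example (this is not the router’s own code): both ends of the link are modelled in
one Python process, packets are encoded in the RFC 1994 layout, the authenticator
issues a fresh random challenge each time and consumes it on first use, and the
response is compared in constant time. The class names, the peer name “ws1”, and
the secrets are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes from RFC 1994.
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def build_packet(code, identifier, value=b"", name=b"", message=b""):
    """Serialize one CHAP packet: Code(1) Identifier(1) Length(2) Data.

    Challenge/Response data is Value-Size(1) Value Name; Success/Failure
    data is an optional free-text message.
    """
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        data = struct.pack("!B", len(value)) + value + name
    else:
        data = message
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_packet(pkt):
    """Parse a CHAP packet into a dict; raise ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than CHAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    data = pkt[4:]
    if code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        if not data or len(data) < 1 + data[0]:
            raise ValueError("truncated Value field")
        size = data[0]
        return {"code": code, "id": identifier,
                "value": data[1:1 + size], "name": data[1 + size:]}
    return {"code": code, "id": identifier, "message": data}


def chap_hash(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router side (assumed name): issues challenges, verifies responses."""

    def __init__(self, secrets):
        self.secrets = secrets   # name -> shared secret; must be kept in plaintext
        self.pending = {}        # identifier -> outstanding challenge value
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)   # fresh random challenge for every handshake
        self.pending[self.identifier] = value
        return build_packet(CHAP_CHALLENGE, self.identifier, value, b"router")

    def check(self, pkt):
        resp = parse_packet(pkt)
        if resp["code"] != CHAP_RESPONSE:
            raise ValueError("expected a CHAP Response")
        # The challenge is consumed on first use, so a replayed Response fails.
        challenge = self.pending.pop(resp["id"], None)
        secret = self.secrets.get(resp["name"])
        if challenge is None or secret is None:
            return build_packet(CHAP_FAILURE, resp["id"],
                                message=b"unknown peer or stale challenge")
        expected = chap_hash(resp["id"], secret, challenge)
        if hmac.compare_digest(expected, resp["value"]):
            return build_packet(CHAP_SUCCESS, resp["id"], message=b"welcome")
        return build_packet(CHAP_FAILURE, resp["id"], message=b"bad response")


class Peer:
    """The dial-in side (assumed name): answers with the hash of its secret."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, pkt):
        chal = parse_packet(pkt)
        if chal["code"] != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        value = chap_hash(chal["id"], self.secret, chal["value"])
        return build_packet(CHAP_RESPONSE, chal["id"], value, self.name)


def authenticate(authenticator, peer):
    """Run one three-way handshake; True if the authenticator answers Success."""
    challenge = authenticator.challenge()
    response = peer.respond(challenge)
    result = parse_packet(authenticator.check(response))
    return result["code"] == CHAP_SUCCESS


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real configuration.
    router = Authenticator({b"ws1": b"correct horse battery staple"})
    print(authenticate(router, Peer(b"ws1", b"correct horse battery staple")))
    print(authenticate(router, Peer(b"ws1", b"wrong")))
```

Calling authenticate() twice with the same peer exercises the “may be repeated”
behaviour: each call issues a new challenge, and resubmitting an old Response to
check() yields Failure because the challenge it answered has been consumed.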
Microsoft PPP CHAP Authentication (MS-CHAP)
Note: MS-CHAP is not available in 4M V2L images.
MS-CHAP is an extension to PPP CHAP that is used to authenticate remote
Windows workstations and peer routers. Both MS-CHAP and CHAP use PPP’s Link
Control Protocol (LCP) to negotiate the desired authentication protocol in one or
both directions; both use the CHAP protocol identifier as the PPP protocol; and
each protocol uses a random challenge which is encrypted as part of the response.
MS-CHAP permits remote Windows workstations to change their passwords;
however, MS-CHAP requires that the remote peer’s password has expired before
the remote user is prompted to change the password.
MS-CHAP can be used with the internal PPP user Local List database, but not with
the external AAA authentication server that is described in the chapter “Using Local
or Remote Authentication” in Using and Configuring Features. If you plan to use
Microsoft Point-to-Point Encryption (MPPE) on a PPP interface, you must enable
MS-CHAP on that interface before you configure MPPE, because MPPE derives its
session keys from the MS-CHAP authentication exchange. Use the talk 6 command
enable mschap to enable MS-CHAP.
Shiva Password Authentication Protocol (SPAP)
Note: SPAP is only available on interfaces that have IBM DIALs Dial-In circuits
configured.
The Shiva Password Authentication Protocol (SPAP) provides a simple method for
the peer to establish its identity using a two-way handshake similar to PAP. After the
Link Establishment phase is complete, an ID/password pair is sent repeatedly by the
peer to the authenticator until authentication is acknowledged, the connection is
terminated, or a retry counter expires.
SPAP is a moderately strong authentication protocol that uses a proprietary (Shiva)
encryption algorithm to protect the password in transit. Unlike CHAP, the two-way
handshake carries no per-connection challenge, so its protection rests on the
secrecy of that algorithm rather than on a one-way hash of a fresh random value;
treat it as weaker than CHAP where both are available. In addition to authentication,
SPAP offers:
• The ability to change a password.
  Note: SPAP change-password support is only available when the local PPP user
  list is used for authentication.
• The ability for the router to send a configurable banner requiring acknowledgment
  from the client after password authentication.
• The ability to use callback as an additional security feature.
• Virtual connections.
Using PPP
Chapter 32. Using Point-to-Point Protocol Interfaces 457