Using PPP

Challenge-Handshake Authentication Protocol (CHAP)

The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment, and may be repeated at any time after the link has been established. After the initial link establishment, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a "one-way hash" function. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection is terminated.
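The three-way handshake described above, written out as an added example in Python (this is illustrative code, not part of the IBM manual or the router's implementation). It follows the standard CHAP definition from RFC 1994: the response value is MD5 over the packet Identifier, the shared secret and the challenge, and the packet layout is Code, Identifier, Length, Value-Size, Value, Name. The user name, secret and router name are constructed sample values. Note that the authenticator needs the peer's secret in cleartext to recompute the hash, which is why CHAP cannot be verified against a one-way-hashed password store; the example also shows the two checks an authenticator must make in practice: a wrong secret fails, and a replayed response against an already-consumed challenge fails.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes from RFC 1994.
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2

# Constructed sample secret; in CHAP both ends must hold it in cleartext.
SAMPLE_SECRET = b"example-shared-secret"


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Encode a Challenge or Response packet:
    Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(pkt: bytes):
    """Decode a Challenge or Response packet; reject inconsistent lengths."""
    code, identifier, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > length:
        raise ValueError("CHAP length fields do not match packet size")
    value = pkt[5:5 + value_size]
    name = pkt[5 + value_size:length]
    return code, identifier, value, name


class Authenticator:
    """The side that issues challenges and checks responses (the router)."""

    def __init__(self, users: dict, name: bytes = b"router"):
        self.users = users          # name -> cleartext secret (constructed sample data)
        self.name = name
        self.identifier = 0
        self.outstanding = {}       # identifier -> challenge still awaiting a response

    def challenge(self) -> bytes:
        # A fresh, unpredictable challenge each time; may be re-issued at any
        # point during the session to re-verify the peer.
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.outstanding[self.identifier] = value
        return build_packet(CHAP_CHALLENGE, self.identifier, value, self.name)

    def verify(self, response: bytes) -> bool:
        code, identifier, value, name = parse_packet(response)
        # Consume the challenge so the same response cannot be replayed later.
        challenge = self.outstanding.pop(identifier, None)
        if code != CHAP_RESPONSE or challenge is None:
            return False
        secret = self.users.get(name)
        if secret is None:
            return False
        expected = chap_hash(identifier, secret, challenge)
        # Constant-time comparison of the 16-byte MD5 values.
        return hmac.compare_digest(expected, value)


class Peer:
    """The side being authenticated (the remote workstation or router)."""

    def __init__(self, name: bytes, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, challenge_pkt: bytes) -> bytes:
        code, identifier, value, _authenticator_name = parse_packet(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge packet")
        digest = chap_hash(identifier, self.secret, value)
        return build_packet(CHAP_RESPONSE, identifier, digest, self.name)


def run_handshake(auth: Authenticator, peer: Peer) -> bool:
    """One complete challenge/response/verify exchange."""
    challenge_pkt = auth.challenge()
    response_pkt = peer.respond(challenge_pkt)
    return auth.verify(response_pkt)


if __name__ == "__main__":
    router = Authenticator({b"alice": SAMPLE_SECRET})
    print("good peer:", run_handshake(router, Peer(b"alice", SAMPLE_SECRET)))
    print("wrong secret:", run_handshake(router, Peer(b"alice", b"wrong")))
```

Calling `Authenticator.challenge()` again later in the session gives the periodic re-verification the manual describes; each challenge is valid for exactly one response.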

Microsoft PPP CHAP Authentication (MS-CHAP)

Note: MS-CHAP is not available in 4M V2L images.

MS-CHAP is an extension to PPP CHAP that is used to authenticate remote Windows workstations and peer routers. Both MS-CHAP and CHAP use PPP's Link Control Protocol (LCP) to negotiate the desired authentication protocol in one or both directions; both use the CHAP protocol identifier as the PPP protocol; and each protocol uses a random challenge which is encrypted as part of the response. MS-CHAP permits remote Windows workstations to change their passwords; however, MS-CHAP requires that the remote peer's password has expired before the remote user is prompted to change the password.

MS-CHAP can be used with the internal PPP user Local List database, but not with the external AAA authentication server that is described in the chapter "Using Local or Remote Authentication" in Using and Configuring Features. If you plan to use Microsoft PPP Encryption (MPPE) on a PPP interface, you must enable MS-CHAP on that interface before you configure MPPE. Use the talk 6 command enable mschap to enable MS-CHAP.

 

Shiva Password Authentication Protocol (SPAP)

Note: SPAP is only available on interfaces that have IBM DIALs Dial-In circuits configured.

The Shiva Password Authentication Protocol (SPAP) provides a simple method for the peer to establish its identity using a 2-way handshake similar to PAP. After the Link Establishment phase is complete, an Id/Password is repeatedly sent by the peer to the authenticator until authentication is acknowledged, the connection is terminated, or a retry counter expires.

SPAP is a moderately strong authentication protocol that uses a proprietary encryption algorithm for the password. In addition to authentication, SPAP offers:

• The ability to change a password.

  Note: SPAP change password support is only available when the local PPP user list is used for authentication.

• The ability for the router to send a configurable banner requiring acknowledgment from the client after password authentication.

• The ability to use callback as an additional security feature.

• Virtual connections.

Chapter 32. Using Point-to-Point Protocol Interfaces 457

IBM SC30-3681-08 manual Challenge-Handshake Authentication Protocol Chap, Microsoft PPP Chap Authentication MS-CHAP