∙A “challenge value” (a randomly generated string of characters)
The challenged system then concatenates the challenge value with the shared secret and passes the new string through a hashing algorithm. When the hashing algorithm has formed a response based on this string, the challenged system replies with a packet containing both the response value and a user name.
The authenticating host looks up the correct password for the user name received and then performs the same calculations the client performed, comparing the result to the response value received. If the results match, the challenged system is allowed to pass through. However, the authenticating host can issue additional CHAP challenges at any time during the connection.
Note: both ends of the connection must be using the same hashing algorithm for the connection to succeed. The NETServer uses an algorithm called MD5.
CHAP Setup for the NETServer
Because both sides of a CHAP connection need to look up a password, each side requires a user table entry for the other system. Note that each of these user table entries must have a password and the passwords must be identical.
∙Whether dialing in or authenticating, the NETServer puts its Sysname in the user name field. This means that the remote system must have a user table entry with this user name.
∙The NETServer must have a (network user) user table entry for the user name the remote system sends. Note that if the remote device is another NETServer, it will be sending its Sysname.
∙These user table entries must not be configured as dialback users.
