3Com MSR 50 Series Configuration Manual page 364

3com msr 30-16: software guide

364 CHAPTER 19: PPP AND MP CONFIGURATION
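Figure 91 PAP Authentication [diagram: the authenticatee sends the user name and the password to the authenticator; the authenticator returns Ack or Not Ack]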
During PAP authentication, the password is transmitted on the link in plain text. In
addition, the authenticatee sends the username and the password repeatedly
through the established PPP link until the authentication is over. PAP is therefore
not a secure authentication protocol and cannot prevent attacks.
CHAP authentication
Challenge-handshake authentication protocol (CHAP) is a three-way handshake
authentication protocol that uses a ciphertext password.
Currently, two types of CHAP authentication exist: one-way CHAP authentication
and two-way CHAP authentication. In one-way CHAP authentication, one side of
the link acts as the authenticator and the other acts as the authenticatee. In
two-way authentication, each side serves as both the authenticator and the
authenticatee. Normally, one-way CHAP authentication is adopted.
CHAP authentication is performed as follows:
1 The authenticator actively initiates an authentication request by sending a
randomly generated packet (Challenge) carrying its own username to the
authenticatee.
2 When the authenticatee receives the authentication request, it searches its local
user database for a password matching the username in the packet. If a match
is found, the authenticatee encrypts this packet based on the packet ID, the password
and the MD5 algorithm, and then sends a Response carrying the generated
ciphertext and its own username back to the authenticator.
3 If the authenticatee fails to find a match, it checks its local interface for the
default CHAP password. If the CHAP password has been configured, the
authenticatee encrypts this packet based on the packet ID, the default password
and the MD5 algorithm, and then sends a Response carrying the generated
ciphertext and its own username back to the authenticator.
4 After receiving the Response, the authenticator encrypts the original randomly
generated packet based on the authenticatee password it keeps and the MD5
algorithm. The authenticator then compares the result of the encryption with the
ciphertext received, and returns an Acknowledge or Not Acknowledge packet
depending on the comparison result.
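
The handshake described above, as an added Python example (not code from the 3Com manual or the router software). It assumes the RFC 1994 response calculation, MD5 over the packet ID, the password and the challenge value, so the "ciphertext" is a one-way digest and the password itself never crosses the link; the class names, RouterA/RouterB and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 (assumed here): MD5 over packet ID || password || challenge value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    def __init__(self, name, users):
        self.name, self.users = name, users   # users: authenticatee name -> password
        self.pending = {}                      # packet ID -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        # Step 1: random challenge plus the authenticator's own username.
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident], self.name

    def verify(self, ident, digest, username):
        # Step 4: recompute from the stored password and compare.
        value = self.pending.pop(ident, None)  # each challenge is accepted once
        secret = self.users.get(username)
        if value is None or secret is None:
            return False                       # Not Acknowledge
        return hmac.compare_digest(chap_response(ident, secret, value), digest)

class Authenticatee:
    def __init__(self, name, users, default_password=None):
        self.name, self.users = name, users   # users: authenticator name -> password
        self.default_password = default_password

    def respond(self, ident, value, peer_name):
        # Steps 2-3: local user database first, then the interface default password.
        secret = self.users.get(peer_name, self.default_password)
        if secret is None:
            return None
        return ident, chap_response(ident, secret, value), self.name

def demo():
    # Constructed names and passwords.
    auth = Authenticator("RouterA", {"RouterB": b"hello-chap"})
    peer = Authenticatee("RouterB", {"RouterA": b"hello-chap"})
    first = peer.respond(*auth.challenge())
    accepted = auth.verify(*first)
    ident2, _, _ = auth.challenge()           # fresh challenge for a new session
    replayed = auth.verify(ident2, first[1], first[2])
    return accepted, replayed                 # (True, False)

if __name__ == "__main__":
    print(demo())
```

The second result is False because a Response captured from one exchange does not match a later Challenge, which is the property PAP's repeated plain-text password lacks.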
