Authentication; Password Authentication Protocol (PAP); Challenge Handshake Authentication Protocol (CHAP); Microsoft Challenge Handshake Protocol (MS-CHAP) - Enterasys Security Router X-Pedition User Manual

Enterasys security router user's guide

Authentication

Authentication protocols, as referenced in RFC-1334, are used primarily by hosts and routers to
connect to a PPP network server via switched circuits or dialup lines, but might be applied to
dedicated links as well. The server can use identification of the connecting host or router to select
options for network layer negotiations.
The authentication protocol used is negotiated with the peer entity via LCP configuration options.
If the authentication option is successfully negotiated, the LCP module initiates authentication
after link establishment. The authentication module performs the authentication and reports the result to
the LCP module. If authentication succeeds, LCP informs NCP that the PPP link is operational. If
authentication fails, LCP closes the PPP link and generates an error message.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is a simple method for the peer to establish its
identity using a two-way handshake. PAP authentication occurs only upon initial link
establishment. After the link establishment phase is complete, the peer repeatedly sends an ID/Password pair to the
authenticator until authentication is acknowledged or the connection is closed.
PAP is not a strong authentication method because passwords are sent over a circuit in the clear
with no protection from playback or repeated trial and error attacks. The peer controls the
frequency and timing of authentication tries.
PAP is most appropriate where a plaintext password must be available to simulate a login at a
remote host. In such a use, PAP provides a similar level of security to the usual user login at the
remote host.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP), as referenced in RFC-1994,
periodically verifies the identity of the peer using a 3-way handshake. This occurs upon initial link
establishment, and may be repeated anytime after the link has been established.
After the link establishment phase is complete, the authenticator sends a "challenge" message to
the peer. The peer responds with a value calculated using a "one-way hash" function.
The authenticator checks the response against its own calculation of the expected hash value. If
the values match, the connection is accepted; otherwise the connection is ended. CHAP uses MD5
as its hashing algorithm.
CHAP protects against playback attack with an incrementally changing identifier and a variable
challenge value. The use of repeated challenges is intended to limit the time of exposure to any
single attack. The authenticator controls the frequency and timing of the challenges.
CHAP depends upon a secret known only to the authenticator and that peer. The secret is not sent
over the link. CHAP is most likely used where the same secret is easily accessed from both ends of
the link.
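The following added example (not part of the Enterasys manual or the XSR firmware) puts the PAP and CHAP descriptions above side by side: it encodes a PAP Authenticate-Request as RFC 1334 lays it out and shows that the password is readable straight from the bytes on the link, then runs the RFC 1994 CHAP three-way handshake, where the response is MD5(Identifier || secret || Challenge), the secret never crosses the link, and the changing identifier/challenge pair lets the authenticator reject a replayed response. The peer ID, passwords and the shared secret are constructed sample values; the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# --- PAP (RFC 1334): Authenticate-Request carries the password in clear text ---
PAP_AUTHENTICATE_REQUEST = 1


def pap_build_request(identifier, peer_id, password):
    """Encode Code(1) | Identifier | Length | Peer-ID-Length | Peer-ID |
    Passwd-Length | Password, as the PAP peer sends it after link establishment."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, identifier, 4 + len(body)) + body


def pap_parse_request(packet):
    """Decode a PAP Authenticate-Request. Anyone who can see the link bytes can do
    this, which is why PAP offers no protection against sniffing or replay."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    id_len = packet[pos]
    peer_id = packet[pos + 1:pos + 1 + id_len]
    pos += 1 + id_len
    pw_len = packet[pos]
    password = packet[pos + 1:pos + 1 + pw_len]
    return {"identifier": identifier, "peer_id": peer_id, "password": password}


# --- CHAP (RFC 1994): Response value = MD5(Identifier || secret || Challenge) ---
def chap_response_value(identifier, secret, challenge):
    """One-way hash over the identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_peer_respond(identifier, challenge, secret):
    """Peer side: compute the Response for the Challenge it just received."""
    return chap_response_value(identifier, secret, challenge)


class ChapAuthenticator:
    """Authenticator side: issues challenges, verifies responses, rejects replays.
    The authenticator, not the peer, decides when a new challenge is sent."""

    def __init__(self, secret):
        self._secret = secret            # known only to authenticator and peer
        self._identifier = 0             # changes with every challenge
        self._outstanding = {}           # identifier -> challenge value still awaiting a response

    def challenge(self):
        """Send a Challenge: fresh identifier plus a random challenge value."""
        self._identifier = (self._identifier + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier, response):
        """Check a Response. Each challenge is consumed on first use, so a captured
        (identifier, response) pair replayed later no longer matches anything."""
        challenge = self._outstanding.pop(identifier, None)
        if challenge is None:
            return False                  # unknown, expired or already-answered challenge
        expected = chap_response_value(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


def run_demo():
    """Exercise both protocols and report what an observer of the link learns."""
    # PAP: constructed sample credentials travel in the clear
    pap_packet = pap_build_request(7, b"branch-router", b"s3cret-pw")
    observed = pap_parse_request(pap_packet)

    # CHAP: constructed shared secret; only hashes travel over the link
    shared_secret = b"constructed-shared-secret"
    auth = ChapAuthenticator(shared_secret)
    ident, chal = auth.challenge()
    resp = chap_peer_respond(ident, chal, shared_secret)
    first_try = auth.verify(ident, resp)          # genuine peer: Success
    replayed = auth.verify(ident, resp)           # same response again: Failure
    ident2, chal2 = auth.challenge()
    wrong_secret = auth.verify(ident2, chap_peer_respond(ident2, chal2, b"guess"))

    return {
        "pap_password_visible_on_link": observed["password"],
        "chap_secret_on_link": shared_secret in (bytes([ident]) + chal + resp),
        "chap_accepted": first_try,
        "chap_replay_accepted": replayed,
        "chap_wrong_secret_accepted": wrong_secret,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The replay check in `verify` is the practical consequence of the "incrementally changing identifier and variable challenge value" the text describes: a response is only meaningful for the one challenge it answers, so the authenticator discards each challenge once answered and rejects anything that arrives for it afterwards. The one-way hash means that an observer sees the challenge and the response but never the secret, which is exactly what PAP cannot offer.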

Microsoft Challenge Handshake Protocol (MS-CHAP)

MS-CHAP, referenced in RFC-2433, authenticates remote Windows workstations, providing the
functionality to which LAN-based users are accustomed while integrating the encryption and
hashing algorithms used on Windows networks. MS-CHAP is closely derived from the PPP
CHAP with the exception that it uses MD4 as its hashing algorithm.
PPP Features
XSR User's Guide 8-3
