CHAP
CHAP is based on the premise that the password should never be sent in any packet across a network. Instead, CHAP dynamically encrypts the requesting user's ID and password. The user's machine goes through its logon procedure after obtaining a challenge key of at least 16 octets in length from the RADIUS client equipment. The client hashes that key and sends back a CHAP ID, a CHAP response, and the username to the RADIUS client. The RADIUS client, having received all of the above, places the CHAP ID and the CHAP response in the appropriate places in the CHAP-Password attribute and then sends its request on to the server. The challenge value originally obtained is placed either in the CHAP-Challenge attribute or in the authenticator field of the header, so that the server can easily access the value in order to authenticate the user.

To authenticate the user, the RADIUS server takes the CHAP-Challenge value, the CHAP ID, and the password on record for that particular user and submits them to a second run of the MD5 hashing algorithm. The result should be identical to the value found in the CHAP-Password attribute. If it is not, the server must deny the request; otherwise, the request is granted.
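The exchange described above, written out end to end as an added example (this is not code from the original text or from any RADIUS implementation): the user's machine computes MD5(ID || password || challenge), the RADIUS client packs the CHAP ID and response into a CHAP-Password attribute and the challenge into a CHAP-Challenge attribute, and the server recomputes the hash from its stored password and compares. The attribute type numbers (3 for CHAP-Password, 60 for CHAP-Challenge) are taken from RFC 2865; the password store, username, and CHAP ID value are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# RADIUS attribute type numbers from RFC 2865.
CHAP_PASSWORD = 3      # value: 1 octet CHAP ID + 16 octet CHAP response
CHAP_CHALLENGE = 60    # value: the challenge the RADIUS client issued to the user

# Constructed password store: the server must hold the cleartext password,
# because it has to recompute the hash from ID, password and challenge.
PASSWORD_DB = {"alice": b"correct horse battery staple"}


def chap_hash(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(ID || password || challenge): the one-way CHAP response value."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def make_challenge(length: int = 16) -> bytes:
    """Challenge issued by the RADIUS client; fresh and at least 16 octets."""
    if length < 16:
        raise ValueError("CHAP challenge should be at least 16 octets")
    return secrets.token_bytes(length)


def user_logon(chap_id: int, password: bytes, challenge: bytes):
    """User's machine: hash the challenge with ID and password; the password stays local."""
    return chap_id, chap_hash(chap_id, password, challenge)


def encode_attributes(chap_id: int, response: bytes, challenge: bytes) -> bytes:
    """RADIUS client: pack CHAP-Password and CHAP-Challenge as type/length/value."""
    if len(response) != 16:
        raise ValueError("CHAP response must be 16 octets")
    chap_password = bytes([CHAP_PASSWORD, 2 + 1 + 16, chap_id]) + response
    chap_challenge = bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    return chap_password + chap_challenge


def decode_attributes(data: bytes) -> dict:
    """Walk the attribute list; each entry is type(1) length(1) value(length-2)."""
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_authenticate(username: str, attrs: dict) -> bool:
    """RADIUS server: recompute the hash from the stored password and compare."""
    password = PASSWORD_DB.get(username)
    if password is None or CHAP_PASSWORD not in attrs or CHAP_CHALLENGE not in attrs:
        return False
    value = attrs[CHAP_PASSWORD]
    if len(value) != 17:          # 1 octet ID + 16 octet MD5 response
        return False
    chap_id, received = value[0], value[1:]
    expected = chap_hash(chap_id, password, attrs[CHAP_CHALLENGE])
    # Constant-time comparison so a mismatch does not leak timing information.
    return hmac.compare_digest(expected, received)


def run_exchange(username: str, password_at_user: bytes, chap_id: int = 0x2A,
                 challenge: Optional[bytes] = None) -> tuple:
    """Whole flow; returns (authenticated, wire_bytes) so the caller can inspect what was sent."""
    challenge = challenge if challenge is not None else make_challenge()
    ident, response = user_logon(chap_id, password_at_user, challenge)
    wire = encode_attributes(ident, response, challenge)
    return server_authenticate(username, decode_attributes(wire)), wire


if __name__ == "__main__":
    ok, wire = run_exchange("alice", PASSWORD_DB["alice"])
    print("correct password accepted:", ok)
    print("password bytes present on the wire:", PASSWORD_DB["alice"] in wire)
    print("wrong password accepted:", run_exchange("alice", b"guess")[0])
```

Two points the code makes concrete: the bytes that travel between client and server never contain the password, only the 16-octet digest, and the server can only verify that digest because it holds the password in a form it can feed to MD5 itself. The challenge is generated fresh for every logon; a challenge that repeated would let a recorded response satisfy a later request, so a RADIUS client should never reuse one.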
The fact that the password in a CHAP transaction is never passed across the network is just one reason why CHAP is an appealing authentication protocol. How does this work? The user data against which the hashing routine is run returns a one-way value that does not contain the password. So the server must have the current ...