RADIUS CHAP/PAP Authentication Schemes

A digest authentication scheme reads an encrypted user attribute string that is stored in a directory. The scheme then compares the string to the encrypted string it receives from the user. If the encrypted strings match, the Policy Server authenticates the user. The comparison of the encrypted strings occurs without using an encrypted transmission.

The following digest authentication schemes are available:

PAP Overview

The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake. PAP only executes this process during the initial link to the authenticating server. A user’s machine repeatedly sends an ID/password pair to the authenticating server until authentication is acknowledged or the connection is terminated.

This authentication method is most appropriately used where a plain text password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.

CHAP Overview

CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following process occurs to establish a user’s identity:

  1. After the link between the user’s machine and the authenticating server is made, the server sends a challenge message to the connection requester. The requester responds with a value obtained by using a one-way hash function.
  2. The server checks the response by comparing it against its own calculation of the expected hash value.
  3. If the values match, the authentication is acknowledged; otherwise the connection is terminated.

At any time, the server can request the connected party to respond to a new challenge message. Because CHAP identifiers change frequently and the server can make an authentication request at any time, CHAP provides more security than PAP.

RADIUS CHAP/PAP Scheme Overview

The RADIUS CHAP/PAP scheme authenticates users by computing the digest of a user's password. The Policy Server then compares the digest to the CHAP password in the RADIUS packet. The digest consists of the hashed password, which is calculated using a directory attribute. This attribute is specified during the configuration of the RADIUS CHAP/PAP authentication scheme.
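The CHAP exchange described above and the digest comparison the RADIUS CHAP/PAP scheme performs, as an added Python example (not code from the original page or from the Policy Server). The user name, password value and challenge bytes are constructed, and a dictionary stands in for the directory attribute that holds the clear-text password.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the directory attribute that holds each user's
# clear-text password (the attribute named when the scheme is configured).
DIRECTORY = {"alice": "correct horse battery"}


def new_challenge() -> bytes:
    """Server step 1: a fresh 16-byte challenge (RFC 2865 uses the Request
    Authenticator when no CHAP-Challenge attribute is sent)."""
    return os.urandom(16)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """Client step 1 (RFC 1994): MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def encode_chap_password(ident: int, response: bytes) -> bytes:
    """RADIUS CHAP-Password attribute value: 1-byte identifier + 16-byte digest."""
    return bytes([ident]) + response


def verify_chap(user: str, chap_password: bytes, challenge: bytes) -> bool:
    """Server steps 2-3: recompute the digest from the stored clear-text
    password and compare; a mismatch or malformed attribute is a reject."""
    if len(chap_password) != 17:
        return False
    password = DIRECTORY.get(user)
    if password is None:
        return False
    ident, received = chap_password[0], chap_password[1:]
    expected = chap_response(ident, password, challenge)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, received)


def run_exchange(user: str, password_attempt: str, ident: int = 1) -> bool:
    """Full round trip: server challenges, client answers, server verifies."""
    challenge = new_challenge()
    response = chap_response(ident, password_attempt, challenge)
    return verify_chap(user, encode_chap_password(ident, response), challenge)


if __name__ == "__main__":
    print("alice, correct password:", run_exchange("alice", "correct horse battery"))
    print("alice, wrong password:  ", run_exchange("alice", "wrong-password"))
```

Because the server must recompute MD5(identifier || password || challenge), it needs the password itself, which is why the scheme is configured with a clear-text password attribute rather than a one-way hash.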

RADIUS CHAP/PAP Scheme Prerequisites

Meet the following prerequisites before configuring a RADIUS CHAP/PAP authentication scheme:

Configure a RADIUS CHAP/PAP Authentication Scheme

Use a RADIUS CHAP/PAP authentication scheme when you are using the RADIUS protocol.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

    Click OK.

  4. Enter a name and protection level.
  5. Select RADIUS CHAP/PAP Template from the Authentication Scheme Type list.
  6. Specify the clear text password in the Scheme Setup section.
  7. Click Submit.

    The authentication scheme is saved and may be assigned to a realm.

RADIUS Server Authentication Schemes

The RADIUS protocol is supported by letting the Policy Server act as the RADIUS server. A NAS client acts as the RADIUS client. RADIUS Agents let the Policy Server communicate with the NAS client devices. In the RADIUS server authentication scheme, the Policy Server is attached to the protected network.

This scheme accepts user name and password as credentials. Multiple instances of this scheme can be defined. This scheme does not interpret RADIUS attributes that may be returned by the RADIUS server in the authentication response.

For more information on RADIUS Server authentication, see the Policy Server Administration Guide.

RADIUS Server Scheme Prerequisites

Complete the following prerequisites before configuring a RADIUS server authentication scheme:

Configure a RADIUS Server Authentication Scheme

Use a RADIUS Server authentication scheme when you are using the Policy Server as the RADIUS Server and a NAS client as a RADIUS client.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

    Click OK.

  4. Enter a name and a protection level.
  5. Select RADIUS Server Template from the Authentication Scheme Type list.
  6. Enter the RADIUS server IP address, port number, and shared secret in the Scheme Setup section.
  7. Click Submit.

    The authentication scheme is saved. You can assign it to a realm.