The RADIUS protocol can be used to implement CHAP or PAP based authentication.
The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a 2-way handshake. PAP only executes this process during the initial link to the authenticating server. With this scheme, an ID/password pair is repeatedly sent by the user’s machine to the authenticating server until authentication is acknowledged or the connection is terminated.
This authentication method is most appropriately used where a plain text password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following takes place in order to establish a user’s identity:
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP.
The RADIUS CHAP/PAP scheme authenticates users by computing the digest of a user’s password, and then comparing it to the CHAP password in the RADIUS packet. The digest consists of the user’s hashed password, which is calculated using a directory attribute specified during the configuration of the RADIUS CHAP/PAP authentication scheme.
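The two mechanisms described above (PAP's need for a clear-text password on the server, and CHAP's digest-and-compare check) can be seen in the standard RADIUS attribute handling. The following is an added example written for this page, not CA SiteMinder code: it implements the RFC 2865 User-Password hiding used by PAP and the RFC 1994/RFC 2865 CHAP-Password check (MD5 over the CHAP Identifier, the password and the challenge). The shared secret, stored password and Request Authenticator are constructed sample values, and the stored password stands in for whatever directory attribute the scheme is configured to use.

```python
import hashlib
import secrets

# Constructed sample values (not from the page): the NAS/RADIUS shared secret,
# the password held on the server side, and a 16-byte Request Authenticator.
SHARED_SECRET = b"example-shared-secret"
STORED_PASSWORD = b"correct horse battery"
REQUEST_AUTHENTICATOR = bytes(range(16))


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as done by the NAS.
    The password is NUL-padded to a multiple of 16 octets and XORed block by
    block with MD5(secret + authenticator) for the first block and
    MD5(secret + previous hidden block) for each following block."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password on the server. The server ends up with the
    clear-text password, which is why PAP needs a comparable clear-text value
    (the "simulate a login at a remote host" case). Trailing NUL padding is
    stripped, so passwords ending in NUL are not representable here."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response computed by the client:
    MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(chap_password_attr: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check (RFC 2865 section 5.3). The CHAP-Password attribute
    value is one octet of CHAP Identifier followed by the 16-octet response.
    The server recomputes the digest from its stored password and compares
    in constant time; the password itself never crosses the wire."""
    if len(chap_password_attr) != 17:
        return False
    identifier = chap_password_attr[0]
    response = chap_password_attr[1:]
    expected = chap_response(identifier, stored_password, challenge)
    return secrets.compare_digest(expected, response)


def build_chap_password_attr(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """What a NAS places in the CHAP-Password attribute for a given challenge."""
    return bytes([identifier]) + chap_response(identifier, password, challenge)


if __name__ == "__main__":
    hidden = pap_hide_password(STORED_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("PAP recovered:", pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    challenge = secrets.token_bytes(16)
    attr = build_chap_password_attr(7, STORED_PASSWORD, challenge)
    print("CHAP ok:", chap_verify(attr, challenge, STORED_PASSWORD))
    # A response captured for one challenge is useless against a fresh one,
    # which is the property behind the server re-challenging at any time.
    print("CHAP replay vs new challenge:", chap_verify(attr, secrets.token_bytes(16), STORED_PASSWORD))
```

The last check in the driver illustrates the point made about CHAP re-challenging: because the digest binds the Identifier and the server-chosen challenge, a response recorded for one challenge does not verify against the next one, whereas a PAP server must be able to recover the clear-text password from every request.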
Be sure that the following prerequisites are met before configuring a RADIUS CHAP/PAP authentication scheme:
You can use a RADIUS CHAP/PAP authentication scheme when you are using the RADIUS protocol.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
The Authentication Schemes page appears.
Verify that the Create a new object of type Authentication Scheme is selected.
The Create Authentication Scheme page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Scheme-specific settings appear.
The authentication scheme is saved and may be assigned to a realm.
CA SiteMinder® supports the RADIUS protocol by using the Policy Server as the RADIUS server and a NAS client as the RADIUS client. RADIUS Agents allow the Policy Server to communicate with the NAS client devices. In the RADIUS Server authentication scheme, the Policy Server acts as a RADIUS server attached to the CA SiteMinder® protected network.
This scheme accepts user name and password as credentials. Multiple instances of this scheme can be defined. This scheme does not interpret RADIUS attributes that may be returned by the RADIUS server in the authentication response.
For more information on RADIUS Server authentication with CA SiteMinder®, see the material on using the Policy Server as a RADIUS server in the Policy Server Administration guide.
Be sure that the following prerequisites are met before configuring a RADIUS Server authentication scheme:
You can use a RADIUS Server authentication scheme when you are using the Policy Server as the RADIUS Server and a NAS client as a RADIUS client.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
The Authentication Schemes page appears.
Verify that the Create a new object of type Authentication Scheme is selected.
The Create Authentication Scheme page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Scheme-specific settings appear.
The authentication scheme is saved and may be assigned to a realm.
Copyright © 2013 CA.
All rights reserved.