

RADIUS CHAP/PAP Authentication Schemes

The RADIUS protocol can be used to implement CHAP or PAP based authentication.

PAP Overview

The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake. PAP performs this exchange only when the link to the authenticating server is first established. With this scheme, the user's machine repeatedly sends an ID/password pair to the authenticating server until authentication is acknowledged or the connection is terminated. The password crosses the link in clear text, so PAP is not a strong authentication method: it offers no protection against eavesdropping, replay, or repeated trial-and-error attempts.

This authentication method is most appropriately used where a plain text password must be available to simulate a login at a remote host. In such use, PAP provides a level of security similar to the usual user login at that remote host.

CHAP Overview

CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following takes place in order to establish a user's identity:

  1. After the link between the user's machine and the authenticating server is made, the server sends a challenge message to the connection requester. The requester responds with a value obtained by running a one-way hash function (MD5 in standard CHAP) over the challenge identifier, the shared secret (the user's password) and the challenge value.
  2. The server checks the response by comparing it against its own calculation of the expected hash value, which it can only do because it also holds the clear text secret.
  3. If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.

At any time after the initial exchange, the server can send a new challenge and require the connected party to respond to it. Because the identifier and challenge value change with every challenge, a captured response cannot be replayed, and because the server can re-authenticate the party at any time, CHAP provides more security than PAP. The password itself never crosses the link, but both ends must store it in a form from which the hash can be recomputed.

RADIUS CHAP/PAP Scheme Overview

The RADIUS CHAP/PAP scheme authenticates a user by computing the expected CHAP response from the user's password and comparing it to the CHAP-Password value carried in the RADIUS Access-Request packet. The expected response is a digest of the CHAP identifier, the user's clear text password and the challenge (the CHAP-Challenge attribute, or the packet's Request Authenticator if that attribute is absent); the password is read from the directory attribute that you specify when you configure the RADIUS CHAP/PAP authentication scheme. For PAP requests, the password recovered from the User-Password attribute is compared directly with that stored value. Because the digest must be recomputed from the clear text password, the attribute must hold the password itself rather than a one-way hash of it, so restrict read access to that attribute in the directory accordingly.
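The check described in the CHAP Overview above and its RADIUS encapsulation described here, written out as an added Python example. This is not CA SiteMinder code and uses none of its APIs; the packet layout follows RFC 2865 (User-Password hiding, CHAP-Password and CHAP-Challenge attributes) and RFC 1994 (the CHAP hash). The shared secret, the user alice, her password and the DIRECTORY dictionary that stands in for the clear text password attribute are all constructed for the example.

```python
"""RADIUS PAP and CHAP credential checks (RFC 2865 sections 5.2 and 5.3, RFC 1994 section 4.1).
Constructed example data: the shared secret, the user and the password are made up, and
DIRECTORY stands in for the directory attribute that holds the clear text password."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"radius-shared-secret"           # shared by NAS and RADIUS server (constructed)
DIRECTORY = {"alice": b"correct horse battery"}   # clear text password attribute (constructed)

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 2, 3, 60


def encode_attrs(attrs):
    """Type(1) Length(1) Value encoding; Length counts the two header octets."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])   # struct.error if truncated
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def pap_hide(password, authenticator, secret):
    """RFC 2865 5.2: pad to 16-octet blocks; XOR block i with MD5(secret + previous ciphertext block),
    using the Request Authenticator in place of the previous block for the first one."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_reveal(hidden, authenticator, secret):
    """Inverse of pap_hide; a wrong shared secret yields garbage, not an error."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge), the secret being the user's password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def make_pap_request(user, password, secret, identifier=1):
    """NAS side: hide the clear text password under the shared secret and a fresh Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = [(ATTR_USER_NAME, user.encode()), (ATTR_USER_PASSWORD, pap_hide(password, authenticator, secret))]
    return build_access_request(identifier, authenticator, attrs)

def make_chap_request(user, password, chap_id, challenge, identifier=2):
    """NAS side: forward the peer's CHAP response together with the challenge it answered."""
    response = bytes([chap_id]) + chap_response(chap_id, password, challenge)
    attrs = [(ATTR_USER_NAME, user.encode()), (ATTR_CHAP_PASSWORD, response), (ATTR_CHAP_CHALLENGE, challenge)]
    return build_access_request(identifier, os.urandom(16), attrs)

def verify_access_request(packet, secret, directory):
    """Server side. Returns (user, authenticated); raises ValueError on a malformed packet."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    if ATTR_USER_NAME not in attrs:
        raise ValueError("User-Name attribute missing")
    user = attrs[ATTR_USER_NAME].decode()
    stored = directory.get(user)                   # the clear text password attribute
    if stored is None:
        return user, False                         # unknown user looks the same as a bad password
    if ATTR_CHAP_PASSWORD in attrs:
        chap = attrs[ATTR_CHAP_PASSWORD]
        if len(chap) != 17:
            raise ValueError("CHAP-Password is one identifier octet plus a 16-octet response")
        # The challenge is the CHAP-Challenge attribute; without it, the Request Authenticator is the challenge.
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, authenticator)
        return user, hmac.compare_digest(chap_response(chap[0], stored, challenge), chap[1:])
    if ATTR_USER_PASSWORD in attrs:
        return user, hmac.compare_digest(pap_reveal(attrs[ATTR_USER_PASSWORD], authenticator, secret), stored)
    raise ValueError("Access-Request carries neither User-Password nor CHAP-Password")
```

Two points the code makes concrete: for CHAP the server never sees the password on the wire but must be able to read it in clear text from the directory (the DIRECTORY lookup), and a CHAP response captured for one challenge fails against any other challenge, whereas a PAP User-Password is protected only by the shared secret and the Request Authenticator. Both comparisons use a constant-time compare so the verifier does not leak how many digest bytes matched.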

RADIUS CHAP/PAP Scheme Prerequisites

Be sure that the following prerequisites are met before configuring a RADIUS CHAP/PAP authentication scheme:

Configure a RADIUS CHAP/PAP Authentication Scheme

You can use a RADIUS CHAP/PAP authentication scheme when you are using the RADIUS protocol.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and protection level.
  6. Select RADIUS CHAP/PAP Template from the Authentication Scheme Type list.

    Scheme-specific settings appear.

  7. In the Scheme Setup section, specify the directory attribute that holds the user's clear text password.
  8. Click Submit.

    The authentication scheme is saved and may be assigned to a realm.

RADIUS Server Authentication Schemes

CA SiteMinder® supports the RADIUS protocol by using the Policy Server as the RADIUS server and a NAS (Network Access Server) client as the RADIUS client. RADIUS Agents allow the Policy Server to communicate with the NAS client devices. In the RADIUS Server authentication scheme, the Policy Server acts as a RADIUS server attached to the CA SiteMinder® protected network.

This scheme accepts a user name and password as credentials. Multiple instances of this scheme can be defined. This scheme does not interpret RADIUS attributes that may be returned by the RADIUS server in the authentication response.
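How the NAS client can tell that an Access-Accept really came from the Policy Server acting as RADIUS server, as an added Python example that is not part of the original page and not CA SiteMinder code. It builds the Response Authenticator that RFC 2865 section 3 puts on Access-Accept and Access-Reject and applies the check the NAS performs before trusting the reply; the shared secret and the request authenticator are constructed values.

```python
"""Response Authenticator on Access-Accept / Access-Reject (RFC 2865 section 3).
Constructed example: SHARED_SECRET is made up; it stands for the secret the NAS and the RADIUS server share."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE = 18
SHARED_SECRET = b"radius-shared-secret"   # constructed

def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): binds the reply to one request and one secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_response(code, identifier, request_authenticator, secret, message=b""):
    """Server side: answer a specific Access-Request (identified by its ID and Request Authenticator)."""
    attrs = struct.pack("!BB", ATTR_REPLY_MESSAGE, len(message) + 2) + message if message else b""
    auth = response_authenticator(code, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def check_response(packet, expected_identifier, request_authenticator, secret):
    """NAS side. Returns "accept", "reject" or "discard"; RFC 2865 requires replies whose
    Response Authenticator does not verify to be silently discarded, never treated as a reject."""
    if len(packet) < 20:
        return "discard"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_identifier:
        return "discard"                        # not a reply to the request we have outstanding
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "discard"                        # forged, tampered or replayed reply, or wrong shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard")
```

The authenticator covers the code octet, so an attacker who can inject packets but lacks the shared secret cannot turn a genuine Access-Reject into an Access-Accept, and because it also covers the Request Authenticator a captured Access-Accept cannot be replayed against a later request. Everything therefore rests on the secret staying secret and unguessable.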

For more information on RADIUS Server authentication with CA SiteMinder®, see the material on using the Policy Server as a RADIUS server in the Policy Server Administration guide.

RADIUS Server Scheme Prerequisites

Be sure that the following prerequisites are met before configuring a RADIUS Server authentication scheme:

Configure a RADIUS Server Authentication Scheme

You can use a RADIUS Server authentication scheme when you are using the Policy Server as the RADIUS Server and a NAS client as a RADIUS client.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and a protection level.
  6. Select RADIUS Server Template from the Authentication Scheme Type list.

    Scheme-specific settings appear.

  7. Enter the RADIUS server IP address, port number, and shared secret in Scheme Setup. The shared secret keys the User-Password hiding and the request and response authenticators exchanged between the NAS client and the RADIUS server, so use a long, random value (RFC 2865 recommends at least 16 octets) and give each NAS client its own secret rather than reusing one.
  8. Click Submit.

    The authentication scheme is saved and may be assigned to a realm.