CHAP Overview
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following steps establish a user's identity:
- After the link between the user's machine and the authenticating server is made, the server sends a challenge message to the connection requester. The requester responds with a value obtained by using a one-way hash function.
- The server checks the response by comparing it against its own calculation of the expected hash value.
- If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP.
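The exchange described above, as an added example that is not code from the Policy Server or its documentation. It assumes the MD5 algorithm defined for CHAP in RFC 1994 (the page only says "one-way hash function"); the class, function, and user names are hypothetical, and the shared secret is a constructed sample value.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Requester side: MD5 over Identifier octet || shared secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and checks responses (hypothetical class)."""

    def __init__(self, secrets):
        self._secrets = secrets   # user name -> shared secret (bytes)
        self._pending = {}        # identifier -> outstanding challenge
        self._next_id = 0

    def new_challenge(self):
        # Every challenge gets a fresh identifier and fresh random bytes.
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        self._pending[identifier] = os.urandom(16)
        return identifier, self._pending[identifier]

    def verify(self, name, identifier, response):
        # A challenge is single-use: pop it whether or not the check succeeds.
        challenge = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-shared-secret"   # constructed sample value
    server = Authenticator({"alice": secret})
    ident, chal = server.new_challenge()
    captured = chap_response(ident, secret, chal)
    accepted = server.verify("alice", ident, captured)
    # Re-authentication: the response captured above is stale for the new challenge.
    ident2, _ = server.new_challenge()
    replay_rejected = not server.verify("alice", ident2, captured)
    ident3, chal3 = server.new_challenge()
    wrong = chap_response(ident3, b"not-the-secret", chal3)
    wrong_secret_rejected = not server.verify("alice", ident3, wrong)
    return accepted, replay_rejected, wrong_secret_rejected
```

Calling demo() returns three flags: the correct response is accepted, a replay of that response against a later challenge is rejected, and a response computed with the wrong secret is rejected.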