The RADIUS protocol can be used to implement CHAP- or PAP-based authentication.
The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a 2-way handshake. PAP executes this process only during the initial link to the authenticating server. With this scheme, an ID/password pair is repeatedly sent by the user’s machine to the authenticating server until authentication is acknowledged or the connection is terminated.
This authentication method is most appropriately used where a plain text password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following takes place in order to establish a user’s identity:
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP.
The RADIUS CHAP/PAP scheme authenticates users by computing the digest of a user’s password, and then comparing it to the CHAP password in the RADIUS packet. The digest consists of the user’s hashed password, which is calculated using a directory attribute specified during the configuration of the RADIUS CHAP/PAP authentication scheme.
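The comparison described above, sketched as an added example (not code from the original page or from the product): it follows the RFC 2865 layout, where CHAP-Password carries a 1-byte CHAP identifier plus a 16-byte MD5 response and the challenge comes from CHAP-Challenge or, if that attribute is absent, from the Request Authenticator. `DIRECTORY`, `build_request` and the sample user are constructed for the demonstration, and the directory attribute is assumed to yield the password bytes the MD5 is computed over.

```python
import hashlib
import hmac
import struct

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60  # RFC 2865 attribute types
DIRECTORY = {"alice": b"correct horse"}  # constructed; stands in for the directory attribute

def parse_access_request(packet: bytes):
    """Return (request_authenticator, {attr_type: value}) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return packet[4:20], attrs

def verify_chap(packet: bytes, directory: dict) -> bool:
    """Recompute the CHAP digest from the stored password and compare it."""
    authenticator, attrs = parse_access_request(packet)
    chap = attrs.get(CHAP_PASSWORD, b"")
    if len(chap) != 17:  # 1-byte CHAP identifier + 16-byte MD5 response
        return False
    password = directory.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    if password is None:
        return False
    # Challenge is the CHAP-Challenge attribute, else the Request Authenticator.
    challenge = attrs.get(CHAP_CHALLENGE, authenticator)
    expected = hashlib.md5(chap[:1] + password + challenge).digest()
    return hmac.compare_digest(expected, chap[1:])  # constant-time comparison

def build_request(user: bytes, password: bytes, chap_id: int, challenge: bytes, send_attr: bool) -> bytes:
    """Constructed client side: build a sample Access-Request for the demo."""
    response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([CHAP_PASSWORD, 19, chap_id]) + response
    if send_attr:
        attrs += bytes([CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    authenticator = bytes(16) if send_attr else challenge  # fallback needs 16 bytes
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    req = build_request(b"alice", b"correct horse", 0x2A, bytes(range(16)), True)
    print(verify_chap(req, DIRECTORY))
```

Because the digest is taken over the password itself, the value read from the directory must be the same byte string the client hashed; a directory attribute that stores only a one-way hash of the password cannot be used to reproduce the CHAP response.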
Be sure that the following prerequisites are met before configuring a RADIUS CHAP/PAP authentication scheme:
Copyright © 2012 CA.
All rights reserved.