RE: RE: Amazing but true

From: Jonathan V Hays (jhays@jtan.com)
Date: Fri Feb 28 2003 - 15:00:52 GMT-3


According to "Cisco CCNP Remote Access Exam Certification Guide"
p.108-109:

There are specific steps involved in a CHAP negotiation:

Step 1 Making a call

The inbound call arrives at the PPP configured interface. LCP opens the
CHAP negotiation and the access server initiates a challenge.

Step 2 Conveying the challenge

When the access server sends the challenge, a challenge packet is
constructed. The packet consists of a challenge packet type identifier,
a sequence number for the challenge, a random number (as random as an
algorithm can be), and the authentication name of the called party. The
calling party must process the challenge packet as follows:

(a) The ID value from the challenge packet is fed into the MD5 hash
generator.

(b) The random value is fed into the MD5 hash generator.

(c) The authentication name of the called party is used to look up the
password.

(d) The password is fed into the MD5 hash generator.

The resulting value is the one-way MD5 CHAP challenge that is forwarded
to the called party in response to the challenge. This value is always
128 bits in length.

Step 3 Answering the challenge

Once the reply is hashed and generated, it can be sent back. The
response has a CHAP response packet type identifier, the id from the
challenge packet, the output from the hash, and the authentication name
of the calling party. The response packet is then sent to the called
party.

Step 4 Verifying

The called party processes the response packet as follows:

(a) The ID is used to find the original challenge packet.

(b) The ID is fed into the MD5 hash generator.

(c) The original challenge random number value is fed into the MD5 hash
generator.

(d) The authentication name of the calling party is compared to the
username/password list in the router or in an authentication server.

(e) The password is fed into the MD5 hash generator.

(f) The hash value received in the response packet is compared to the
result of the hash value just generated.

The authentication succeeds only if the hash value received from the
calling party (from Step 2) matches the calculated hash value (from Step
4).

Step 5 Constructing the result

If the values of the hash calculations match, the authentication is
successful and a CHAP success packet is constructed. It contains a CHAP
success message type and the id from the response packet.

If the authentication fails, a CHAP failure packet is constructed. It
contains a CHAP failure message type and the ID from the response
packet. Indication of success or failure is then sent to the calling
party.
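The five steps quoted above, carried through as a complete two-sided exchange in code. This is an added example, not text from the book or from the poster: the packet layout (Code, Identifier, Length, Value-Size, Value, Name) and the hash input order (Identifier, then shared secret, then challenge value) are the ones RFC 1994 specifies; the peer name "branch-rtr", the server name "hq-access-server", the shared secret and the `PEER_SECRETS` table are constructed for the demonstration. The authenticator looks the original challenge up by ID, recomputes the 16-byte MD5 value, compares it in constant time, and returns a Success (Code 3) or Failure (Code 4) packet carrying the response's ID.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

# CHAP packet Code values from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# Constructed sample credential store for the authenticator (the called party).
# On a router this would be the local username list or a AAA server.
PEER_SECRETS = {b"branch-rtr": b"s3cret-shared-key"}


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over ID || secret || challenge (RFC 1994 order); always 16 bytes."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_challenge(ident: int, name: bytes, value: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Step 2, authenticator side: return (challenge_packet, challenge_value)."""
    value = value if value is not None else secrets.token_bytes(16)
    body = bytes([len(value)]) + value + name
    pkt = struct.pack("!BBH", CHALLENGE, ident, 4 + len(body)) + body
    return pkt, value


def parse_value_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    """Parse a Challenge or Response packet into (code, id, value, name)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length field")
    value_size = pkt[4]
    value = pkt[5:5 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated CHAP value")
    return code, ident, value, pkt[5 + value_size:]


def build_response(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """Step 3, calling party: hash ID, secret and challenge, send it back with our name."""
    code, ident, chal_value, _called_name = parse_value_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("not a Challenge packet")
    digest = chap_hash(ident, secret, chal_value)
    body = bytes([len(digest)]) + digest + my_name
    return struct.pack("!BBH", RESPONSE, ident, 4 + len(body)) + body


def verify_response(response_pkt: bytes, outstanding: Dict[int, bytes]) -> bytes:
    """Steps 4 and 5, authenticator: recompute the hash, emit Success or Failure."""
    code, ident, received, peer_name = parse_value_packet(response_pkt)
    if code != RESPONSE:
        raise ValueError("not a Response packet")
    chal_value = outstanding.get(ident)        # (a) find the original challenge by ID
    secret = PEER_SECRETS.get(peer_name)       # (d) look up the calling party's secret
    ok = False
    if chal_value is not None and secret is not None:
        expected = chap_hash(ident, secret, chal_value)   # (b), (c), (e)
        ok = hmac.compare_digest(expected, received)      # (f) constant-time compare
    result_code = SUCCESS if ok else FAILURE
    msg = b"Welcome" if ok else b"Authentication failed"
    return struct.pack("!BBH", result_code, ident, 4 + len(msg)) + msg


def run_exchange(peer_secret: bytes, peer_name: bytes = b"branch-rtr") -> int:
    """Drive one full exchange; return the result Code (3 = success, 4 = failure)."""
    outstanding: Dict[int, bytes] = {}
    ident = 0x2A
    chal_pkt, chal_value = build_challenge(ident, b"hq-access-server")
    outstanding[ident] = chal_value
    resp_pkt = build_response(chal_pkt, peer_name, peer_secret)
    result = verify_response(resp_pkt, outstanding)
    del outstanding[ident]   # a challenge must never be answerable twice
    return result[0]


if __name__ == "__main__":
    print("correct secret ->", run_exchange(b"s3cret-shared-key"))
    print("wrong secret   ->", run_exchange(b"guess"))
```

Two details worth noting when reading the code against the book's steps: the authenticator keys its lookup of the outstanding challenge on the Identifier, so a Response whose ID matches no live challenge fails even if the hash is right, and the challenge is deleted once used, so a captured Response cannot be replayed against a later challenge. The secret is never sent; only the MD5 value travels, which is the whole point of the scheme.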



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3