From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Tue Aug 26 2008 - 05:26:29 ART
Mark Stephanus Chandra wrote:
> ooh I see,
>
> But in my understanding till now, CHAP authentication should do both ways.
> R1 has to authenticate to R3 and R3 also has to authenticate to R1. That's
> how CHAP works in my understanding.
>
> In your explanation, that means CHAP works like PAP, just one-way
> authentication; the difference is just in password hashing, because in CHAP
> the password uses MD5 and PAP uses clear text.
>
>
It depends on what you understand by "both ways". :)
Just like you said, CHAP auth. is always done through packets sent
by both sides (challenge/response/ack). However, CHAP authentication
(like most of the other types of authentication) can be uni- or
bidirectional. Unidirectional means that only one of the sides will send
a challenge to authenticate the other, bidirectional means they both will.
Basically, in bidirectional authentication, the same exchange of
packets (challenge/response/ack) takes place twice: once from R2 to R1,
and once from R1 to R2. I like to think of the two exchanges separately
(R2 authenticates R1; then R1 authenticates R2), even though they
actually take place at the same time.
Below is a sample debug output of bidirectional authentication. I
did a little copy/pasting in order to show what I mean by "two exchanges" :)

*Mar 1 00:02:28.539: Vi1 CHAP: O CHALLENGE id 2 len 28 from "R2"
*Mar 1 00:02:28.579: Vi1 CHAP: I RESPONSE id 2 len 28 from "R3"
*Mar 1 00:02:28.643: Vi1 CHAP: O SUCCESS id 2 len 4

*Mar 1 00:02:28.543: Vi1 CHAP: I CHALLENGE id 2 len 28 from "R3"
*Mar 1 00:02:28.575: Vi1 CHAP: O RESPONSE id 2 len 28 from "R2"
*Mar 1 00:02:28.619: Vi1 CHAP: I SUCCESS id 2 len 4

--
Bogdan Sass
CCAI,CCNP,CCSP,JNCIA-ER
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
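
The two exchanges described in the message above, as an added example that is not part of the original post: a small Python model of the CHAP challenge/response/success sequence, run once for unidirectional and twice (once per direction) for bidirectional authentication. The response value follows RFC 1994 (MD5 over identifier, secret, challenge); the `Router` class, the function names and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    """Hypothetical CHAP endpoint; `secrets` maps a peer name to the shared secret."""
    def __init__(self, name: str, secrets: dict):
        self.name, self.secrets = name, secrets

    def challenge(self, ident: int) -> dict:
        # A fresh random value per challenge, so an old response cannot be reused.
        return {"code": "CHALLENGE", "id": ident,
                "value": os.urandom(16), "name": self.name}

    def respond(self, chal: dict) -> dict:
        secret = self.secrets.get(chal["name"], b"")
        return {"code": "RESPONSE", "id": chal["id"], "name": self.name,
                "value": chap_response(chal["id"], secret, chal["value"])}

    def verify(self, chal: dict, resp: dict) -> dict:
        secret = self.secrets.get(resp["name"])
        ok = (secret is not None and resp["id"] == chal["id"] and
              hmac.compare_digest(
                  resp["value"],
                  chap_response(chal["id"], secret, chal["value"])))
        return {"code": "SUCCESS" if ok else "FAILURE", "id": chal["id"]}

def one_way(authenticator: Router, peer: Router, ident: int) -> list:
    """Unidirectional: only `authenticator` sends a challenge."""
    chal = authenticator.challenge(ident)
    resp = peer.respond(chal)
    return [chal, resp, authenticator.verify(chal, resp)]

def two_way(a: Router, b: Router, ident: int) -> tuple:
    """Bidirectional: the same three-message exchange, once in each direction."""
    return one_way(a, b, ident), one_way(b, a, ident)

if __name__ == "__main__":
    secret = b"constructed-secret"  # sample value, not from the original post
    r2, r3 = Router("R2", {"R3": secret}), Router("R3", {"R2": secret})
    for exchange in two_way(r2, r3, ident=2):
        for msg in exchange:
            print(msg["code"], "id", msg["id"], "from", msg.get("name", "-"))
        print()
```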