108 Chapter 5: Configuring PPP and Controlling Network Access
There are specific steps involved in a CHAP negotiation:
Step 1  Making a call--The inbound call arrives at the PPP configured interface. LCP opens the CHAP negotiation and the access server initiates a challenge.
Step 2  Conveying the challenge--When the access server sends the challenge, a challenge packet is constructed. The packet consists of a challenge packet type identifier, a sequence number (ID) for the challenge, a random number (as random as an algorithm can be), and the authentication name of the called party.
The calling party must process the challenge packet as follows:
(a) The ID value from the challenge packet is fed into the MD5 hash generator.
(b) The random value is fed into the MD5 hash generator.
(c) The authentication name of the called party is used to look up the password.
(d) The password is fed into the MD5 hash generator.
The resulting value is the one-way MD5 hash that the calling party sends back to the called party as its reply to the challenge. This value is always 128 bits in length.
Step 3  Answering the challenge--Once the reply is hashed and generated, it can be sent back. The response has a CHAP response packet type identifier, the ID from the challenge packet, the output from the hash, and the authentication name of the calling party. The response packet is then sent to the called party.
Step 4  Verifying--The called party processes the response packet as follows:
(a) The ID is used to find the original challenge packet.
(b) The ID is fed into the MD5 hash generator.
(c) The original challenge random number value is fed into the MD5 hash generator.
(d) The authentication name of the calling party is compared to the username/password list in the router or in an authentication server.
(e) The password is fed into the MD5 hash generator.
(f) The hash value received in the response packet is compared to the result of the hash value just generated.
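The four steps above, carried through as an added worked example (it is not code from the book or from any router vendor): one side plays the access server (called party) that builds the challenge packet and verifies the response, the other plays the calling party that looks up the shared secret by the called party's name and hashes the reply. Packet layout (Code, Identifier, Length, Value-Size, Value, Name) and the order of the MD5 input (Identifier, then secret, then challenge value) follow RFC 1994, which is the standard the chapter's procedure describes. The peer names, secrets and the fixed challenge value in the test run are constructed values, and the `AccessServer`/`Peer` classes and `run_exchange` helper are this example's own. Beyond the chapter's text, the verifier keeps each challenge ID for one use only, so a replayed response fails at step 4(a), and it compares the two hashes in constant time.

```python
"""Worked CHAP (RFC 1994) challenge/response exchange using MD5.

Constructed example for this chapter, not the book's or a vendor's code.
Names and secrets below are constructed test values, not real credentials.
"""
import hashlib
import hmac
import os
import struct

# CHAP packet Code values (RFC 1994)
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2
CHAP_SUCCESS = 3
CHAP_FAILURE = 4


def build_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Encode a Challenge or Response packet:
    Code(1) | Identifier(1) | Length(2) | Value-Size(1) | Value | Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name


def parse_packet(pkt: bytes) -> dict:
    """Decode a Challenge/Response packet, checking both length fields."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > len(pkt):
        raise ValueError("CHAP length fields do not match packet size")
    return {"code": code, "ident": ident,
            "value": pkt[5:5 + value_size], "name": pkt[5 + value_size:length]}


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || challenge value (RFC 1994 order).
    The digest is always 16 bytes (128 bits)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AccessServer:
    """The called party: issues challenges (step 2) and verifies (step 4)."""

    def __init__(self, name: bytes, secrets: dict):
        self.name = name
        self.secrets = secrets      # calling-party name -> shared secret (4d)
        self.outstanding = {}       # ident -> challenge value (4a)
        self.next_ident = 0

    def make_challenge(self) -> bytes:
        ident = self.next_ident
        self.next_ident = (self.next_ident + 1) % 256
        value = os.urandom(16)                      # the random number
        self.outstanding[ident] = value
        return build_packet(CHAP_CHALLENGE, ident, value, self.name)

    def verify(self, response_pkt: bytes) -> int:
        resp = parse_packet(response_pkt)
        if resp["code"] != CHAP_RESPONSE:
            return CHAP_FAILURE
        challenge = self.outstanding.pop(resp["ident"], None)  # one-time use
        secret = self.secrets.get(resp["name"])
        if challenge is None or secret is None:
            return CHAP_FAILURE
        expected = chap_hash(resp["ident"], secret, challenge)   # 4b, 4c, 4e
        # 4f: constant-time comparison of received vs. recomputed hash
        return CHAP_SUCCESS if hmac.compare_digest(expected, resp["value"]) else CHAP_FAILURE


class Peer:
    """The calling party: answers the challenge (steps 2a-2d and 3)."""

    def __init__(self, name: bytes, secrets: dict):
        self.name = name
        self.secrets = secrets      # called-party name -> shared secret (2c)

    def respond(self, challenge_pkt: bytes) -> bytes:
        ch = parse_packet(challenge_pkt)
        if ch["code"] != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        secret = self.secrets[ch["name"]]           # look up by called party's name
        digest = chap_hash(ch["ident"], secret, ch["value"])
        return build_packet(CHAP_RESPONSE, ch["ident"], digest, self.name)


def run_exchange(peer_secret: bytes, server_secret: bytes, replay: bool = False) -> list:
    """Drive one authentication with constructed names; return the verdict(s)."""
    server = AccessServer(b"access-server", {b"remote-router": server_secret})
    peer = Peer(b"remote-router", {b"access-server": peer_secret})
    response = peer.respond(server.make_challenge())
    results = [server.verify(response)]
    if replay:
        results.append(server.verify(response))     # same response sent again
    return results


if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret"))               # [3]: Success
    print(run_exchange(b"s3cret", b"wrong"))                # [4]: Failure, secrets differ
    print(run_exchange(b"s3cret", b"s3cret", replay=True))  # [3, 4]: replay rejected
```

Running the script shows the three outcomes a practitioner cares about: matching secrets succeed, a mismatched secret on either end fails at step 4(f) without the secret ever crossing the link, and a captured response replayed against the same server fails because its challenge ID has already been consumed. The random challenge value is what makes that last property hold; an implementation that reuses challenge values loses it.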