CHAP in Action Verification

© 2004 Cisco Systems, Inc. All rights re

This figure shows the response packet processing that occurs on the challenger. The CHAP response packet is processed in the following manner:

1. The "id" value is used to find the original challenge packet.

2. The "id" value is fed into the MD5 hash generator.

3. The original challenge "random" value is fed into the MD5 hash generator.

4. The name "RouterB", which can be used to identify this session, is used to look up the password from the local database, TACACS server, or RADIUS server.

5. The password is fed into the MD5 hash generator.

6. The hash value received in the response packet is then compared to the calculated MD5 hash value.

CHAP authentication succeeds if the calculated and the received hash values are equal.

CHAP in Action—Result

The figure illustrates the success message being sent to the calling router.

If authentication is successful, a CHAP success packet is built from the following components:

■ "id" = number copied from the response packet

■ "Welcome in" is simply a text message of some kind, meant to be a user-readable explanation

If authentication fails, a CHAP failure packet is built from the following components:

■ "id" = number copied from the response packet

■ "Authentication failure" or some such text message, meant to be a user-readable explanation

The success or failure packet is then sent to the caller.
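
The verification steps and the success or failure packet described above, as an added Python example that is not part of the original course material. The packet layout, code values, and the order of the MD5 input (id, then password, then challenge) follow RFC 1994; the `SECRETS` table, its password, and all function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 2, 3, 4   # RFC 1994 code values

SECRETS = {b"RouterB": b"constructed-secret"}   # constructed local database
outstanding = {}                                # id -> challenge "random" value

def new_challenge(ident):
    """Remember the random value sent in the challenge with this id."""
    outstanding[ident] = os.urandom(16)
    return outstanding[ident]

def chap_hash(ident, secret, challenge):
    # RFC 1994 order of the MD5 input: id, then password, then challenge.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_response(ident, name, secret, challenge):
    """Caller side, included only to produce sample input."""
    value = chap_hash(ident, secret, challenge)
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(data)) + data

def process_response(packet):
    """Challenger side: verify a response, return the success or failure packet."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    received, name = packet[5:5 + size], packet[5 + size:length]
    # Step 1: find the original challenge by id; pop() makes it single-use,
    # so a captured response cannot be replayed against the same challenge.
    challenge = outstanding.pop(ident, None)
    # Step 4: look up the password by the name carried in the response.
    secret = SECRETS.get(name)
    ok = False
    if code == CHAP_RESPONSE and challenge is not None and secret is not None:
        # Steps 2, 3, 5, 6: hash id, random and password, then compare
        # in constant time with the hash received in the response.
        ok = hmac.compare_digest(chap_hash(ident, secret, challenge), received)
    msg = b"Welcome in" if ok else b"Authentication failure"
    reply = CHAP_SUCCESS if ok else CHAP_FAILURE
    # The "id" in the result packet is copied from the response packet.
    return struct.pack("!BBH", reply, ident, 4 + len(msg)) + msg
```

An unknown id, an unknown name, and a wrong hash all produce the same failure packet, so the reply does not reveal which check failed.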
