• peapMSCHAPV2


    Peer                   RADIUS
    ----                   -------------
                           <- EAP-Request/Identity
    EAP-Response/
    Identity (MyID) ->
                           <- EAP-Request/
                              EAP-Type=EAP MS-CHAP-V2
                              (Challenge[16])
    EAP-Response/
    EAP-Type=EAP-MS-CHAP-V2
    (Response)->
       16 octets: Peer-Challenge
       8 octets: Reserved, must be zero
       24 octets: NT-Response
       1 octet : Flags
                           <- EAP-Request/
                              EAP-Type=EAP-MS-CHAP-V2
                              (Success)
                              "S=<auth_string> M=<message>"

     

    <auth_string> is the AuthenticatorResponse produced by:

    GenerateAuthenticatorResponse( Password, NTResponse, PeerChallenge,
                                   AuthenticatorChallenge, UserName,
                                   AuthenticatorResponse );

    GenerateAuthenticatorResponse()

     

       GenerateAuthenticatorResponse(
       IN  0-to-256-unicode-char Password,
       IN  24-octet              NT-Response,
       IN  16-octet              PeerChallenge,
       IN  16-octet              AuthenticatorChallenge,
       IN  0-to-256-char         UserName,
       OUT 42-octet              AuthenticatorResponse )
       {
          16-octet              PasswordHash
          16-octet              PasswordHashHash
          8-octet               Challenge

          /*
           * "Magic" constants used in response generation
           */

          Magic1[39] =
             {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
              0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
              0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
              0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};

          Magic2[41] =
             {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
              0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
              0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
              0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
              0x6E};

          /*
           * Hash the password with MD4
           */

          NtPasswordHash( Password, giving PasswordHash )

          /*
           * Now hash the hash
           */

          HashNtPasswordHash( PasswordHash, giving PasswordHashHash)

          SHAInit(Context)
          SHAUpdate(Context, PasswordHashHash, 16)
          SHAUpdate(Context, NTResponse, 24)
          SHAUpdate(Context, Magic1, 39)
          SHAFinal(Context, Digest)

          ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                         giving Challenge)

          SHAInit(Context)
          SHAUpdate(Context, Digest, 20)
          SHAUpdate(Context, Challenge, 8)
          SHAUpdate(Context, Magic2, 41)
          SHAFinal(Context, Digest)

          /*
           * Encode the value of 'Digest' as "S=" followed by
           * 40 ASCII hexadecimal digits and return it in
           * AuthenticatorResponse.
           * For example,
           *   "S=0123456789ABCDEF0123456789ABCDEF01234567"
           */

       }

     

    EAP-Response/
    EAP-Type=EAP-MS-CHAP-V2
    (Success) ->
                           <- EAP-Success

     

     

     

     

     

    In the case where the EAP MS-CHAP-V2 authentication is unsuccessful, due
    to a retryable error, the conversation will appear as follows (assuming
    a maximum of two retries):

     

     

    Peer                   Authenticator
    ----                   -------------
                           <- EAP-Request/Identity
    EAP-Response/
    Identity (MyID) ->
                           <- EAP-Request/
                              EAP-Type=EAP MS-CHAP-V2
                              (Challenge)
    EAP-Response/
    EAP-Type=EAP-MS-CHAP-V2
    (Response)->
                           <- EAP-Request/
                              EAP-Type=EAP-MS-CHAP-V2
                              (Failure, R=1)
    EAP-Response/
    EAP-Type=EAP-MS-CHAP-V2
    (Response) ->
                           <- EAP-Request/
                              EAP-Type=EAP-MS-CHAP-V2
                              (Failure, R=1)

     

  • Original article: https://www.cnblogs.com/ahuo/p/1766893.html