The Apple Remote Access Protocol (ARAP) carries AppleTalk-based traffic across PPP links and ISDN switched-circuit networks. ARAP is still pervasive in the Apple market, although the company is attempting to transition to an Apple-specific TCP stack for use over a PPP link. Most RADIUS client gear supports ARAP, and RADIUS now supports authentication based on the ARAP protocol.
ARAP authentication typically takes one to two steps, as follows:
The first step is essentially a mutual authentication: an exchange of random numbers signed with a key, which happens to be the user's password. The RADIUS client challenges and authenticates the dial-in client, and the dial-in client challenges and authenticates the RADIUS client. First, the RADIUS client sends random numbers of 32 bits to the dial-in client inside an ARAP packet. Then, the dial-in client uses the user's password to encrypt the two random numbers sent by the RADIUS client with DES. The dial-in client sends the result back in a packet. Finally, the RADIUS client decrypts the message using the password it has on record for the user and verifies that the random numbers are intact. If so, it encrypts the challenge from the dial-in client and sends it back in a
The RADIUS client may initiate a second phase of authentication using optional add-in security modules, which are small pieces of code ...
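The first-phase exchange described above can be traced in code; this is an added example, not code from the original text or from any ARAP implementation. The Python standard library has no DES, so a small HMAC-based Feistel cipher stands in for it, and the function names, round count, and the point at which the dial-in client sends its own challenge are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

ROUNDS = 8  # assumption: belongs to the stand-in cipher, not to ARAP

def _f(key: bytes, i: int, half: bytes) -> bytes:
    """Round function of the stand-in Feistel cipher (HMAC-SHA256, 4 bytes)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(password: bytes, block: bytes) -> bytes:
    """Stand-in for DES: encrypt one 8-byte block keyed by the password."""
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(password, i, right))
    return left + right

def decrypt(password: bytes, block: bytes) -> bytes:
    """Inverse of encrypt(): undo the rounds in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(password, i, left)), left
    return left + right

def new_challenge() -> bytes:
    """Two random 32-bit numbers packed into one 8-byte block."""
    return struct.pack(">II", secrets.randbits(32), secrets.randbits(32))

def verify(password: bytes, challenge: bytes, response: bytes) -> bool:
    """Decrypt the peer's response and check the random numbers are intact."""
    return hmac.compare_digest(decrypt(password, response), challenge)

def first_phase(password_on_record: bytes, password_typed: bytes):
    """Return (RADIUS client accepts user, user accepts RADIUS client)."""
    nas_challenge = new_challenge()          # RADIUS client -> dial-in client
    user_response = encrypt(password_typed, nas_challenge)  # dial-in -> RADIUS
    user_challenge = new_challenge()         # assumption: sent with the response
    if not verify(password_on_record, nas_challenge, user_response):
        return False, False                  # assumption: exchange stops here
    nas_response = encrypt(password_on_record, user_challenge)  # RADIUS -> dial-in
    return True, verify(password_typed, user_challenge, nas_response)

if __name__ == "__main__":  # constructed sample passwords
    print(first_phase(b"constructed-pw", b"constructed-pw"))
    print(first_phase(b"constructed-pw", b"wrong-guess"))
```

Because each side proves knowledge of the password only by transforming the other side's fresh random numbers, the password itself never crosses the link, and a peer that lacks it fails `verify()` in whichever direction it is tested.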