Name
CHAP-Password
Synopsis
Attribute Number | 3 |
Length | 19 |
Value | STRING |
Allowed in | Access-Request |
Prohibited in | Access-Accept, Access-Reject, Access-Challenge |
Presence in Packet | Required, unless User-Password is present |
Maximum Iterations | 1 |
CHAP-Password indicates to the RADIUS client gear that CHAP, instead of PAP, is going to be used for the transaction. Of particular interest regarding CHAP-Password is the structure of the attribute, which is different from most of the other attributes. The CHAP-Password attribute is structured much like the vendor-specific AVP passed within the standard Vendor-Specific attribute, number 26. This abnormal structure is due to the additional data collected in a CHAP transaction that needs to be passed between the two parties. Let’s take a closer look.
The CHAP identifier, a one-octet value that the RADIUS client gear assigned, is placed in the first octet of the attribute’s value field. The response, effectively the CHAP password, completes the rest of the value field.
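The layout just described, as an added example that is not code from the book: it parses the 19-octet attribute into CHAP identifier and response, then checks the response on the server side. It assumes the standard CHAP computation (MD5 over identifier, user secret, and challenge), which this excerpt does not spell out; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # attribute number from the synopsis
CHAP_ATTR_LEN = 19   # type (1) + length (1) + CHAP ident (1) + response (16)


def build_chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Encode the attribute: type, length, CHAP ident, then the response.

    Assumption: response = MD5(ident || secret || challenge), the standard
    CHAP calculation; 'secret' is the user's password, not the RADIUS
    shared secret.
    """
    response = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return bytes([CHAP_PASSWORD, CHAP_ATTR_LEN, ident]) + response


def parse_chap_password(attr: bytes) -> tuple[int, bytes]:
    """Split the attribute into (CHAP ident, response); reject malformed input."""
    if len(attr) != CHAP_ATTR_LEN:
        raise ValueError("CHAP-Password must be exactly 19 octets")
    if attr[0] != CHAP_PASSWORD or attr[1] != CHAP_ATTR_LEN:
        raise ValueError("wrong attribute number or length octet")
    # First octet of the value field is the CHAP ident; the rest is the response.
    return attr[2], attr[3:]


def verify_chap_password(attr: bytes, secret: bytes, challenge: bytes) -> bool:
    """Recompute the expected response and compare in constant time."""
    ident, response = parse_chap_password(attr)
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(expected, response)


# Constructed sample values, not taken from any real exchange.
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_SECRET = b"example-user-password"
SAMPLE_ATTR = build_chap_password(0x2A, SAMPLE_SECRET, SAMPLE_CHALLENGE)

if __name__ == "__main__":
    ident, response = parse_chap_password(SAMPLE_ATTR)
    print(f"ident={ident:#04x} response={response.hex()}")
    print("valid:", verify_chap_password(SAMPLE_ATTR, SAMPLE_SECRET, SAMPLE_CHALLENGE))
```

Because the server has to recompute the hash from the user's secret, it needs that secret in a recoverable form, which is a storage consideration when choosing CHAP over PAP.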
The RADIUS RFC requires that the User-Password and the CHAP-Password attributes be mutually exclusive, but one or the other is required in any transaction at all times.
How does the CHAP-Password attribute affect the RADIUS transaction? The sequence is this: a dial-up client connects to an ISP’s NAS gear, which in turn issues a CHAP ID and sends it back to the client. The client generates a response to this challenge and places the response in the password ...