One-way and Two-way PPP CHAP Authentications

Publication Date: 2012-07-27
Issue Description

The challenge packet in one-way CHAP authentication does not contain user_name, but the challenge packet in two-way CHAP authentication does;
that is, both the challenge and response packets in two-way CHAP authentication contain user_name.


Handling Process

In one-way CHAP authentication, the server sends the challenge packet first, and at this point the packet does not contain user_name; when the client answers with a response packet, user_name is contained at the end of the packet. The server looks up the corresponding username and password in local-host or RADIUS according to the user_name carried in the client's response packet; if it is correct, the server returns a success packet.
In two-way CHAP authentication, the server sends a challenge packet with its own user_name (the server acting as a client) at the end, and the subsequent response and success packets are the same as those in one-way CHAP authentication. However, because the authentication is two-way, the server and the client each send a challenge packet to the other at the same time. Note that the user_name in the challenge and response packets sent by the same side is the same.
For results of packet capturing, see the attachment.



Root Cause
On Huawei routers, the username is not case-sensitive in local PAP and CHAP authentication, but the password is.
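The packet layout described under Handling Process and the lookup behaviour under Root Cause can be reproduced with the following added example, which is not taken from the original article or from Huawei code. It assumes the standard CHAP packet format and MD5 algorithm from RFC 1994; the user table, names, secret and challenge value are constructed, and lowercasing the name is only one way to model the case-insensitive username match.

```python
import hashlib, hmac, struct

CHALLENGE, RESPONSE = 1, 2

def build(code, ident, value, name=b""):
    """Encode a CHAP Challenge or Response: header, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Decode a Challenge/Response; Name is whatever follows Value."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (CHALLENGE, RESPONSE) or not 5 <= length <= len(pkt):
        raise ValueError("bad Code or Length field")
    vsize = pkt[4]
    if 5 + vsize > length:
        raise ValueError("Value-Size exceeds packet Length")
    return {"code": code, "id": ident, "value": pkt[5:5 + vsize],
            "name": pkt[5 + vsize:length]}  # empty in a one-way challenge

def chap_md5(ident, secret, challenge):
    """RFC 1994 MD5 response: hash of Identifier, secret, challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def respond(challenge_pkt, name, secret):
    """Client side: answer a challenge, appending user_name at the end."""
    c = parse(challenge_pkt)
    return build(RESPONSE, c["id"], chap_md5(c["id"], secret, c["value"]), name)

def verify(users, challenge_pkt, response_pkt):
    """Server side: look up the Name carried in the Response, check the hash."""
    ch, rs = parse(challenge_pkt), parse(response_pkt)
    if ch["code"] != CHALLENGE or rs["code"] != RESPONSE or ch["id"] != rs["id"]:
        return False
    # Assumption: username matched case-insensitively, password bytes used as-is
    secret = users.get(rs["name"].decode("ascii", "replace").lower())
    if secret is None:
        return False
    return hmac.compare_digest(chap_md5(ch["id"], secret, ch["value"]), rs["value"])

# Constructed sample data (not from the article's packet capture)
USERS = {"branch1": b"S3cret"}
NONCE = bytes(range(16))
ONE_WAY = build(CHALLENGE, 7, NONCE)                # no user_name
TWO_WAY = build(CHALLENGE, 7, NONCE, b"HQ-Router")  # user_name at the end
```

With this data, a response carrying the name BRANCH1 and the correct secret verifies, while the name branch1 with the secret in the wrong case does not.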