RADIUS CHAP PAP Authentication Schemes

A digest authentication scheme reads an encrypted user attribute string that is stored in a directory. The scheme then compares the string to the encrypted string it receives from the user. If the encrypted strings match, the Policy Server authenticates the user. The comparison of the encrypted strings occurs without using an encrypted transmission.
The following digest authentication schemes are available:
  • RADIUS CHAP
  • RADIUS PAP
PAP Overview
The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake. PAP executes this process only during the initial link to the authenticating server. The user machine repeatedly sends an ID/password pair to the authenticating server until authentication is acknowledged or the connection is terminated.
Use PAP authentication where a plain text password must be available to simulate a login at a remote host. This method provides a similar level of security to the usual user login at the remote host.
CHAP Overview
CHAP (Challenge-Handshake Authentication Protocol) is a more secure authentication scheme than PAP. In a CHAP scheme, the following process establishes a user identity:
  1. After the link between the user machine and the authenticating server is established, the server sends a challenge message to the connection requester. The requester responds with a value obtained by applying a one-way hash function to the challenge.
  2. The server checks the response by comparing it against its own calculation of the expected hash value.
  3. If the values match, the authentication is acknowledged; otherwise the connection is terminated.
At any time, the server can request the connected party to send a new challenge message. CHAP identifiers are changed frequently and the server can make an authentication request at any time. CHAP provides more security than PAP.
RADIUS CHAP PAP Scheme Overview
The RADIUS CHAP/PAP scheme authenticates users by computing the digest of a user password. The Policy Server then compares the digest to the CHAP password in the RADIUS packet. The digest consists of the hashed password, which is calculated using a directory attribute. This attribute is specified during the configuration of the RADIUS CHAP/PAP authentication scheme.
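The following is an added example, not SiteMinder code, of the digest comparison the CHAP process and the scheme overview describe: the server recomputes MD5(Identifier || password || Challenge) per RFC 1994 from the clear-text password read from the directory and compares it with the CHAP-Password attribute from the RADIUS packet; the PAP half shows the RFC 2865 User-Password hiding that the same clear-text password lets the server reverse. All challenge, authenticator, secret and password values are constructed samples.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): the 16-byte CHAP-Challenge / Request
# Authenticator sent by the NAS, the RADIUS shared secret, and the directory password.
CHALLENGE = bytes(range(16))
AUTHENTICATOR = bytes(range(16, 32))
SHARED_SECRET = b"radius-shared-secret"
STORED_PASSWORD = b"s3cret-from-directory"  # clear-text password from the directory attribute

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the digest from the stored clear-text password and compare it
    with the RADIUS CHAP-Password value (1-byte CHAP Ident followed by the 16-byte response)."""
    if len(chap_password) != 17 or not challenge:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes (at least 16), then XOR each
    block with MD5(secret || previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo pap_hide and strip the NUL padding to obtain the clear-text password
    (a password that itself ends in NUL bytes cannot be distinguished from padding)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def verify_pap(hidden: bytes, stored_password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """Server side: recover the User-Password value and compare it with the directory password."""
    return hmac.compare_digest(pap_recover(hidden, secret, authenticator), stored_password)
```

Both checks depend on the server holding a clear-text (reversible) copy of the password, which is why the scheme requires a populated clear-text password attribute and is unavailable in FIPS-only mode, where MD5 is not permitted.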
RADIUS CHAP PAP Scheme Prerequisites
Meet the following prerequisites before configuring a RADIUS CHAP/PAP authentication scheme:
  • The field in the user directory that is specified for the clear text password contains a value.
  • The Policy Server is not operating in FIPS-only mode. If the Policy Server is operating in FIPS-only mode, a RADIUS CHAP/PAP authentication scheme is not supported.
Configure a RADIUS CHAP PAP Authentication Scheme
Use a RADIUS CHAP/PAP authentication scheme when you are using the RADIUS protocol.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
  4. Verify that Create a new object of type Authentication Scheme is selected.
  5. Click OK.
  6. Enter a name and protection level.
  7. Select RADIUS CHAP/PAP Template from the Authentication Scheme Type list.
  8. Specify the clear text password attribute in the Scheme Setup section.
  9. Click Submit.
The authentication scheme is saved. You can now assign it to a realm.
RADIUS Server Authentication Schemes
The RADIUS protocol is supported by letting the Policy Server act as the RADIUS server. A NAS client acts as the RADIUS client. RADIUS Agents let the Policy Server communicate with the NAS client devices. In the RADIUS server authentication scheme, the Policy Server is attached to the protected network.
This scheme accepts user name and password as credentials. Multiple instances of this scheme can be defined. This scheme does not interpret RADIUS attributes that are returned by the RADIUS server in the authentication response.
RADIUS Server Scheme Prerequisites
Complete the following prerequisites before configuring a RADIUS server authentication scheme:
  • The RADIUS server is on a network accessible by the Policy Server.
  • The Policy Server is not operating in FIPS-only mode. If the Policy Server is operating in FIPS-only mode, a RADIUS Server authentication scheme is not supported.
Configure a RADIUS Server Authentication Scheme
Use a RADIUS Server authentication scheme when the Policy Server is acting as a RADIUS Server and a NAS client as a RADIUS client.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
  4. Verify that Create a new object of type Authentication Scheme is selected.
  5. Click OK.
  6. Enter a name and a protection level.
  7. Select RADIUS Server Template from the Authentication Scheme Type list.
  8. Enter the RADIUS server IP address, port number, and shared secret in the Scheme Setup section.
  9. Click Submit.
The authentication scheme is saved. You can assign it to a realm.