TMS zl Management and Configuration Guide ST.1.0.090213

Firewall
User Authentication
Figure 4-31. CHAP Handshake
The steps of the handshake are as follows:
1. The client sends a request for access to the NAS, which translates it into
an Access-Request packet and sends it to the RADIUS server.
An Access-Request packet has the following fields:
• Username
• Password
• NAS port
• NAS ID
Note: The field NAS-Identifier is only sent for CHAP and MS-CHAP
authentication requests (not for PAP requests).
2. The RADIUS server determines whether the user’s credentials are valid.
It can consider any or all of the submitted credentials when determining
validity.
If the credentials are invalid, the RADIUS server sends an Access-Reject
packet.
If the credentials are valid, the RADIUS server sends an Access-Challenge
packet. The NAS generates a 16-octet challenge value and sends it to the
client.
3. The client resubmits its request for access with a new identifier and a
challenge response value, calculated with a one-way hash function. The
NAS translates this information and forwards it to the RADIUS server.
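The challenge-response calculation in steps 2 and 3, as an added example that is not taken from this guide. It assumes standard CHAP as defined in RFC 1994, where the one-way hash is MD5 over the identifier octet, the shared secret and the challenge (the guide does not name the hash); the function names and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # the guide states a 16-octet challenge value


def new_challenge() -> bytes:
    """NAS side (step 2): a fresh, unpredictable challenge per attempt."""
    return secrets.token_bytes(CHALLENGE_LEN)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (step 3): MD5(identifier || secret || challenge), RFC 1994."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier: int, secret: bytes,
                    challenge: bytes, response: bytes) -> bool:
    """Verifier side: recompute from the stored secret, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-sample-secret"  # constructed value, not a real credential
    ident, challenge = 1, new_challenge()
    response = chap_response(ident, secret, challenge)
    return {
        "response_len": len(response),
        # Correct secret, same identifier and challenge: accepted.
        "valid": verify_response(ident, secret, challenge, response),
        # Captured response replayed against a new identifier and challenge: rejected.
        "replayed": verify_response(2, secret, new_challenge(), response),
        # Wrong shared secret: rejected.
        "wrong_secret": verify_response(ident, b"not-the-secret", challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```

The secret itself never crosses the wire, and a response is only valid for the identifier and challenge it was computed over, which is why the challenge must be fresh for every attempt.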