TMS zl Management and Configuration Guide ST.1.0.090213

4-50
Firewall
User Authentication
4. The RADIUS server performs a one-way hash on its own request and
compares this value with the client's response.
If the values don't match, the RADIUS server either:
- sends an Access-Reject packet, and the NAS denies access to the user, or
- sends another Access-Challenge packet.
If the values match, the RADIUS server sends an Access-Accept packet,
and the NAS allows the user to access the network.
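The comparison in step 4, and the replay-protection and plaintext-secret points of Table 4-4, can be seen in a small model of the exchange. This is an added example, not code from the guide or from the TMS zl Module; it assumes the RFC 1994 CHAP response format, MD5 over the identifier, the shared secret and the challenge, which the guide does not spell out. The user name, secret and re-challenge policy are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Added example (not from the TMS zl guide). Assumption: the client's response is
# MD5(Identifier || secret || Challenge) as in RFC 1994; the guide names no hash.


def chap_response(identifier, secret, challenge):
    """Client side: one-way hash over the identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RadiusChapServer:
    """Toy RADIUS-side authenticator. It must keep each user's secret in plain text
    (Table 4-4 disadvantage) because it has to recompute the same hash the client did."""

    def __init__(self, users, max_failures=2):
        self.users = dict(users)      # username -> plaintext shared secret
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response
        self.failures = {}            # username -> consecutive failed responses
        self.max_failures = max_failures   # constructed policy: re-challenge once, then reject

    def access_challenge(self):
        """Issue an Access-Challenge with a fresh identifier and a fresh random challenge."""
        self.identifier = (self.identifier + 1) % 256   # identifier changes every time
        challenge = secrets.token_bytes(16)             # challenge changes every time
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def check_response(self, username, identifier, response):
        """Step 4: hash our own copy of the request and compare it with the client's value.
        Returns the packet type the RADIUS server sends next."""
        challenge = self.outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return "Access-Reject"
        expected = chap_response(identifier, secret, challenge)
        if hmac.compare_digest(expected, response):          # constant-time comparison
            self.failures[username] = 0
            return "Access-Accept"
        self.failures[username] = self.failures.get(username, 0) + 1
        # Values don't match: either send another Access-Challenge or an Access-Reject.
        if self.failures[username] < self.max_failures:
            return "Access-Challenge"
        return "Access-Reject"


def run_exchange():
    """Walk through a correct login, a wrong secret, and a replayed response."""
    server = RadiusChapServer({"alice": b"s3cret-shared"})   # constructed sample user
    results = {}

    # 1. Correct secret: both hashes agree and the NAS lets the user on.
    ident, chal = server.access_challenge()
    good = chap_response(ident, b"s3cret-shared", chal)
    results["correct"] = server.check_response("alice", ident, good)

    # 2. Wrong secret: the first mismatch earns another Access-Challenge, the second a reject.
    ident, chal = server.access_challenge()
    bad = chap_response(ident, b"wrong", chal)
    results["wrong_first"] = server.check_response("alice", ident, bad)
    ident, chal = server.access_challenge()
    bad = chap_response(ident, b"wrong", chal)
    results["wrong_second"] = server.check_response("alice", ident, bad)

    # 3. Replay: the earlier valid response is resent. The identifier and challenge have
    #    moved on, so the recomputed hash no longer matches (Table 4-4 advantage). Note that
    #    only hashes ever crossed the line; the secret itself was never transmitted.
    ident, chal = server.access_challenge()
    results["replay"] = server.check_response("alice", ident, good)
    return results


if __name__ == "__main__":
    for step, packet in run_exchange().items():
        print(f"{step}: {packet}")
```

The server never receives the secret, only a digest that depends on a one-time identifier and challenge, which is why a captured response is useless later; the flip side, visible in `check_response`, is that the verifier needs the plaintext secret to recompute that digest.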
Some advantages and disadvantages of CHAP are listed in Table 4-4.
Table 4-4. Advantages and Disadvantages of CHAP
MS-CHAP. The TMS zl Module supports MS-CHAPv2 for RADIUS authentication,
which is similar to, though incompatible with, MS-CHAPv1.
MS-CHAPv2 is compatible with both Windows XP and Windows Vista, the two
most current Microsoft operating systems.
MS-CHAP works in the same way as CHAP, with a few exceptions:
- The RADIUS server, or authenticator, does not need to store a plaintext
  version of the secret, so the secret can be irreversibly encrypted.
- It includes a Change-Password packet that allows the client to change the
  password on the account that is being authenticated.
- It always defines a reason for failure in the Access-Reject packet.
PAP. PAP uses a two-way handshake to authenticate users. The CHAP
authentication process is shown in detail below.
Advantages:
- Prevents playback attacks by incrementally changing the identifier and
  challenge values.
- Both the client and the server must know the secret, but the secret is
  never sent over the line.
Disadvantages:
- The shared secret must be in plain text, so you cannot use irreversibly
  encrypted passwords.