TMS zl Management and Configuration Guide ST.1.2.100916
4-50
Firewall
User Authentication
The steps of the handshake are as follows:
1. The client sends a request for access to the NAS, which translates it into
an Access-Request packet and sends it to the RADIUS server.
An Access-Request packet has the following fields:
• Username (up to 64 characters on the TMS zl Module)
• Password (up to 64 characters on the TMS zl Module)
• NAS port
• NAS ID
Note The field NAS-Identifier is only sent for CHAP and MS-CHAP authentication
requests (not for PAP requests).
2. The RADIUS server determines whether the user’s credentials are valid.
It can consider any or all of the submitted credentials when determining
validity.
If the credentials are invalid, the RADIUS server sends an Access-Reject
packet.
If the credentials are valid, the RADIUS server sends an Access-Challenge
packet. The NAS generates a 16-octet challenge value and sends it to the
client.
3. The client resubmits its request for access with a new identifier and a
challenge response value, calculated with a one-way hash function. The
NAS translates this information and forwards it to the RADIUS server.
4. The RADIUS server performs a one-way hash on its own request and
compares this value with the client’s response.
If the values don’t match, the RADIUS server either:
• sends an Access-Reject packet, and the NAS denies access to the user.
• sends another Access-Challenge packet.
If the values match, the RADIUS server sends an Access-Accept packet,
and the NAS allows the user to access the network.
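The challenge/response exchange of steps 2 to 4, as an added illustration that is not the TMS zl Module's own code: the client hashes the identifier, its password and the 16-octet challenge; the server recomputes the same hash from the password it holds and compares. The hash construction follows CHAP as standardized in RFC 1994 (MD5 over identifier, secret, challenge); the page itself does not name the hash function, and the user store and packet-name return values are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed credential store for the example: username -> cleartext password.
# CHAP obliges the verifier to hold the cleartext (or reversibly stored) secret,
# which is one of the trade-offs of the method.
USER_DB = {"alice": b"correct horse battery staple"}


def new_challenge() -> bytes:
    """16-octet random challenge, as the NAS generates in step 2."""
    return os.urandom(16)


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side of step 3: one-way hash over identifier, secret and challenge.

    RFC 1994 specifies MD5(identifier || secret || challenge) for CHAP; the
    identifier is a single octet and is part of the hashed data, so a response
    is bound to one request as well as to one challenge.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def radius_verify(username: str, identifier: int, challenge: bytes,
                  response: bytes) -> str:
    """Server side of step 4: recompute the hash and compare it to the client's.

    Returns the name of the packet the RADIUS server would send back.
    The comparison is constant-time so response bytes cannot be guessed
    one at a time from timing differences.
    """
    password = USER_DB.get(username)
    if password is None:
        return "Access-Reject"
    expected = chap_response(identifier, password, challenge)
    if hmac.compare_digest(expected, response):
        return "Access-Accept"
    return "Access-Reject"


def run_handshake(username: str, password: bytes) -> str:
    """Full exchange for one user: fresh challenge, client response, server check."""
    identifier = 1
    challenge = new_challenge()           # step 2: NAS issues the challenge
    response = chap_response(identifier, password, challenge)   # step 3
    return radius_verify(username, identifier, challenge, response)   # step 4
```

Because the challenge is fresh on every attempt, a response captured from one handshake does not verify against the next one, which is what keeps the password off the wire without allowing straightforward replay.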
Some advantages and disadvantages of CHAP are listed in Table 4-8.