TMS zl Management and Configuration Guide ST.1.2.100916

Firewall
User Authentication
Table 4-8. Advantages and Disadvantages of CHAP
MS-CHAP. The TMS zl Module supports MS-CHAPv2 for RADIUS authentication, which is incompatible with, though similar to, MS-CHAPv1. MS-CHAPv2 is compatible with Windows 7, Vista, and XP.
MS-CHAP works in the same way as CHAP, with a few exceptions:
- The RADIUS server, or authenticator, does not need to store a plaintext version of the secret, so the secret can be irreversibly encrypted.
- It includes a Change-Password packet that allows the client to change the password on the account that's being authenticated.
- It always defines a reason for failure in the Access-Reject packet.
PAP. PAP uses a two-way handshake to authenticate users. The PAP authentication process is shown in detail below.
Figure 4-31. PAP Handshake
The PAP handshake process is as follows:
1. The client sends a request to the NAS. The NAS translates the packet and
forwards it to the RADIUS server. This packet includes only a username
and password.
| Advantages | Disadvantages |
| --- | --- |
| Prevents playback attacks by incrementally changing the identifier and challenge values. | The shared secret must be in plain text, so you cannot use irreversibly encrypted passwords. |
| Both the client and the server must know the secret, but the secret is never sent over the line. | |
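
The CHAP trade-offs listed in Table 4-8, shown as an added example that is not part of the guide: it uses the standard RFC 1994 response computation, MD5(identifier || secret || challenge), which the guide does not spell out. The `Authenticator` class, `demo` function and the sample secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical class). It needs the secret in recoverable form."""

    def __init__(self, stored_secret: bytes):
        self.stored_secret = stored_secret
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        # The identifier increments and the challenge is fresh for each attempt.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, response: bytes) -> bool:
        expected = chap_response(self.identifier, self.stored_secret, self.challenge)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-sample-secret"  # constructed value, not from the guide
    server = Authenticator(secret)

    # Advantage: the client proves knowledge of the secret without sending it.
    ident, chal = server.new_challenge()
    captured = chap_response(ident, secret, chal)
    first_ok = server.verify(captured)

    # Advantage: a captured response fails once identifier and challenge change.
    server.new_challenge()
    replay_ok = server.verify(captured)

    # Disadvantage: a server that kept only a one-way hash of the secret
    # cannot recompute the expected response, so a legitimate client is rejected.
    hashed_store = Authenticator(hashlib.sha256(secret).digest())
    ident, chal = hashed_store.new_challenge()
    hashed_ok = hashed_store.verify(chap_response(ident, secret, chal))
    return first_ok, replay_ok, hashed_ok


if __name__ == "__main__":
    print(demo())
```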