Peer                                            RADIUS
----                                            -------------

                                          <- EAP-Request/Identity

EAP-Response/
Identity (MyID) ->

                                          <- EAP-Request/
                                             EAP-Type=EAP-MS-CHAP-V2
                                             (Challenge[16])

EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
   16 octets: Peer-Challenge
    8 octets: Reserved, must be zero
   24 octets: NT-Response
    1 octet : Flags

                                          <- EAP-Request/
                                             EAP-Type=EAP-MS-CHAP-V2
                                             (Success)
                                             S=<auth_string> M=<message>

EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Success) ->

                                          <- EAP-Success

The <auth_string> carried in the Success request is the 42-octet
AuthenticatorResponse produced by

   GenerateAuthenticatorResponse( Password, NT-Response, PeerChallenge,
                                  AuthenticatorChallenge, UserName,
                                  AuthenticatorResponse );

which is defined as follows:

   GenerateAuthenticatorResponse(
   IN  0-to-256-unicode-char Password,
   IN  24-octet              NT-Response,
   IN  16-octet              PeerChallenge,
   IN  16-octet              AuthenticatorChallenge,
   IN  0-to-256-char         UserName,
   OUT 42-octet              AuthenticatorResponse )
   {
      16-octet PasswordHash
      16-octet PasswordHashHash
      8-octet  Challenge

      /*
       * "Magic" constants used in response generation
       * (Magic1 is the ASCII string "Magic server to client signing constant",
       *  Magic2 is the ASCII string "Pad to make it do more than one iteration")
       */
      Magic1[39] =
         {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
          0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
          0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
          0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};

      Magic2[41] =
         {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
          0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
          0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
          0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
          0x6E};

      /*
       * Hash the password with MD4
       */
      NtPasswordHash( Password, giving PasswordHash )

      /*
       * Now hash the hash
       */
      HashNtPasswordHash( PasswordHash, giving PasswordHashHash )

      /*
       * Digest = SHA1( PasswordHashHash | NT-Response | Magic1 )
       */
      SHAInit(Context)
      SHAUpdate(Context, PasswordHashHash, 16)
      SHAUpdate(Context, NT-Response, 24)
      SHAUpdate(Context, Magic1, 39)
      SHAFinal(Context, Digest)

      /*
       * Challenge = first 8 octets of
       * SHA1( PeerChallenge | AuthenticatorChallenge | UserName )
       */
      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge )

      /*
       * Digest = SHA1( Digest | Challenge | Magic2 )
       */
      SHAInit(Context)
      SHAUpdate(Context, Digest, 20)
      SHAUpdate(Context, Challenge, 8)
      SHAUpdate(Context, Magic2, 41)
      SHAFinal(Context, Digest)

      /*
       * Encode the value of 'Digest' as "S=" followed by
       * 40 ASCII hexadecimal digits and return it in
       * AuthenticatorResponse.
       * For example,
       * "S=0123456789ABCDEF0123456789ABCDEF01234567"
       */
   }
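The computation above, carried through in runnable Python as an added example (not the draft's own code): the magic constants are the ASCII strings the two hex arrays encode, a small MD4 is included because hashlib frequently lacks it, and the last function shows the peer-side check that the S= value in the Success request must pass before the peer answers with EAP-Response/Success. Function names are mine, and the password and challenges used in the test are the RFC 2759 section 9.2 vectors.

```python
import hashlib
import hmac
import struct

MAGIC1 = b"Magic server to client signing constant"     # the 39-octet Magic1 array
MAGIC2 = b"Pad to make it do more than one iteration"   # the 41-octet Magic2 array

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for i in range(16):  # round 1: word order 0..15
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the password's UTF-16LE ("unicode") octets."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash: first 8 octets of SHA-1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()[:8]

def generate_authenticator_response(password: str, nt_response: bytes, peer_challenge: bytes,
                                    auth_challenge: bytes, user_name: str) -> str:
    """The S=<auth_string> value: SHA-1 chain over PasswordHashHash, NT-Response and the magic pads."""
    password_hash_hash = md4(nt_password_hash(password))      # HashNtPasswordHash
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, user_name)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def peer_accepts_success(success_message: str, expected: str) -> bool:
    """Peer side: send EAP-Response/Success only if the S= value (the first 42 characters of
    "S=<auth_string> M=<message>") equals the one the peer computed; compare in constant time."""
    return hmac.compare_digest(success_message[:42], expected)
```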
In the case where the EAP MS-CHAP-V2 authentication is unsuccessful, due
to a retryable error, the conversation will appear as follows (assuming
a maximum of two retries):
Peer                                            Authenticator
----                                            -------------

                                          <- EAP-Request/Identity

EAP-Response/
Identity (MyID) ->

                                          <- EAP-Request/
                                             EAP-Type=EAP-MS-CHAP-V2
                                             (Challenge)

EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->

                                          <- EAP-Request/
                                             EAP-Type=EAP-MS-CHAP-V2
                                             (Failure, R=1)

EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->

                                          <- EAP-Request/
                                             EAP-Type=EAP-MS-CHAP-V2
                                             (Failure, R=1)