peap-MS-CHAP-V2

Peer                                   radius
----                                   -------------
                                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                                       <- EAP-Request/
                                          EAP-Type=EAP-MS-CHAP-V2
                                          (Challenge[16])
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
    16 octets: Peer-Challenge
     8 octets: Reserved, must be zero
    24 octets: NT-Response
     1 octet : Flags
                                       <- EAP-Request/
                                          EAP-Type=EAP-MS-CHAP-V2
                                          (Success)
                                          S=<auth_string> M=<message>

<auth_string> is produced by GenerateAuthenticatorResponse():

   GenerateAuthenticatorResponse( Password, NTResponse, PeerChallenge,
                                  AuthenticatorChallenge, UserName,
                                  AuthenticatorResponse );

GenerateAuthenticatorResponse()

   GenerateAuthenticatorResponse(
   IN  0-to-256-unicode-char Password,
   IN  24-octet              NT-Response,
   IN  16-octet              PeerChallenge,
   IN  16-octet              AuthenticatorChallenge,
   IN  0-to-256-char         UserName,
   OUT 42-octet              AuthenticatorResponse )
   {
      16-octet              PasswordHash
      16-octet              PasswordHashHash
      8-octet               Challenge

      /*
       * "Magic" constants used in response generation
       */

      Magic1[39] =
         {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
          0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
          0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
          0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};

      Magic2[41] =
         {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
          0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
          0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
          0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
          0x6E};

      /*
       * Hash the password with MD4
       */

      NtPasswordHash( Password, giving PasswordHash )

      /*
       * Now hash the hash
       */

      HashNtPasswordHash( PasswordHash, giving PasswordHashHash)

      SHAInit(Context)
      SHAUpdate(Context, PasswordHashHash, 16)
      SHAUpdate(Context, NTResponse, 24)
      SHAUpdate(Context, Magic1, 39)
      SHAFinal(Context, Digest)

      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge)

      SHAInit(Context)
      SHAUpdate(Context, Digest, 20)
      SHAUpdate(Context, Challenge, 8)
      SHAUpdate(Context, Magic2, 41)
      SHAFinal(Context, Digest)

      /*
       * Encode the value of 'Digest' as "S=" followed by
       * 40 ASCII hexadecimal digits and return it in
       * AuthenticatorResponse.
       * For example,
       *   "S=0123456789ABCDEF0123456789ABCDEF01234567"
       */

   }
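The pseudocode above as runnable Python, added here as an example (it is not the page's or RFC 2759's own code): GenerateAuthenticatorResponse with the NtPasswordHash, HashNtPasswordHash and ChallengeHash helpers it calls, plus the peer-side check that must pass before the peer answers the Success request; this check is what makes the exchange mutual and lets a peer reject an authenticator that does not know the password. Function names are mine, and MD4 is implemented inline because hashlib's md4 is frequently unavailable on current OpenSSL builds.

```python
import hashlib
import hmac
import struct

# Added example, not the page's pseudocode: RFC 2759 GenerateAuthenticatorResponse and its helpers.
MAGIC1 = b"Magic server to client signing constant"    # 39 octets, the page's Magic1
MAGIC2 = b"Pad to make it do more than one iteration"  # 41 octets, the page's Magic2
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' is often missing on OpenSSL 3."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (round function, word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, ks, ss, add in rounds:
            for i, k in enumerate(ks):  # rotate registers so every step writes into 'a'
                a, b, c, d = d, rol((a + f(b, c, d) + w[k] + add) & MASK, ss[i % 4]), b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash(): MD4 over the password in its UTF-16LE (Unicode) form."""
    return md4(password.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash(): first 8 octets of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]

def generate_authenticator_response(password, nt_response, peer_challenge, authenticator_challenge, username):
    """Authenticator side: the S=<40 hex digits> string carried in the EAP-MS-CHAP-V2 Success request."""
    password_hash_hash = md4(nt_password_hash(password))  # HashNtPasswordHash()
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()

def check_authenticator_response(received: str, *args) -> bool:
    """Peer side: recompute S= and compare in constant time before sending the (Success) response."""
    return hmac.compare_digest(received.encode(), generate_authenticator_response(*args).encode())
```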

EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Success) ->
                                       <- EAP-Success

In the case where the EAP MS-CHAP-V2 authentication is unsuccessful due to a retryable error, the conversation will appear as follows (assuming a maximum of two retries):

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1)

posted @ 2010-06-28 17:22 ahuo