📄 draft-kamath-pppext-eap-mschapv2-00.txt

📁 radius服务器
💻 TXT
📖 第 1 页 / 共 3 页
字号:
INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002   Whenever a Response packet is received, the authenticator compares   the Response Value with its own calculation of the expected value. If   the values match, then the authenticator MUST send a Success-Request   packet, as described in Section 2.3.  If the values do not match, and   if the error is retryable, then a Failure-Request packet MUST be sent   as described in Section 2.5. If the values do not match, and the   error is not retryable, then  a Failure-Request packet (described in   Section 2.5) SHOULD be sent, or alternatively, the authentication MAY   be  terminated (as described in Section 2.8) such as by sending an   EAP Failure.Name   The Name field is a string of 0 to (theoretically) 256 case-sensitive   ASCII characters which identifies the peer's user account name.  The   Windows NT domain name may prefix the user's account name (e.g.   BIGCO\johndoe where BIGCO is a Windows NT domain containing the user   account johndoe).  If a domain is not provided, the backslash should   also be omitted, (e.g. johndoe).  The Name SHOULD NOT be NUL or CR/LF   terminated.  The size of the Name field is determined from the Length   - Value-Size - 10.2.3.  Success Request packetIf the value received in the Response field of the EAP MS-CHAP-V2Response packet is equal to the expected value, then the implementationMUST transmit an EAP MS-CHAP-V2 Request packet with the OpCode field setto 3 (Success).The format of the EAP MS-CHAP-v2 Success Request packet is shown below.The fields are transmitted from left to right. 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Code      |   Identifier  |            Length             |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Type      |   OpCode      |  MS-CHAPv2-ID |  MS-Length...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|   MS-Length   |                    Message...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Code   1 - RequestKamath & Palekar              Informational                     [Page 9]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002Identifier   The Identifier field is one octet.  The Identifier field MUST be the   same if a Request packet is retransmitted due to a timeout while   waiting for a Response.  Any new (non-retransmission) Requests MUST   modify the Identifier field.  If a peer receives a duplicate Request   for which it has already sent a Response, it MUST resend it's   Response.  If a peer receives a duplicate Request before it has sent   a Response to the initial Request (i.e. it's waiting for user input),   it MUST silently discard the duplicate Request.Length   The Length field is two octets and indicates the length of the EAP   packet including the Code, Identifier, Length, Type, OpCode, MS-   CHAPv2-ID, MS-Length, and Message fields.  Octets outside the range   of the Length field should be treated as Data Link Layer padding and   should be ignored on reception.Type   26 - EAP MS-CHAP-V2OpCode   3 - SuccessMS-CHAPv2-ID   The MS-CHAPv2-ID field is one octet and aids in matching MSCHAP-v2   responses with requests.  Typically, the MS-CHAPv2-ID field is the   same as the Identifier field.MS-Length   The MS-Length field is two octets and MUST be set to the value of the   Length field minus 5.Message   The Message field contains a 42-octet authenticator response string   and a printable message.  The format of the message field is   illustrated below.      "S=<auth_string> M=<message>"   The <auth_string> quantity is a 20 octet number encoded in ASCII as   40 hexadecimal digits.  The hexadecimal digits A-F (if present) MUSTKamath & Palekar              Informational                    [Page 10]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002   be uppercase.  This number is derived from the challenge from the   Challenge packet, the Peer-Challenge and NT-Response fields from the   Response packet, and the peer password as output by the routine   GenerateAuthenticatorResponse() defined in [RFC2759], Section 8.7.   The authenticating peer MUST verify the authenticator response when a   Success packet is received.  The method for verifying the   authenticator is described in [RFC2759], section 8.8.  If the   authenticator response is either missing or incorrect, the peer MUST   end the session without sending a response.   The <message> quantity is human-readable text in the appropriate   charset and language [RFC2484].2.4.  Success Response packetIn the peer successfully validates the EAP MS-CHAP-V2 Success Requestpacket sent by the authenticator, then it MUST respond with an EAP MS-CHAP-V2 Success Response packet with the OpCode field set to 3(Success).The format of the EAP MS-CHAP-v2 Success Response packet is shown below.The fields are transmitted from left to right. 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Code      |   Identifier  |            Length             |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Type      |   OpCode      |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Code   2 - ResponseIdentifier   The Identifier field is one octet and contains the value included in   the EAP Request to which it responds.Length   6Kamath & Palekar              Informational                    [Page 11]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002Type   26 - EAP MS-CHAP-V2OpCode   3 - Success2.5.  Failure Request packetIf the Value received in a Response is not equal to the expected value,and the error is retryable, then  the implementation MUST transmit anEAP MS-CHAP-v2 Request packet with the OpCode field set to 4 (Failure).If the error is not retryable, then the implementation SHOULD transmitan EAP MS-CHAP-v2 Failure Request packet, or it MAY terminate theauthentication (e.g. send an EAP Failure packet). The former approach ispreferable, since this enables the cause of the error to becommunicated.The format of the EAP MS-CHAP-v2 Failure Request packet is shown below.The fields are transmitted from left to right. 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Code      |   Identifier  |            Length             |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Type      |   OpCode      |  MS-CHAPv2-ID |  MS-Length...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|   MS-Length   |                    Message...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Code   1 - RequestIdentifier   The Identifier field is one octet.  The Identifier field MUST be the   same if a Request packet is retransmitted due to a timeout while   waiting for a Response.  Any new (non-retransmission) Requests MUST   modify the Identifier field.  If a peer receives a duplicate Request   for which it has already sent a Response, it MUST resend it's   Response.  If a peer receives a duplicate Request before it has sent   a Response to the initial Request (i.e. it's waiting for user input),   it MUST silently discard the duplicate Request.Kamath & Palekar              Informational                    [Page 12]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002Length   The Length field is two octets and indicates the length of the EAP   packet including the Code, Identifier, Length, Type, OpCode, MS-   CHAPv2-ID, MS-Length, and Message fields.  Octets outside the range   of the Length field should be treated as Data Link Layer padding and   should be ignored on reception.Type   26 - EAP MS-CHAP-V2OpCode   4 - FailureMS-CHAPv2-ID   The MS-CHAPv2-ID field is one octet and aids in matching MSCHAP-v2   responses with requests. Typically, the MS-CHAPv2-ID field is the   same as the Identifier field.MS-Length   The MS-Length field is two octets and MUST be set to the value of the   Length field minus 5.Message   The Message field format is:     "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"   where   The "eeeeeeeeee" is the ASCII representation of a decimal error code   corresponding to one of those listed below, though implementations   should deal with codes not on this list gracefully. The error code   need not be 10 digits long.        646 ERROR_RESTRICTED_LOGON_HOURS        647 ERROR_ACCT_DISABLED        648 ERROR_PASSWD_EXPIRED        649 ERROR_NO_DIALIN_PERMISSION        691 ERROR_AUTHENTICATION_FAILURE        709 ERROR_CHANGING_PASSWORD   The "r" is a single character ASCII flag set to '1' if a retry isKamath & Palekar              Informational                    [Page 13]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002   allowed, and '0' if not.  Typically, errors 646, 647, and 649 are   non-retryable (R=0). When the authenticator sets this flag to '1' it   disables short timeouts, expecting the peer to prompt the user for   new credentials and resubmit the response. The   "cccccccccccccccccccccccccccccccc" is the ASCII representation of a   hexadecimal challenge value.  This field MUST be exactly 32 octets   long and MUST be present.   The "vvvvvvvvvv" is the ASCII representation of a decimal version   code (need not be 10 digits) indicating the password changing   protocol version supported on the server.  For EAP MS-CHAP-V2, this   value MUSTalways be 3.   <msg> is human-readable text in the appropriate charset and language   [RFC2484].2.6.  Failure Response packetWhen the peer receives a Failure Request packet that is retryable (R=1),the authentication MAY be retried. For example, a new Response packet,or Change Password packet MAY be sent. In these cases a Failure Responsepacket is not sent.However, if the EAP MS-CHAPv2 Failure Request is non-retryable (R=0),then the peer SHOULD transmit an EAP MS-CHAP-v2 Response packet with theOpCode field set to 4 (Failure). The format of the EAP MS-CHAP-v2Failure Response packet is shown below. The fields are transmitted fromleft to right. 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Code      |   Identifier  |            Length             |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Type      |   OpCode      |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Code   2 - ResponseIdentifier   The Identifier field is one octet and contains the value included in   the EAP Request to which it responds.Kamath & Palekar              Informational                    [Page 14]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002Length   6Type   26 - EAP MS-CHAP-V2OpCode   4 - Failure2.7.  Change-Password packetThe Change-Password packet does not appear in either standard CHAP orMS-CHAP-V1.  It allows the peer to change the password on the accountspecified in the preceding Response packet.  The Change-Password packetshould be sent only if the authenticator reports ERROR_PASSWD_EXPIRED(E=648) in the Message field of the Failure packet.The format of the EAP MS-CHAP-v2 Change Password packet is shown below.The fields are transmitted from left to right. 0                   1                   2                   3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Code      |   Identifier  |            Length             |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|     Type      |   OpCode      |  MS-CHAPv2-ID |  MS-Length...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|   MS-Length   |                    Data...+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Code   2 - ResponseIdentifier   The Identifier field is one octet and aids in matching responses with   requests.  The value is the Identifier of the received Failure packet   to which this packet responds.Length   The Length field is two octets and indicates the length of the EAP   packet including the Code, Identifier, Length, Type, OpCode, MS-   CHAPv2-ID, MS-Length and Data  fields.  Octets outside the range ofKamath & Palekar              Informational                    [Page 15]INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002   the Length field should be treated as Data Link Layer padding and   should be ignored on reception. For the Change Password packet, the   length = 591.Type   26 - EAP MS-CHAP-V2OpCode   7 - Change PasswordMS-CHAPv2-ID   The MS-CHAPv2-ID field is one octet and aids in matching MSCHAP-v2   responses with requests.  Typically, the MS-CHAPv2-ID field is the   same as the Identifier field.MS-Length   The MS-Length field is two octets and MUST be set to the value of the   Length field minus 5.Data   The Data field is 582 octets in length, and is subdivided as follows:        516 octets : Encrypted-Password         16 octets : Encrypted-Hash         16 octets : Peer-Challenge          8 octets : Reserved         24 octets : NT-Response          2-octet  : FlagsEncrypted-Password   The Encrypted-Password field is 516 octets in length, and contains   the PWBLOCK form of the new Windows NT password encrypted with the   old Windows NT password hash, as output by the   NewPasswordEncryptedWithOldNtPasswordHash() routine defined in   [RFC2759], Section 8.9.Encrypted-Hash   The Encrypted-Hash field is 16 octets in length and contains the old   Windows NT password hash encrypted with the new Windows NT password   hash, as output by the   OldNtPasswordHashEncryptedWithNewNtPasswordHash() routine, defined inKamath & Palekar              Informational                    [Page 16]
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -