📄 rfc2548.txt
                        NT-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-Old-Password (cont)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      NT-New-Password
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     New-LM-Password-Length    |             Flags             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type
      3 for MS-CHAP-PW-1

   Vendor-Length
      72

   Code
      The Code field is one octet in length.  Its value is always 5.

Zorn                         Informational                      [Page 7]

RFC 2548      Microsoft Vendor-specific RADIUS Attributes     March 1999

   Ident
      The Ident field is one octet and aids in matching requests and
      replies.

   LM-Old-Password
      The LM-Old-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the old password.

   LM-New-Password
      The LM-New-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the new password.

   NT-Old-Password
      The NT-Old-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the old password.

   NT-New-Password
      The NT-New-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the new password.

   New-LM-Password-Length
      The New-LM-Password-Length field is two octets in length and
      contains the length in octets of the new LAN Manager-compatible
      password.

   Flags
      The Flags field is two octets in length.  If the least significant
      bit of the Flags field is one, this indicates that the
      NT-New-Password and NT-Old-Password fields are valid and SHOULD be
      used.  Otherwise, the LM-New-Password and LM-Old-Password fields
      MUST be used.

2.1.7.  MS-CHAP-CPW-2

   Description

      This Attribute allows the user to change their password if it has
      expired.  This Attribute is only used in Access-Request packets,
      and should only be included if an MS-CHAP-Error attribute was
      included in the immediately preceding Access-Reject packet, the
      String field of the MS-CHAP-Error attribute indicated that the
      user password had expired, and the MS-CHAP version is equal to 2.

   A summary of the MS-CHAP-CPW-2 Attribute format is shown below.  The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Vendor-Type  | Vendor-Length |     Code      |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Old-NT-Hash
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-NT-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-NT-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-NT-Hash (cont)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Old-LM-Hash
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash (cont)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         LM-Response
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         NT-Response
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Flags             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type
      4 for MS-CHAP-PW-2

   Vendor-Length
      86

   Code
      6

   Ident
      The Ident field is one octet and aids in matching requests and
      replies.  The value of this field MUST be identical to that in
      the Ident field in all instances of the MS-CHAP-LM-Enc-PW,
      MS-CHAP-NT-Enc-PW and MS-CHAP-PW-2 attributes contained in a
      single Access-Request packet.

   Old-NT-Hash
      The Old-NT-Hash field is 16 octets in length.  It contains the old
      Windows NT password hash encrypted with the new Windows NT
      password hash.

   Old-LM-Hash
      The Old-LM-Hash field is 16 octets in length.  It contains the old
      Lan Manager password hash encrypted with the new Windows NT
      password hash.

   LM-Response
      The LM-Response field is 24 octets in length and holds an encoded
      function of the password and the received challenge.  If this
      field is empty, it SHOULD be zero-filled.

   NT-Response
      The NT-Response field is 24 octets in length and holds an encoded
      function of the password and the received challenge.  If this
      field is empty, it SHOULD be zero-filled.

   Flags
      The Flags field is two octets in length.  If the least significant
      bit (bit 0) of this field is one, the NT-Response field is to be
      used in preference to the LM-Response field for authentication.
      The LM-Response field MAY still be used (if present), but the
      NT-Response SHOULD be tried first.  If the least significant bit
      of the field is zero, the NT-Response field MUST be ignored and
      the LM-Response field used instead.  If bit 1 of the Flags field
      is one, the Old-LM-Hash field is valid and SHOULD be used.  If
      this bit is set, at least one instance of the MS-CHAP-LM-Enc-PW
      attribute MUST be included in the packet.

2.1.8.  MS-CHAP-LM-Enc-PW

   Description

      This Attribute contains the new Windows NT password encrypted with
      the old LAN Manager password hash.  The encrypted Windows NT
      password is 516 octets in length; since this is longer than the
      maximum length of a RADIUS attribute, the password must be split
      into several attributes for transmission.  A 2 octet sequence
      number is included in the attribute to help preserve ordering of
      the password fragments.

      This Attribute is only used in Access-Request packets, in
      conjunction with the MS-CHAP-CPW-2 attribute.  It should only be
      included if an MS-CHAP-Error attribute was included in the
      immediately preceding Access-Reject packet, the String field of
      the MS-CHAP-Error attribute indicated that the user password had
      expired, and the MS-CHAP version is 2 or greater.

   A summary of the MS-CHAP-LM-Enc-PW Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Vendor-Type  | Vendor-Length |     Code      |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Sequence-Number        |          String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type
      5 for MS-CHAP-LM-Enc-PW

   Vendor-Length
      > 6

   Code
      6.  Code is the same as for the MS-CHAP-PW-2 attribute.

   Ident
      The Ident field is one octet and aids in matching requests and
      replies.  The value of this field MUST be identical in all
      instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and
      MS-CHAP-PW-2 attributes which are present in the same
      Access-Request packet.

   Sequence-Number
      The Sequence-Number field is two octets in length and indicates
      which "chunk" of the encrypted password is contained in the
      following String field.

   String
      The String field contains a portion of the encrypted password.

2.2.  MS-CHAP-NT-Enc-PW

   Description

      This Attribute contains the new Windows NT password encrypted with
      the old Windows NT password hash.  The encrypted Windows NT
      password is 516 octets in length; since this is longer than the
      maximum length of a RADIUS attribute, the password must be split
      into several attributes for transmission.  A 2 octet sequence
      number is included in the attribute to help preserve ordering of
      the password fragments.

      This Attribute is only used in Access-Request packets, in
      conjunction with the MS-CHAP-CPW-2 and MS-CHAP2-CPW attributes.
      It should only be included if an MS-CHAP-Error attribute was
      included in the immediately preceding Access-Reject packet, the
      String field of the MS-CHAP-Error attribute indicated that the
      user password had expired, and the MS-CHAP version is 2 or
      greater.

   A summary of the MS-CHAP-NT-Enc-PW Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Vendor-Type  | Vendor-Length |     Code      |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Sequence-Number        |          String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type
      6 for MS-CHAP-NT-Enc-PW

   Vendor-Length
      > 6

   Code
      6.  Code is the same as for the MS-CHAP-PW-2 attribute.

   Ident
      The Ident field is one octet and aids in matching requests and
      replies.  The value of this field MUST be identical in all
      instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and
      MS-CHAP-PW-2 attributes which are present in the same
      Access-Request packet.

   Sequence-Number
      The Sequence-Number field is two octets in length and indicates
      which "chunk" of the encrypted password is contained in the
      following String field.

   String
      The String field contains a portion of the encrypted password.

2.3.  Attributes for Support of MS-CHAP Version 2

2.3.1.  Introduction

   This section describes RADIUS attributes supporting version two of
   Microsoft's PPP CHAP dialect (MS-CHAP-V2) [14].  MS-CHAP-V2 is
   similar to, but incompatible with, MS-CHAP version one (MS-CHAP-V1)
   [4].  Certain protocol fields have been deleted or reused but with
   different semantics.  Where possible, MS-CHAP-V2 is consistent with
   both MS-CHAP-V1 and standard CHAP [1].  Briefly, the differences
   between MS-CHAP-V2 and MS-CHAP-V1 are:

   *  MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP
      option 3, Authentication Protocol.

   *  MS-CHAP-V2 provides mutual authentication between peers by
      piggybacking a peer challenge on the Response packet and an
      authenticator response on the Success packet.

   *  The calculation of the "Windows NT compatible challenge response"
      sub-field in the Response packet has been changed to include the
      peer challenge and the user name.

   *  In MS-CHAP-V1, the "LAN Manager compatible challenge response"
      sub-field was always sent in the Response packet.  This field has
      been replaced in MS-CHAP-V2 by the Peer-Challenge field.

   *  The format of the Message field in the Failure packet has been
      changed.

   *  The Change Password (version 1) and Change Password (version 2)
      packets are no longer supported.  They have been replaced with a
      single Change-Password packet.
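
The following Python is an added example, not part of RFC 2548: it parses the MS-CHAP-CPW-2 layout from section 2.1.7 and reassembles the MS-CHAP-LM-Enc-PW / MS-CHAP-NT-Enc-PW fragments from sections 2.1.8 and 2.2, enforcing the Vendor-Length, Code, Ident, Flags bit 1 and 516-octet rules stated there. The function names, network byte order for the two-octet fields, and the requirement that Sequence-Number values be consecutive are assumptions; the input is the concatenated Microsoft vendor sub-attributes of one Access-Request.

```python
import struct
# Assumption: 2-octet fields (Sequence-Number, Flags) are in network byte order.
CPW2, LM_ENC_PW, NT_ENC_PW = 4, 5, 6  # Vendor-Type values given in the text
ENC_PW_LEN = 516                      # size of the reassembled encrypted password

def split_subattrs(payload: bytes):
    """Yield (Vendor-Type, whole sub-attribute) from a Microsoft VSA payload."""
    i = 0
    while i < len(payload):
        vlen = payload[i + 1] if i + 1 < len(payload) else 0
        if vlen < 2 or i + vlen > len(payload):
            raise ValueError("bad Vendor-Length")
        yield payload[i], payload[i:i + vlen]
        i += vlen

def reassemble(chunks: dict) -> bytes:
    """Join String fragments in Sequence-Number order; reject gaps and bad size."""
    seqs = sorted(chunks)
    if seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        raise ValueError("gap in Sequence-Number")
    data = b"".join(chunks[s] for s in seqs)
    if len(data) != ENC_PW_LEN:
        raise ValueError("encrypted password is not 516 octets")
    return data

def parse_change_password(payload: bytes) -> dict:
    cpw2, idents, frags = None, set(), {LM_ENC_PW: {}, NT_ENC_PW: {}}
    for vtype, attr in split_subattrs(payload):
        if vtype not in (CPW2, LM_ENC_PW, NT_ENC_PW):
            continue  # other Microsoft sub-attributes are not handled here
        if len(attr) <= 6 or attr[2] != 6 or (vtype == CPW2 and len(attr) != 86):
            raise ValueError("bad Vendor-Length or Code (expected Code 6)")
        idents.add(attr[3])
        if vtype == CPW2:
            names = ("old_nt_hash", "old_lm_hash", "lm_response", "nt_response", "flags")
            cpw2 = dict(zip(names, struct.unpack("!16s16s24s24sH", attr[4:])))
        else:
            seq = struct.unpack("!H", attr[4:6])[0]
            if seq in frags[vtype]:
                raise ValueError("duplicate Sequence-Number")
            frags[vtype][seq] = attr[6:]
    if cpw2 is None or len(idents) != 1:
        raise ValueError("need MS-CHAP-CPW-2 and one Ident across all attributes")
    if cpw2["flags"] & 0x2 and not frags[LM_ENC_PW]:
        raise ValueError("Flags bit 1 set but no MS-CHAP-LM-Enc-PW present")
    cpw2["use_nt_response"] = bool(cpw2["flags"] & 0x1)  # bit 0: prefer NT-Response
    for key, vtype in (("nt_enc_pw", NT_ENC_PW), ("lm_enc_pw", LM_ENC_PW)):
        cpw2[key] = reassemble(frags[vtype]) if frags[vtype] else None
    return cpw2
```

A server would run these checks before attempting any decryption, so that a packet with mixed Ident values, a missing fragment or an inconsistent Flags field is rejected early.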