draft-kamath-pppext-eap-mschapv2-00.txt


INTERNET-DRAFT                EAP MS-CHAPv2             2 September 2002


   [RFC2759], Section 8.12.

Peer-Challenge

   The Peer-Challenge field is 16 octets in length, and contains a
   16-octet random quantity, as described in the Response packet
   description.

Reserved

   8 octets, must be zero.

NT-Response

   The NT-Response field is 24 octets in length and is as described in
   the Response packet description. However it is calculated on the new
   password and the challenge received in the Failure packet.

Flags

   The Flags field is two octets in length.  It is a bit field of option
   flags where 0 is the least significant bit of the 16-bit quantity.
   The format of this field is illustrated in the following diagram:

                  1
        5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

       Bits 0-15
       Reserved, always clear (0).

2.8.  Alternative failure behavior

Rather than sending a Failure Request as described in Section 2.5, if
the error is non-retryable (e.g. R=0), or if the maximum number of
retries has been exhausted, then the Authenticator MAY terminate the
authentication conversation. Where EAP MS-CHAP-V2 is running standalone
(e.g. without PEAP), this will result in transmission of an EAP Failure
message to the authenticator. Since EAP Failure packets do not carry
additional data, no error message may be transmitted to the peer.

2.9.  Known bugs

In Windows XP SP1, Failure Request packets are only sent where the error
is retryable (R=1). Rather than sending a Failure Request with a
non-retryable error (R=0), a Windows XP SP1 authenticator will terminate
authentication.  This is undesirable, because it prevents non-retryable
error messages from being received by the peer. A Windows XP SP1 host,
on receiving a Failure Request packet with a non-retryable error (R=0),
will silently discard the packet.

Kamath & Palekar              Informational                    [Page 17]

Since a Windows XP SP1 peer will respond to a retryable (R=1) Failure
Request by retrying authentication (such as by sending a Response or
Change-Password packet), and non-retryable (R=0) Failure Requests are
silently discarded, Windows XP SP1 peers do not send Failure Response
packets. If a Windows XP SP1 authenticator receives a Failure Response
packet, it will be silently discarded.

3.  Normative references

[RFC1320] Rivest, R., "MD4 Message Digest Algorithm", RFC 1320, April
          1992.

[RFC1994] Simpson, W., "PPP Challenge Handshake Authentication Protocol
          (CHAP)", RFC 1994, August 1996.

[RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
          Recommendations for Security", RFC 1750, December 1994.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2284] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
          Protocol (EAP)", RFC 2284, March 1998.

[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC
          2433, October 1998.

[RFC2484] Zorn, G., "PPP LCP Internationalization Configuration Option",
          RFC 2484, January 1999.

[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC
          2759, January 2000.

[RC4]     RC4 is a proprietary encryption algorithm available under
          license from RSA Data Security Inc.  For licensing
          information, contact:
                            RSA Data Security, Inc.
                            100 Marine Parkway
                            Redwood City, CA 94065-1031

[IEEE8021X]
          IEEE Standards for Local and Metropolitan Area Networks: Port
          Based Network Access Control, IEEE Std 802.1X-2001, June 2001.

[SHA1]    "Secure Hash Standard", Federal Information Processing
          Standards Publication 180-1, National Institute of Standards
          and Technology, April 1995.

[UNICODE] "The Unicode Standard, Version 2.0", The Unicode Consortium,
          Addison-Wesley, 1996. ISBN 0-201-48345-9.

4.  Informative references

[RFC1570] Simpson, W., Editor, "PPP LCP Extensions", RFC 1570, January
          1994.

[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC
          1661, July 1994.

[DES]     "Data Encryption Standard (DES)", Federal Information
          Processing Standard Publication 46-2, National Institute of
          Standards and Technology, December 1993.

[DESMODES]
          "DES Modes of Operation", Federal Information Processing
          Standards Publication 81, National Institute of Standards and
          Technology, December 1980.

[RFC3079] Zorn, G., "Deriving Keys for use with Microsoft Point-to-Point
          Encryption (MPPE)", RFC 3079, March 2001.

Appendix A - Examples

In the case where the EAP-MS-CHAP-V2 authentication is successful, the
conversation will appear as follows:

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Success)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Success) ->
                       <- EAP-Success

In the case where the EAP MS-CHAP-V2 authentication is unsuccessful, due
to a retryable error, the conversation will appear as follows (assuming
a maximum of two retries):

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response) ->
                       <- EAP-Failure

In the case where the EAP MS-CHAP-V2 authentication is unsuccessful, due
to a non-retryable error, the conversation will appear as follows
(Windows XP SP1):

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Failure

In the case where the EAP MS-CHAP-V2 authentication is unsuccessful, due
to a non-retryable error, and a Failure Request packet is sent, the
conversation will appear as follows (behavior not exhibited by Windows
XP SP1):

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=0)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Failure)->
                       <- EAP-Failure

In the case where the EAP MS-CHAP-V2 authentication is initially
unsuccessful due to password expiration, but the subsequent Change
Password operation succeeds, the conversation will appear as follows:

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1,
                           Message=ERROR_PASSWD_EXPIRED (E=648))
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Change-Password) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Success)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Success) ->
                       <- EAP-Success

In the case where the EAP MS-CHAP-V2 authentication is unsuccessful due
to password failure and a successful retry occurs, the conversation
appears as follows:

Peer                   Authenticator
----                   -------------
                       <- EAP-Request/Identity
EAP-Response/
Identity (MyID) ->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Challenge)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Failure, R=1,
                           Message=ERROR_AUTHENTICATION_FAILURE (E=691))
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Response)->
                       <- EAP-Request/
                          EAP-Type=EAP-MS-CHAP-V2
                          (Success)
EAP-Response/
EAP-Type=EAP-MS-CHAP-V2
(Success) ->
                       <- EAP-Success
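The traces above are produced by a small set of rules: retry while R=1 and retries remain, answer an expired password with Change-Password, and either send an R=0 Failure Request or terminate outright (Sections 2.8 and 2.9). The following Python model is an added example, not code from the draft; the verify callback, the packet labels and the default retry limit of two are assumptions made to reproduce the Appendix A conversations.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ERROR_PASSWD_EXPIRED = 648           # E code from the Appendix A password-change trace
ERROR_AUTHENTICATION_FAILURE = 691   # E code from the Appendix A retry trace


@dataclass
class Authenticator:
    # verify(attempt) is a hypothetical credential check: None on success,
    # otherwise (E code, retryable flag R) for the Failure Request to send
    verify: Callable[[str], Optional[Tuple[int, bool]]]
    max_retries: int = 2             # Appendix A traces assume two retries
    terminate_on_r0: bool = False    # Section 2.8 option; Windows XP SP1 behaviour (2.9)
    retries: int = 0

    def on_response(self, attempt: str) -> str:
        err = self.verify(attempt)
        if err is None:
            return "Request(Success)"
        code, retryable = err
        if retryable and self.retries < self.max_retries:
            self.retries += 1
            return f"Request(Failure, R=1, E={code})"
        # Retries exhausted, or non-retryable on an authenticator that terminates (2.8)
        if retryable or self.terminate_on_r0:
            return "EAP-Failure"
        return f"Request(Failure, R=0, E={code})"


def converse(auth: Authenticator, attempts: List[str], xp_sp1_peer: bool = False) -> List[str]:
    """Run the MS-CHAP-V2 part of the exchange; '->' is peer, '<-' is authenticator."""
    log = ["<- Request(Challenge)"]
    pending = "Response"
    for attempt in attempts:
        log.append(f"-> {pending}")
        reply = auth.on_response(attempt)
        log.append(f"<- {reply}")
        if reply == "Request(Success)":
            log += ["-> Response(Success)", "<- EAP-Success"]
            break
        if reply == "EAP-Failure":
            break
        if "R=0" in reply:
            # Section 2.9: an XP SP1 peer discards an R=0 Failure Request instead of answering
            log.append("(peer discards packet)" if xp_sp1_peer else "-> Response(Failure)")
            log.append("<- EAP-Failure")
            break
        # R=1: an expired password is answered with Change-Password, anything else is retried
        pending = "Change-Password" if f"E={ERROR_PASSWD_EXPIRED}" in reply else "Response"
    return log
```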

Acknowledgments

Thanks to Mark Wodrich and Narendra Gidwani of Microsoft for discussions
relating to this document.

Authors' Addresses

Vivek Kamath
Ashwin Palekar
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

EMail: {vivek, ashwinp}@microsoft.com
Phone: +1 425 882 8080
Fax:   +1 425 936 7329

Full Copyright Statement

Copyright (C) The Internet Society (2002).  All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works.  However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.  The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its
successors or assigns.  This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

Expiration Date

This memo is filed as <draft-kamath-pppext-eap-mschapv2-00.txt>, and
expires March 19, 2003.
