draft-kamath-pppext-eap-mschapv2-00.txt
INTERNET-DRAFT              EAP MS-CHAPv2              2 September 2002

   [RFC2759], Section 8.12.

Peer-Challenge

   The Peer-Challenge field is 16 octets in length, and contains a
   16-octet random quantity, as described in the Response packet
   description.

Reserved

   8 octets, must be zero.

NT-Response

   The NT-Response field is 24 octets in length and is as described in
   the Response packet description. However, it is calculated on the new
   password and the challenge received in the Failure packet.

Flags

   The Flags field is two octets in length. It is a bit field of option
   flags, where 0 is the least significant bit of the 16-bit quantity.
   The format of this field is illustrated in the following diagram:

                      1
    5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Bits 0-15
      Reserved, always clear (0).

2.8. Alternative failure behavior

   Rather than sending a Failure Request as described in Section 2.5, if
   the error is non-retryable (e.g. R=0), or if the maximum number of
   retries has been exhausted, then the Authenticator MAY terminate the
   authentication conversation. Where EAP MS-CHAP-V2 is running
   standalone (e.g. without PEAP), this will result in transmission of
   an EAP Failure message to the authenticator. Since EAP Failure
   packets do not carry additional data, no error message may be
   transmitted to the peer.

2.9. Known bugs

   In Windows XP SP1, Failure Request packets are only sent where the
   error is retryable (R=1). Rather than sending a Failure Request with
   a non-retryable error (R=0), a Windows XP SP1 authenticator will
   terminate authentication. This is undesirable, because it prevents
   non-retryable error messages from being received by the peer.
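   Added example (not part of this draft): a Python model of the failure
   handling in Sections 2.5, 2.8 and 2.9, replayed as the exchanges of
   Appendix A. It parses the Failure Request Message text in the
   [RFC2759] "E=... R=... C=... V=... M=..." format and shows how the
   Windows XP SP1 deviations change the conversation; the packet names
   used in the log, the challenge values and the xp_auth/xp_peer switches
   are constructed for illustration.

```python
import re

# Failure-message text as defined in [RFC2759], Section 6:
# "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(r"^E=(\d{1,10}) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d{1,10})(?: M=(.*))?$")
ERROR_PASSWD_EXPIRED = 648          # triggers Change-Password (Section 2.7)

def parse_failure_message(text):
    """Parse a Failure Request's Message field into its components."""
    m = FAILURE_RE.match(text)
    if m is None:
        raise ValueError("malformed Failure message: %r" % text)
    e, r, c, v, msg = m.groups()
    # C is the fresh 16-octet challenge every retry must be computed against.
    return {"E": int(e), "R": r == "1", "C": bytes.fromhex(c), "V": int(v), "M": msg or ""}

def peer_next_packet(failure, xp_sp1=False):
    """Packet the peer sends after a Failure Request; None = silently discarded."""
    if not failure["R"]:
        return None if xp_sp1 else "Failure"   # Failure Response (Section 2.5)
    if failure["E"] == ERROR_PASSWD_EXPIRED:
        return "Change-Password"
    return "Response"                          # retry against the new challenge

def authenticator_reply(failure, retries_left, xp_sp1=False):
    """'Failure-Request' or 'EAP-Failure' after a failed attempt (2.5, 2.8, 2.9)."""
    if failure["R"] and retries_left > 0:
        return "Failure-Request"
    # Non-retryable error or retries exhausted: Section 2.8 permits terminating;
    # a Windows XP SP1 authenticator never sends an R=0 Failure Request (2.9).
    return "EAP-Failure" if (failure["R"] or xp_sp1) else "Failure-Request"

def conversation(succeed_on_attempt, failure, max_retries=2, xp_auth=False, xp_peer=False):
    """Replay an Appendix A exchange (the part after the Challenge) as steps."""
    log, attempt, retries_left = ["peer: Response"], 1, max_retries
    while True:
        if succeed_on_attempt is not None and attempt >= succeed_on_attempt:
            return log + ["auth: Success", "peer: Success", "auth: EAP-Success"]
        if authenticator_reply(failure, retries_left, xp_auth) == "EAP-Failure":
            return log + ["auth: EAP-Failure"]
        log.append("auth: Failure R=%d E=%d" % (failure["R"], failure["E"]))
        retries_left -= 1
        nxt = peer_next_packet(failure, xp_peer)
        if nxt is None:                        # XP SP1 peer drops R=0 (2.9)
            return log + ["peer: (discarded)"]
        log.append("peer: " + nxt)
        if nxt == "Failure":                   # Failure Response ends it
            return log + ["auth: EAP-Failure"]
        attempt += 1
```

   The "(discarded)" outcome is the interoperability gap the draft warns
   about: a non-XP authenticator sending R=0 to an XP SP1 peer gets no
   Failure Response back.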
   A Windows XP SP1 host, on receiving a Failure Request packet with a
   non-retryable error (R=0), will silently discard the packet.

   Since a Windows XP SP1 peer will respond to a retryable (R=1) Failure
   Request by retrying authentication (such as by sending a Response or
   Change-Password packet), and non-retryable (R=0) Failure Requests are
   silently discarded, Windows XP SP1 peers do not send Failure Response
   packets. If a Windows XP SP1 authenticator receives a Failure Response
   packet, it will be silently discarded.

3. Normative references

   [RFC1320]   Rivest, R., "MD4 Message Digest Algorithm", RFC 1320,
               April 1992.

   [RFC1994]   Simpson, W., "PPP Challenge Handshake Authentication
               Protocol (CHAP)", RFC 1994, August 1996.

   [RFC1750]   Eastlake, D., Crocker, S. and J. Schiller, "Randomness
               Recommendations for Security", RFC 1750, December 1994.

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2284]   Blunk, L. and J. Vollbrecht, "PPP Extensible
               Authentication Protocol (EAP)", RFC 2284, March 1998.

   [RFC2433]   Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions",
               RFC 2433, October 1998.

   [RFC2484]   Zorn, G., "PPP LCP Internationalization Configuration
               Option", RFC 2484, January 1999.

   [RFC2759]   Zorn, G., "Microsoft PPP CHAP Extensions, Version 2",
               RFC 2759, January 2000.

   [RC4]       RC4 is a proprietary encryption algorithm available under
               license from RSA Data Security Inc. For licensing
               information, contact: RSA Data Security, Inc., 100 Marine
               Parkway, Redwood City, CA 94065-1031.

   [IEEE8021X] IEEE Standards for Local and Metropolitan Area Networks:
               Port Based Network Access Control, IEEE Std 802.1X-2001,
               June 2001.

   [SHA1]      "Secure Hash Standard", Federal Information Processing
               Standards Publication 180-1, National Institute of
               Standards and Technology, April 1995.

   [UNICODE]   "The Unicode Standard, Version 2.0", The Unicode
               Consortium, Addison-Wesley, 1996. ISBN 0-201-48345-9.

4. Informative references

   [RFC1570]   Simpson, W., Editor, "PPP LCP Extensions", RFC 1570,
               January 1994.

   [RFC1661]   Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
               RFC 1661, July 1994.

   [DES]       "Data Encryption Standard (DES)", Federal Information
               Processing Standard Publication 46-2, National Institute
               of Standards and Technology, December 1993.

   [DESMODES]  "DES Modes of Operation", Federal Information Processing
               Standards Publication 81, National Institute of Standards
               and Technology, December 1980.

   [RFC3079]   Zorn, G., "Deriving Keys for use with Microsoft
               Point-to-Point Encryption (MPPE)", RFC 3079, March 2001.

Appendix A - Examples

   In the case where the EAP-MS-CHAP-V2 authentication is successful,
   the conversation will appear as follows:

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP-MS-CHAP-V2
                                                (Success)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Success) ->
                                             <- EAP-Success

   In the case where the EAP MS-CHAP-V2 authentication is unsuccessful,
   due to a retryable error, the conversation will appear as follows
   (assuming a maximum of two retries):

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP-MS-CHAP-V2
                                                (Failure, R=1)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP-MS-CHAP-V2
                                                (Failure, R=1)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Failure

   In the case where the EAP MS-CHAP-V2 authentication is unsuccessful,
   due to a non-retryable error, the conversation will appear as follows
   (Windows XP SP1):

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Failure

   In the case where the EAP MS-CHAP-V2 authentication is unsuccessful,
   due to a non-retryable error, and a Failure Request packet is sent,
   the conversation will appear as follows (behavior not exhibited by
   Windows XP SP1):

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Failure, R=0)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Failure) ->
                                             <- EAP-Failure

   In the case where the EAP MS-CHAP-V2 authentication is initially
   unsuccessful due to password expiration, but the subsequent Change
   Password operation succeeds, the conversation will appear as follows:

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=MS-CHAP-V2
                                                (Failure, R=1,
                                                Message=ERROR_PASSWD_EXPIRED
                                                (E=648))
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Change-Password) ->
                                             <- EAP-Request/
                                                EAP-Type=MS-CHAP-V2
                                                (Success)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Success) ->
                                             <- EAP-Success

   In the case where the EAP MS-CHAP-V2 authentication is unsuccessful
   due to password failure and a successful retry occurs, the
   conversation appears as follows:

   Peer                                      Authenticator
   ----                                      -------------
                                             <- EAP-Request/Identity
   EAP-Response/Identity (MyID) ->
                                             <- EAP-Request/
                                                EAP-Type=EAP MS-CHAP-V2
                                                (Challenge)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=MS-CHAP-V2
                                                (Failure, R=1,
                                                Message=ERROR_AUTHENTICATION_FAILURE
                                                (E=691))
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Response) ->
                                             <- EAP-Request/
                                                EAP-Type=MS-CHAP-V2
                                                (Success)
   EAP-Response/EAP-Type=EAP-MS-CHAP-V2
   (Success) ->
                                             <- EAP-Success

Acknowledgments

   Thanks to Mark Wodrich and Narendra Gidwani of Microsoft for
   discussions relating to this document.

Authors' Addresses

   Vivek Kamath
   Ashwin Palekar
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   EMail: {vivek, ashwinp}@microsoft.com
   Phone: +1 425 882 8080
   Fax:   +1 425 936 7329

Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English. The limited permissions granted above are perpetual and
   will not be revoked by the Internet Society or its successors or
   assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Expiration Date

   This memo is filed as <draft-kamath-pppext-eap-mschapv2-00.txt>, and
   expires March 19, 2003.