Monday, May 12, 2008
CHAP, SPAP, and PAP authentication methods
CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge/response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to hash the response. CHAP is used by various vendors of network access servers and clients. A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP can be authenticated. Because CHAP requires the server to store the password in a reversibly encrypted form, you should consider using another authentication protocol such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.

Note
• If your password expires, CHAP cannot change passwords during the authentication process.
• You cannot use Microsoft Point-to-Point Encryption (MPPE) with CHAP.

SPAP

The Shiva Password Authentication Protocol (SPAP) is a reversible encryption mechanism employed by Shiva. When a computer running Windows XP Professional connects to a Shiva LAN Rover, it uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

Important
• When you enable SPAP as an authentication protocol, the same user password is always sent in the same reversibly encrypted form. This makes SPAP authentication susceptible to replay attacks, where an attacker captures the packets of the authentication process and replays the responses to gain authenticated access to your intranet. The use of SPAP is discouraged, especially for virtual private network connections.

Note
• If your password expires, SPAP cannot change passwords during the authentication process.
• Make sure your network access server (NAS) supports SPAP before you enable it on a remote access policy on an Internet Authentication Service (IAS) server.
• You cannot use Microsoft Point-to-Point Encryption (MPPE) with SPAP.
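The following is an added example, not code from the original post or from Microsoft. It walks through the CHAP exchange as defined in RFC 1994 (Response = MD5(Identifier || secret || Challenge)) with both the peer and the authenticator side, and it illustrates the two points made above: the authenticator must hold the cleartext (or reversibly encrypted) secret because it has to recompute the same MD5 digest, and a fresh random challenge per session is what defeats replay. For contrast, a constructed deterministic per-password token stands in for SPAP's "same password, same encrypted form" behaviour (it is not Shiva's actual scheme); the shared secret and user name are constructed sample values.

```python
import hashlib
import os
import secrets

# Constructed sample credentials (not from the page).
USER_NAME = "alice"
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, MD5 algorithm: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side of CHAP. It keeps the cleartext secret: a one-way password hash
    would not let it recompute MD5(id || secret || challenge)."""

    def __init__(self, secrets_db: dict):
        self._secrets = secrets_db          # name -> cleartext secret
        self._identifier = 0
        self._outstanding = {}             # identifier -> challenge still awaiting a response

    def challenge(self):
        # New identifier and a fresh random challenge for every attempt.
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)   # each challenge is usable once
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return secrets.compare_digest(response, expected)   # constant-time compare


def run_exchange():
    """Returns (genuine_session_ok, replayed_response_ok)."""
    auth = Authenticator({USER_NAME: SHARED_SECRET})

    # Session 1: the legitimate peer answers the challenge.
    ident, chal = auth.challenge()
    captured = chap_response(ident, SHARED_SECRET, chal)   # what an eavesdropper would see
    first_ok = auth.verify(ident, USER_NAME, captured)

    # Session 2: the server issues a new challenge; the captured response
    # was computed over the old one and no longer matches.
    ident2, _ = auth.challenge()
    replay_ok = auth.verify(ident2, USER_NAME, captured)
    return first_ok, replay_ok


def static_token_replay():
    """Constructed stand-in for a scheme that sends the same transformed password
    every time (the property the page attributes to SPAP). Returns
    (genuine_session_ok, replayed_token_ok)."""
    def transform(secret: bytes) -> bytes:
        # Deterministic and challenge-free; any capture is valid forever.
        return hashlib.sha256(b"static-token:" + secret).digest()

    stored = transform(SHARED_SECRET)
    captured = transform(SHARED_SECRET)          # sent by the real client, seen on the wire
    first_ok = secrets.compare_digest(captured, stored)
    replay_ok = secrets.compare_digest(captured, stored)   # identical bytes still verify
    return first_ok, replay_ok


if __name__ == "__main__":
    print("CHAP   (genuine, replay):", run_exchange())
    print("static (genuine, replay):", static_token_replay())
```

The `Authenticator` deliberately stores the secret in the clear to make the page's point visible in code: CHAP's security rests on the unpredictable challenge, not on how the password is stored on the server, so the server-side credential store becomes the asset to protect.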
PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

To enable PAP-based authentication, you must do the following:
1. Enable PAP as an authentication protocol on the remote access server. PAP is disabled by default.
2. Enable PAP on the appropriate remote access policy. PAP is disabled by default.
3. Enable PAP on the remote access client.

Note
• By disabling PAP on ISA Server, plaintext passwords are never sent by the dial-up client. Disabling support for PAP increases authentication security, but remote VPN clients that only support PAP cannot connect.
• If your password expires, PAP cannot change passwords during the authentication process.
• You cannot use Microsoft Point-to-Point Encryption (MPPE) with PAP.
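To make "plaintext passwords" concrete, here is an added example (not part of the original post) that builds and parses a PAP Authenticate-Request as laid out in RFC 1334 (Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password) and classifies a PPP frame by its protocol field (0xC023 is PAP, 0xC223 is CHAP). The user name and password in the frame are constructed sample values. A defender can use the same parsing to confirm from a capture whether credentials are crossing the link unprotected and to audit that PAP really is disabled.

```python
import struct

PPP_PROTO_PAP = 0xC023
PPP_PROTO_CHAP = 0xC223
PAP_AUTHENTICATE_REQUEST = 1


def build_pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request: the password is carried as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)                       # Length covers the 4-byte header too
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, identifier, length) + body


def parse_pap_request(packet: bytes):
    """Returns (identifier, peer_id, password) or raises ValueError on a malformed packet."""
    if len(packet) < 4:
        raise ValueError("too short for a PAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST:
        raise ValueError("not an Authenticate-Request")
    if length > len(packet):
        raise ValueError("declared length exceeds packet")
    pos = 4
    peer_len = packet[pos]
    pos += 1
    peer_id = packet[pos:pos + peer_len]
    pos += peer_len
    if pos >= length:
        raise ValueError("truncated before Passwd-Length")
    pw_len = packet[pos]
    pos += 1
    password = packet[pos:pos + pw_len]
    if len(peer_id) != peer_len or len(password) != pw_len:
        raise ValueError("truncated Peer-ID or Password field")
    return identifier, peer_id, password


def classify_ppp_frame(frame: bytes) -> str:
    """Label a PPP frame (2-byte protocol field followed by the payload) for audit purposes."""
    if len(frame) < 2:
        return "invalid"
    proto = struct.unpack("!H", frame[:2])[0]
    if proto == PPP_PROTO_PAP:
        return "PAP: credentials in plaintext"
    if proto == PPP_PROTO_CHAP:
        return "CHAP: challenge/response"
    return "other (0x%04X)" % proto


if __name__ == "__main__":
    # Constructed sample frame, as an observer on the link would see it.
    pap = build_pap_request(7, b"alice", b"hunter2")
    frame = struct.pack("!H", PPP_PROTO_PAP) + pap
    print(classify_ppp_frame(frame))
    print(parse_pap_request(frame[2:]))   # the password comes straight back out
```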