Introduction to AAA Server
RADIUS Overview
Chapter 16
which can calculate the correct response. The NAS will then forward
the challenge and the response in the Access-Request, which the
AAA server will use to authenticate the user.
Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP) is an implementation of the CHAP protocol that
Microsoft created to authenticate remote Windows workstations. In
most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing
algorithms used by Windows networks, and the MS-CHAP response
to a challenge is in a format optimized for compatibility with
Windows operating systems.
Extensible Authentication Protocol (EAP). Like CHAP, EAP is a
more secure authentication protocol than PAP for establishing a PPP
connection, and it offers more flexibility to handle authentication
requests with different encryption algorithms. It allows
authentication by encapsulating various types of authentication
exchanges, such as MD5. These EAP messages can be encapsulated
in the packets of other protocols, such as RADIUS, for compatibility
with a wide range of authentication mechanisms. This flexibility also
allows EAP to be implemented in a way (LEAP, for example) that is
more suitable for wireless and mobile environments than other
authentication protocols. EAP allows authentication to take place
directly between the user and the server, without the intervention of
the access device that occurs with CHAP.
NOTE: EAP/TLS and EAP/TTLS functionality is not supported in the
HP-UX AAA Server A.06.00.
RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header
and a set of attribute-value (A-V) pairs, which the server uses
during the AAA transaction. RFC 2865 defines how vendors can extend
the protocol: encapsulation is the RFC-defined way of extending
RADIUS. Conflicts can occur when the RFC is not followed. In those
cases, the server can map the attributes to unique internal
values for processing. For a full description of RADIUS attribute-value
pairs, see the Administrator’s Guide.
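The header-plus-A-V-pair layout and the encapsulation mechanism described above, as an added Python example that is not taken from the HP-UX AAA Server: a parser for the RFC 2865 packet format that unwraps Vendor-Specific (type 26) attributes and keys them by (vendor ID, vendor type) so they cannot collide with standard attribute numbers. The sample packet, vendor ID 99999 and all function names are constructed for illustration, and vendor sub-attributes are assumed to follow the type-length-value layout that RFC 2865 recommends.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that encapsulates vendor extensions

def parse_tlvs(data):
    """Split bytes into (type, value) pairs; the length octet includes the 2-byte header."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        out.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return out

def parse_radius(packet):
    """Parse the 20-byte header, then the A-V pairs, unwrapping Vendor-Specific ones."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > 4096 or not 20 <= length <= len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs = []
    for a_type, value in parse_tlvs(packet[20:length]):  # octets past 'length' are padding
        if a_type != VENDOR_SPECIFIC:
            attrs.append((a_type, value))
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute lacks a vendor ID")
        vendor_id = struct.unpack("!I", value[:4])[0]
        # Key on (vendor_id, vendor_type): vendor type 1 stays distinct from User-Name (1).
        for v_type, v_val in parse_tlvs(value[4:]):
            attrs.append(((vendor_id, v_type), v_val))
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def tlv(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def sample_packet():
    """Constructed Access-Request: User-Name, NAS-Port and one encapsulated vendor attribute."""
    vsa = struct.pack("!I", 99999) + tlv(1, b"demo")  # 99999 is a made-up vendor ID
    body = tlv(1, b"alice") + tlv(5, struct.pack("!I", 3)) + tlv(VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(parse_radius(sample_packet()))
```

Both length checks reject packets whose declared sizes disagree with the bytes actually received, which is where malformed or hostile input to a RADIUS parser tends to show up.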