What is PAP? What is CHAP? What is realm authentication?
Anyone with a computer and a modem can dial into any ISP's modems and negotiate modem protocols to establish a "connection". But ISPs offer services only to paying customers or members, so before they let anyone start a TCP/IP session, they ask each connection to identify itself with a username and password. This process is called authentication. There are three basic methods for logging onto a server: manual or scripted logins, PAP, and CHAP.
Manual and scripted logins are technically the same thing. First, the ISP's POP server (actually a high-density modem card in the modem chassis rack) sends a text login prompt to the user's terminal. The user, or a script running and waiting for the login prompt, sends the username. The modem card responds with a password prompt (before actually checking the validity of the username). The user or script responds with the password, and the modem card takes that information and sends it to the RADIUS server (the ISP's database of usernames and passwords) for checking. If something doesn't match up, the modem card sends "Login failed" to the terminal, uses up one of the allowed attempts, and sends the login prompt again. After three failed attempts, the modem card disconnects the modem. The login prompt looks something like this:
CONNECT 49333/ARQ/V90/LAPM/V42BIS
arc-4b.sea login:
Once the username and password are checked and cleared, the modem card takes an IP address from its available pool, packages it with other info like the modem card's own IP address (for the gateway) and the DNS servers, and sends it down the line to the user's computer to establish a PPP connection.
The exchange of data in manual logins is plain text. For faster authentication (and, with CHAP, a more secure one), most ISPs use Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
PAP works as follows: 1. After the link is established (the LCP negotiation, in which the server asks the client to use PAP), the client sends its username and password to the server bundled in a single PAP Authenticate-Request packet. 2. The server (the modem card in the modem rack) recognizes the packet as a PAP authentication request and passes the credentials to the RADIUS server (the database of usernames and passwords). 3. RADIUS either accepts the request, in which case the modem card sends the client an acknowledgement, or rejects it, in which case the modem card either offers the client another chance or terminates the connection. Passwords are sent as plain text, exactly as in a manual login, so anyone who can listen on the line can read them. The difference between PAP authentication and a manual or scripted login is that PAP is not interactive: the username and password are entered in the client's dialing software and sent as one packet as soon as the modems have established a connection, rather than the server sending a login prompt and waiting for a response.
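The PAP exchange above, as an added example written for this page (it is not code from the original page or from any ISP's equipment): the client builds an Authenticate-Request exactly as RFC 1334 lays it out, and the modem card's side parses it, checks it against a dictionary that stands in for the RADIUS database, and answers with Authenticate-Ack or Authenticate-Nak, hanging up after the third failure. The username "jdoe" and password "s3cret" are constructed sample data. The point to notice is that the password string appears unchanged in the bytes that go down the line.

```python
import hmac
import struct

# PAP (RFC 1334) packet layout: Code(1) Identifier(1) Length(2) Data.
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
MAX_ATTEMPTS = 3   # the modem card hangs up after three failures


def build_pap_request(identifier: int, peer_id: str, password: str) -> bytes:
    """Client side: Peer-ID-Length, Peer-ID, Passwd-Length, Password, all in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    if len(pid) > 255 or len(pw) > 255:
        raise ValueError("PAP fields are limited to 255 bytes")
    data = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(data)) + data


def parse_pap_request(packet: bytes):
    """Server side: pull the username and password back out of an Authenticate-Request."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQ or length != len(packet):
        raise ValueError("malformed PAP Authenticate-Request")
    pos = 4
    pid_len = packet[pos]
    peer_id = packet[pos + 1:pos + 1 + pid_len]
    pos += 1 + pid_len
    pw_len = packet[pos]
    password = packet[pos + 1:pos + 1 + pw_len]
    pos += 1 + pw_len
    if pos != length:
        raise ValueError("PAP length fields do not add up")
    return identifier, peer_id.decode(), password.decode()


def build_pap_result(identifier: int, ok: bool, message: str) -> bytes:
    """Authenticate-Ack or Authenticate-Nak carrying a Msg-Length and Message."""
    msg = message.encode()
    code = PAP_AUTH_ACK if ok else PAP_AUTH_NAK
    return struct.pack("!BBH", code, identifier, 5 + len(msg)) + bytes([len(msg)]) + msg


class PapServer:
    """The modem card's side of PAP; the dict stands in for the RADIUS database."""

    def __init__(self, users: dict):
        self.users = users       # username -> password (constructed sample data)
        self.failures = 0

    def handle(self, packet: bytes):
        """Return (response packet, hang_up) for one Authenticate-Request."""
        identifier, peer_id, password = parse_pap_request(packet)
        stored = self.users.get(peer_id, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures = 0
            return build_pap_result(identifier, True, "Welcome"), False
        self.failures += 1
        return build_pap_result(identifier, False, "Login failed"), self.failures >= MAX_ATTEMPTS


if __name__ == "__main__":
    request = build_pap_request(1, "jdoe", "s3cret")          # constructed sample credentials
    print("password visible on the wire:", b"s3cret" in request)
    response, hang_up = PapServer({"jdoe": "s3cret"}).handle(request)
    print("ack:", response[0] == PAP_AUTH_ACK, "hang up:", hang_up)
```

Run it and the first line prints True: a PAP password is readable by anything that can see the PPP frames, which is exactly why the page calls it plain text.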
CHAP is a more secure procedure for connecting to a system than PAP. Here's how CHAP works: 1. After the link is made, the server sends the client a Challenge packet containing a random value and an identifier. The client computes a one-way hash (MD5 in standard CHAP) over the identifier, its password (the shared secret) and the challenge value, and returns that hash in a Response packet; the password itself never crosses the line. 2. The server checks the Response by computing the same hash from its own copy of the secret and comparing the two values. 3. If the values match, the server sends Success; otherwise it sends Failure and the connection is terminated. At any time after that, the server can send a new challenge to make the connected party prove itself again. Because each challenge is a fresh random value with a new identifier, a captured response cannot be replayed later, and because the server can re-challenge at any time, CHAP provides more security than PAP. Two caveats a practitioner should keep in mind: the server must hold each password in the clear (or in a reversible form) in order to compute the expected hash, and a captured challenge and response pair can still be attacked offline by guessing weak passwords.
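The challenge and response exchange above, as an added example written for this page (not code from the original page or from any ISP's equipment): both sides are implemented per RFC 1994 using MD5, the server keeps each outstanding challenge and accepts exactly one response for it, and the identifier advances with every new challenge. The user "jdoe", the secret "s3cret" and the server name "arc-4b.sea" (borrowed from the login prompt shown earlier) are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# CHAP (RFC 1994) codes. Packet layout: Code(1) Identifier(1) Length(2) Data.
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_value_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge and Response packets carry Value-Size, Value and Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def build_result_packet(code: int, identifier: int, message: bytes) -> bytes:
    """Success and Failure packets carry only a free-text Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_value_packet(packet: bytes):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("malformed CHAP Challenge/Response")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:]
    return code, identifier, value, name


def chap_client_respond(challenge_packet: bytes, username: bytes, secret: bytes) -> bytes:
    """Client side: hash the server's challenge with the secret; the secret stays on the client."""
    code, identifier, challenge, _server_name = parse_value_packet(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    return build_value_packet(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, challenge), username)


class ChapServer:
    """The modem card's side of CHAP. It must hold each user's secret in the clear."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # username -> secret, standing in for the RADIUS database
        self.pending = {}               # identifier -> challenge value still awaiting a response
        self.identifier = 0

    def challenge(self) -> bytes:
        """Issue a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.pending[self.identifier] = value
        return build_value_packet(CHAP_CHALLENGE, self.identifier, value, b"arc-4b.sea")

    def verify(self, response_packet: bytes) -> bytes:
        code, identifier, value, name = parse_value_packet(response_packet)
        challenge = self.pending.pop(identifier, None)   # each challenge is good for one response only
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return build_result_packet(CHAP_FAILURE, identifier, b"Login failed")
        expected = chap_hash(identifier, secret, challenge)
        if hmac.compare_digest(expected, value):
            return build_result_packet(CHAP_SUCCESS, identifier, b"Welcome")
        return build_result_packet(CHAP_FAILURE, identifier, b"Login failed")


if __name__ == "__main__":
    server = ChapServer({b"jdoe": b"s3cret"})                # constructed sample credentials
    challenge = server.challenge()
    response = chap_client_respond(challenge, b"jdoe", b"s3cret")
    print("secret on the wire:", b"s3cret" in response)
    print("first use accepted:", server.verify(response)[0] == CHAP_SUCCESS)
    print("replay accepted:", server.verify(response)[0] == CHAP_SUCCESS)
```

Replaying the same Response packet a second time fails because the server already discarded that challenge, which is the property that separates CHAP from PAP; what the example does not protect against is someone who records the challenge and response and tries candidate passwords against chap_hash offline.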
Some ISPs only accept PAP authentication attempts. Actually, their servers see CHAP attempts but choose to ignore them. The user chooses whether to attempt PAP or CHAP by clearing or checking "Require encrypted password" in the dial-up connection's settings. If this box is checked, the dialing software will offer only CHAP, and the user will not be able to authenticate on our servers.
Realm authentication is just a PAP attempt with the email address as the user ID: user@domain. It's how many ISPs can tell which RADIUS server to send it to when they use third-party networks (like UUNet, Genuity's Dial-linx service, PSInet and others). Without a realm, the third-party network would use its own RADIUS server, because it assumes that you are their customer rather than a customer of the ISP leasing access to that third-party network. In the past, this was a source of much hardship. With a realm, the third-party network can send the auth info directly to the ISP's RADIUS server, or to the auth server of any other ISP that uses that network.
RADIUS, by the way, stands for "Remote Authentication Dial-In User Service". It is a client/server protocol and software that enables remote access servers (such as the modem cards described above) to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics. Created by Livingston (now owned by Lucent), RADIUS is a de facto industry standard used by Ascend and other network product companies and is an IETF standard (RFC 2865).
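The two preceding paragraphs describe what a third-party network's RADIUS server has to do with a realm login: pick the ISP's RADIUS server from the domain part of user@domain, and forward the PAP credentials to it. The added example below (written for this page; not code from the original page, from RADIUS software, or from any of the networks named above) shows both halves of that job. It implements the User-Password hiding from RFC 2865 section 5.2, which is how a PAP password travels between the modem card and RADIUS (MD5 of the shared secret and the Request Authenticator, XORed over the password in 16-byte blocks), and then a proxy step that splits off the realm, chooses the home server, and re-hides the password under that server's secret. The realm table, the server names and the secrets are constructed sample data; a request with no realm is sent to the network's own server, exactly the behaviour the text describes.

```python
import hashlib
import os


def split_realm(user_id: str):
    """'user@domain' -> ('user', 'domain'); a bare username has no realm."""
    if "@" not in user_id:
        return user_id, None
    user, realm = user_id.rsplit("@", 1)
    return user, realm.lower()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad with NULs to a 16-byte multiple, then XOR
    each block with MD5(secret || previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")   # RFC 2865 padding is NUL, so passwords ending in NUL are not representable


# Constructed realm table: realm -> home RADIUS server and the secret shared with it.
REALM_TABLE = {
    "example.net": {"host": "radius.example.net", "secret": b"home-secret"},
}
# The third-party network's own RADIUS server, used when the user ID carries no realm.
LOCAL_SERVER = {"host": "radius.wholesale.example", "secret": b"local-secret"}


def proxy_access_request(user_id: str, hidden_pw: bytes, nas_secret: bytes, request_authenticator: bytes,
                         realm_table=REALM_TABLE, local_server=LOCAL_SERVER, new_authenticator=None):
    """Choose the home server from the realm, then re-hide the password under that server's
    secret and a fresh Request Authenticator. Returns (host, authenticator, hidden password)."""
    _user, realm = split_realm(user_id)
    if realm is None:
        target = local_server            # no realm: treated as the network's own customer
    elif realm in realm_table:
        target = realm_table[realm]
    else:
        raise LookupError(f"unknown realm {realm!r}: answer with Access-Reject")
    password = reveal_password(hidden_pw, nas_secret, request_authenticator)
    new_authenticator = new_authenticator or os.urandom(16)
    return target["host"], new_authenticator, hide_password(password, target["secret"], new_authenticator)


if __name__ == "__main__":
    nas_auth = os.urandom(16)                                  # modem card's Request Authenticator
    from_nas = hide_password(b"s3cret", b"nas-secret", nas_auth)   # constructed sample password
    host, auth, to_home = proxy_access_request("jdoe@example.net", from_nas, b"nas-secret", nas_auth)
    print("forwarded to:", host)
    print("home server recovers:", reveal_password(to_home, b"home-secret", auth))
```

Two things the example makes visible: the hiding is only as strong as the shared secret and the randomness of the authenticator, and every proxy on the path sees the cleartext password, so each hop between networks is a place where it can be recorded.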