RADIUS Server PAP & CHAP Protocols

Upload: blake-price

Post on 22-Dec-2015


RADIUS Server: PAP & CHAP Protocols

Computer Security

In computer security, the AAA protocol commonly stands for authentication, authorization and accounting.

Authentication:

Refers to confirming that a user who is requesting a service is a valid user.

Examples of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

Authorization:

Refers to granting specific types of service (including "no service") to a user, based on their authentication.

Examples of services: IP address filtering, encryption, bandwidth control/traffic management.

Accounting:

Refers to tracking the consumption of network resources by users.

May be used for management, planning, billing, etc.

An AAA server provides all of the above services to its clients.

AAA Protocols

Terminal Access Controller Access Control System (TACACS)

TACACS+

Remote Authentication Dial-In User Service (RADIUS)

Diameter: a planned replacement for RADIUS.

RADIUS Server

The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises, Inc., as an access server authentication and accounting protocol.

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server.

Uses the PAP, CHAP or EAP protocols to authenticate users.

Looks up credentials in a text file, an LDAP server or a database for authentication.

After authentication, service parameters are passed back to the NAS.

RADIUS infrastructure components

Functions

Communication between a network access server (NAS) and a RADIUS server is based on the User Datagram Protocol (UDP).

The RADIUS server handles issues related to server availability, retransmission, and timeouts.

RADIUS is a client/server protocol.

A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
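To make the NAS/server exchange above concrete, here is an added example (not code from the deck, nor from Livingston or Cisco) in Python. It builds a RADIUS Access-Request over the UDP-style packet layout of RFC 2865, carries a PAP username and password with the password hidden against the shared secret as RFC 2865 section 5.2 specifies, and has the server answer with an Access-Accept or Access-Reject whose Response Authenticator the NAS checks before trusting it. The shared secret, user database, identifier and reply text are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (not from the original deck).
SHARED_SECRET = b"example-shared-secret"          # configured on both NAS and RADIUS server
USER_DB = {b"alice": b"correct horse battery"}    # constructed credential store (21 bytes -> two blocks)

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3              # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18   # attribute types


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth   # the first keystream block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, includes the two header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Header is Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_access_request(username, password, ident=7):
    """NAS side: a fresh random Request Authenticator keys the password hiding."""
    req_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet):
    """Server side: recover the password, look it up, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, req_auth)
    stored = USER_DB.get(attrs.get(ATTR_USER_NAME))
    if code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, password):
        code, msg = ACCESS_ACCEPT, b"access granted"
    else:
        code, msg = ACCESS_REJECT, b"access denied"
    body = encode_attrs([(ATTR_REPLY_MESSAGE, msg)])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def nas_verify_response(response, req_auth):
    """NAS side: trust a reply only if its Response Authenticator matches under the shared secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, password):
    """Full round trip: True on Access-Accept, False on Access-Reject."""
    request, req_auth = nas_access_request(username, password)
    response = server_handle(request)
    if not nas_verify_response(response, req_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered reply")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice / correct password:", authenticate(b"alice", b"correct horse battery"))
    print("alice / wrong password:", authenticate(b"alice", b"wrong"))
```

Two things to notice when running it: the User-Password attribute is only obfuscated with an MD5 keystream derived from the shared secret, not encrypted with a modern cipher, which is why RADIUS traffic that crosses an untrusted network is itself wrapped in IPsec or RADIUS over TLS; and a reply whose Response Authenticator does not verify is discarded, which is what stops a forged Access-Accept from a host that does not know the secret.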

Interaction between a user and the RADIUS client and server

Authentication and Authorization

The RADIUS server can support a variety of methods to authenticate a user.

PAP

The Password Authentication Protocol (PAP) provides a simple method for a user to authenticate using a two-way handshake.

PAP is used by the Point-to-Point Protocol (PPP) to validate users before allowing them access to server resources.

PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.

Working of PAP

CHAP

The Challenge-Handshake Authentication Protocol (CHAP) is a more secure procedure for connecting to a system than the Password Authentication Protocol (PAP).

It involves a three-way handshake based on a shared secret. After link establishment, CHAP conducts periodic challenges to make sure that the remote host still has a valid password value.

PAP, by contrast, does nothing further once authentication is established, which leaves the network vulnerable to attack.

Working of CHAP

Advantages

CHAP provides protection against playback (replay) attacks by using a challenge value that is unique and random. Because the challenge is unique and unpredictable, the resulting hash value is also unique and unpredictable, which makes guessing difficult.

The use of repeated, different challenges limits the time of exposure to any single attack.
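The following Python example is added here to show the three-way exchange described under "Working of CHAP" and the replay resistance claimed above; it is not code from the deck or from any vendor. It implements the RFC 1994 response digest, MD5(Identifier || secret || Challenge), runs a complete handshake, shows that a recorded response fails against the next challenge, models the periodic re-challenge, and places PAP's cleartext credential next to it for contrast. The shared secret, identifiers and usernames are constructed values.

```python
import hashlib
import hmac
import os

# Constructed shared secret: configured on both peers, never transmitted.
SECRET = b"s3cret-passw0rd"


def chap_challenge(ident):
    """Step 1 (authenticator -> peer): a fresh random Challenge sent with an Identifier."""
    return ident, os.urandom(16)


def chap_response(ident, challenge, secret):
    """Step 2 (peer -> authenticator): MD5(Identifier || secret || Challenge), per RFC 1994.
    Only this 16-byte digest travels on the wire; the secret stays on the peer."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, challenge, response, secret):
    """Step 3 (authenticator): recompute the digest and compare in constant time (Success/Failure)."""
    return hmac.compare_digest(chap_response(ident, challenge, secret), response)


def run_chap(peer_secret, authenticator_secret=SECRET, ident=1):
    """One complete three-way handshake; True means the peer proved it knows the secret."""
    ident, challenge = chap_challenge(ident)
    response = chap_response(ident, challenge, peer_secret)
    return chap_verify(ident, challenge, response, authenticator_secret)


def pap_on_the_wire(username, password):
    """What PAP's Authenticate-Request carries: the credential itself, readable by any sniffer."""
    return username + b":" + password


def replayed_response_is_rejected(secret=SECRET):
    """A recorded valid response cannot be reused later: the next Identifier and Challenge differ,
    so the digest the authenticator expects is different."""
    ident, challenge = chap_challenge(1)
    recorded = chap_response(ident, challenge, secret)
    ident2, challenge2 = chap_challenge(2)   # fresh challenge for the next round
    return not chap_verify(ident2, challenge2, recorded, secret)


def periodic_rechallenge(peer_secrets_per_round):
    """CHAP re-challenges during the session: one result per round. A peer whose secret no longer
    matches (e.g. after a credential change) fails from that round on, which PAP would never notice."""
    return [run_chap(secret, ident=n + 1) for n, secret in enumerate(peer_secrets_per_round)]


if __name__ == "__main__":
    print("CHAP, correct secret:", run_chap(SECRET))
    print("CHAP, wrong secret:", run_chap(b"wrong"))
    print("replayed response rejected:", replayed_response_is_rejected())
    print("PAP wire bytes:", pap_on_the_wire(b"alice", SECRET))
    print("re-challenge rounds:", periodic_rechallenge([SECRET, SECRET, b"stale"]))
```

The constant-time comparison in chap_verify is a detail the deck does not mention but that any real authenticator needs, since a byte-by-byte early-exit compare would leak how much of a guessed digest was right.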

PAP vs CHAP

PAP is in clear text. It mostly amounts to providing a password for an account. The password goes across the wire, so it is vulnerable to sniffing: whoever is listening would learn the password.

CHAP, on the other hand, issues a challenge. The password never actually crosses the wire; instead a question is asked.

Let's say I know your age. I would ask you to add 5 to it, multiply by 17 and divide by 9 and other tasks. If you give me the right result, you would have answered the challenge correctly and therefore have access. Whoever would listen to our conversation would never know what your age actually is if the challenge changes every time.


Thank You..
