CompTIA Network + Exam Training:

Intro To CHAP, PAP, MS-CHAP, TACACS, And RADIUS

By Chris Bryant, CCIE #12933

In this CompTIA Network + Exam tutorial, you'll be introduced to CHAP, PAP, and MS-CHAP. You'll also get a brief but important introduction to AAA, TACACS, and RADIUS.

PAP, CHAP, and MS-CHAP are all authentication protocols that run over the Point-to-Point Protocol (PPP).  The Password Authentication Protocol (PAP) has a major security issue: the password is sent over the connection in clear text, so anyone who intercepts the packet can read it directly.

The Challenge Handshake Authentication Protocol (CHAP) prevents this by picking a random number (the "challenge") and running a hash algorithm over the password together with that challenge.  Only the random number and the result of the hash cross the link, so the password itself is never exposed.  If someone with a network sniffer managed to pick a packet off the cable between the endpoints, the only thing they'd be able to see is an unrecognizable and undecipherable bunch of numbers, letters, and symbols.

Password before hashing: "password"

Password after hashing: "y7riu3i&32"

The hash result shown there is only an illustration of what a hash looks like, not an actual hash value.  Hashing a password makes it virtually impossible to recover the original password from what is sent.

In our discussion of TCP, you learned that TCP uses a three-way handshake.  The "handshake" in CHAP is also a three-way handshake, but the "challenge" part makes this process just a bit different.  Let's walk through a sample CHAP process.

A client wants to connect to a server, so the client sends a logon request.  Instead of just saying "okay", the server responds with a challenge.

[Figure: CHAP Challenge]

The client now runs the hash algorithm over the challenge value together with its password, and sends the result of that hash back to the server.

[Figure: Answer To Challenge]

The server takes that response value and compares it against its own hash calculation over the same challenge and the password it has stored for that client.  If the values match, the client is authenticated.  If the values do not match, the client's authentication attempt is denied.
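The three-way exchange above, played out in code. This is an added example, not code from the tutorial or from any vendor implementation; it follows the response calculation from RFC 1994 (MD5 over the packet Identifier, the shared secret, and the challenge value) and the CHAP packet codes defined there. The peer name, the shared secret, and the PAP password are constructed sample values. The `pap_on_wire` helper is included only to contrast what a sniffer captures under PAP with what it captures under CHAP.

```python
import hashlib
import hmac
import os

# CHAP packet codes from RFC 1994.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value per RFC 1994: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The 'server' side: issues one random challenge per identifier and checks the reply."""

    def __init__(self, secrets: dict):
        self._secrets = secrets   # peer name -> shared secret (never sent on the wire)
        self._pending = {}        # identifier -> outstanding challenge

    def challenge(self, identifier: int, rng=os.urandom) -> bytes:
        value = rng(16)           # fresh, unpredictable challenge each time
        self._pending[identifier] = value
        return value

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # a challenge is usable once
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)    # constant-time comparison


def pap_on_wire(name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request body: peer id and password, both in clear text."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def chap_exchange(server: ChapAuthenticator, name: bytes, secret: bytes, identifier: int):
    """Play both ends of the three-way CHAP exchange.
    Returns (authenticated, bytes a sniffer on the link would capture)."""
    wire = bytearray()
    # 1. Challenge (server -> client): code, identifier, value-size, challenge value
    challenge = server.challenge(identifier)
    wire += bytes([CHALLENGE, identifier, len(challenge)]) + challenge
    # 2. Response (client -> server): code, identifier, value-size, hash, client name.
    #    The client hashes its secret locally; the secret itself never leaves the client.
    response = chap_response(identifier, secret, challenge)
    wire += bytes([RESPONSE, identifier, len(response)]) + response + name
    # 3. Success or Failure (server -> client)
    ok = server.verify(identifier, name, response)
    wire += bytes([SUCCESS if ok else FAILURE, identifier])
    return ok, bytes(wire)


if __name__ == "__main__":
    # Constructed sample: a peer named "router1" sharing a secret with the server.
    server = ChapAuthenticator({b"router1": b"Sup3rS3cret-PPP"})
    ok, captured = chap_exchange(server, b"router1", b"Sup3rS3cret-PPP", identifier=7)
    print("CHAP authenticated:", ok)
    print("CHAP secret visible on wire:", b"Sup3rS3cret-PPP" in captured)
    print("PAP password visible on wire:", b"hunter2" in pap_on_wire(b"router1", b"hunter2"))
```

Two details worth noticing: the server discards each challenge after one use, so a captured response cannot simply be replayed later, and the comparison uses `hmac.compare_digest` so a mismatch is not revealed byte by byte through timing.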

As you progress in your career and your studies, you'll find that companies such as Microsoft and Cisco occasionally like to make their own versions of popular services and protocols.  Microsoft did just that with MS-CHAP, and I'm sure I don't have to tell you what the MS stands for!

MS-CHAP is available in two versions, Version 1 and Version 2.  Version 1 is scheduled to be eliminated in Microsoft Vista.  Some key details about MS-CHAP:

  • The two versions are incompatible.
  • MS-CHAP version 2 requires mutual authentication, where each device authenticates the other.  Version 1 does not offer mutual authentication.

RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access Control System) are both AAA protocols, bringing Authentication, Authorization, and Accounting to networks.  Before we examine RADIUS and TACACS, let's define each of the "three As".

Authentication simply asks the question, "Should I let you into the network in the first place?"  

[Figure: AAA Authentication]

Authorization is the process of denying or permitting a client permission to do something on the network, such as accessing a file.

[Figure: AAA Authorization]

Accounting is the process of tracking a user's time, possibly for internal billing purposes.  For example, if a user from the Security department is accessing servers or bandwidth allocated to the Accounting department, the Security user's activities could be tracked to allow the Accounting department to bill the Security department for the time that user was using the Accounting department's resources.

[Figure: AAA Accounting]

TACACS is rarely if ever seen anymore - it's been replaced largely by RADIUS and TACACS+.  TACACS+ is not compatible with TACACS.

There are some key differences between TACACS+ and RADIUS:

  • RADIUS runs on UDP, TACACS+ on TCP, giving TACACS+ the benefit of TCP's guaranteed delivery.
  • In the initial access-request packet, RADIUS encrypts only the password while TACACS+ encrypts all contents of the packet.
  • RADIUS combines the authentication and authorization features of AAA, making it difficult if not impossible to run one without running the other.  TACACS+ does not combine authentication and authorization.
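The second bullet above, shown concretely. This is an added example and not code from the tutorial or from any RADIUS or TACACS+ implementation; it builds a minimal RADIUS Access-Request using the User-Password hiding from RFC 2865 section 5.2 (MD5 of the shared secret and the previous block, XORed over the padded password), and applies the TACACS+ body obfuscation from RFC 8907 section 4.5 (XOR with an MD5 pseudo-pad derived from session id, key, version and sequence number). The usernames, passwords, keys, session id and authenticator are constructed sample values, and the TACACS+ "body" is just illustrative bytes rather than a fully formed packet.

```python
import hashlib
import struct

# RADIUS code and attribute types used below (RFC 2865).
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(shared_secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then XOR
    each block with MD5(secret || previous block); for the first block the 'previous block'
    is the 16-byte Request Authenticator from the packet header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(shared_secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the RADIUS server does on receipt (inverse of radius_hide_password)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip the NUL padding


def radius_access_request(identifier: int, authenticator: bytes, username: bytes,
                          password: bytes, shared_secret: bytes) -> bytes:
    """Minimal Access-Request: 20-byte header (code, identifier, length, authenticator) followed
    by User-Name and User-Password attributes (type, length incl. header, value).
    Only the User-Password value is hidden; everything else is sent as-is."""
    hidden = radius_hide_password(shared_secret, authenticator, password)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id || key || version || seq_no),
    MD5_n = MD5(session_id || key || version || seq_no || MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the entire packet body with the pseudo-pad. XOR is its own inverse, so the same
    call with the same parameters recovers the original body."""
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


if __name__ == "__main__":
    # Constructed sample values (not real credentials).
    secret, auth = b"radius-shared-key", bytes(range(16))
    pkt = radius_access_request(0x2A, auth, b"alice", b"hunter2", secret)
    print("RADIUS: username readable on wire:", b"alice" in pkt,
          "| password readable on wire:", b"hunter2" in pkt)
    body = b"user=alice pass=hunter2"   # illustrative body bytes only
    obf = tacacs_obfuscate(0xDEADBEEF, b"tacacs-key", 0xC0, 1, body)
    print("TACACS+: username readable on wire:", b"alice" in obf)
```

Note that neither scheme is encryption in the modern sense: both are MD5-based obfuscation keyed by a shared secret, which is why RADIUS is normally protected by IPsec or carried over TLS (RadSec, RFC 6614) on untrusted networks, and why the TACACS+ specification in RFC 8907 recommends running it over a secured transport. The practical difference the bullet describes still holds: with RADIUS the User-Name attribute is readable in the captured packet, while with TACACS+ the whole body is obscured.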

There's a lot more to AAA, RADIUS, and TACACS+ than you see here. These are all very important security protocols in today's networks, so once you earn your Network + certification, I recommend you learn more about these protocols. Best of luck in your studies!
