Re: How does IAS authenticate using Active Directory
From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/24/04
- Previous message: Sam Salhi [MSFT]: "Re: IAS, Cisco AP's and VLAN'S"
- In reply to: Andrew: "Re: How does IAS authenticate using Active Directory"
- Next in thread: Andrew: "Re: How does IAS authenticate using Active Directory"
- Reply: Andrew: "Re: How does IAS authenticate using Active Directory"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 24 Nov 2004 09:22:39 -0800
It's well documented how the password is transmitted. Once IAS gets that, it
uses that password to authenticate the users.
From RFC 2865:
For CHAP, the NAS generates a random challenge (preferably 16 octets)
and sends it to the user, who returns a CHAP response along with a
CHAP ID and CHAP username. The NAS then sends an Access-Request
packet to the RADIUS server with the CHAP username as the User-Name
and with the CHAP ID and CHAP response as the CHAP-Password
(Attribute 3). The random challenge can either be included in the
CHAP-Challenge attribute or, if it is 16 octets long, it can be
placed in the Request Authenticator field of the Access-Request
packet. The NAS MAY include the Attributes Service-Type = Framed-User
and Framed-Protocol = PPP as a hint to the RADIUS server that
PPP service is expected.
The RADIUS server looks up a password based on the User-Name,
encrypts the challenge using MD5 on the CHAP ID octet, that password,
and the CHAP challenge (from the CHAP-Challenge attribute if present,
otherwise from the Request Authenticator), and compares that result
to the CHAP-Password. If they match, the server sends back an
Access-Accept, otherwise it sends back an Access-Reject.
In other words, the RADIUS server MUST have the password at hand to
authenticate the user, in both cases.
(In PAP, RADIUS has the actual password; in CHAP, RADIUS uses the hash,
which it compares with the hash it knows.)
--
=============================================
This posting is provided "AS IS" with no warranties, and confers no rights
Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and
troubleshooting RADIUS using IAS"
This chat will help you resolve all of your RADIUS/IAS issues. You can ask
about RADIUS, IAS, 802.1x, Active directory configuration and Certificate
services, related to IAS and RADIUS
Follow this link to join the chat
http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
=============================================
"Andrew" <abartlem@vasco.com> wrote in message
news:774cf399.0411231303.22e219a8@posting.google.com...
> So how does IAS verify PAP and CHAP?
>
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:<u3MSNhT0EHA.3972@TK2MSFTNGP12.phx.gbl>...
>> IAS doesn't directly need the password (with the exception being PAP and
>> CHAP) to validate the password.
>> The way it's done in MS-CHAP:
>> MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP
>> option 3, Authentication Protocol.
>>
>> * MS-CHAP-V2 provides mutual authentication between peers by
>> piggybacking a peer challenge on the Response packet and an
>> authenticator response on the Success packet.
>>
>> * The calculation of the "Windows NT compatible challenge response"
>> sub-field in the Response packet has been changed to include the
>> peer challenge and the user name.
>>
>> * In MS-CHAP-V1, the "LAN Manager compatible challenge response"
>> sub-field was always sent in the Response packet. This field has
>> been replaced in MS-CHAP-V2 by the Peer-Challenge field.
>>
>> "Andrew" <abartlem@vasco.com> wrote in message
>> news:774cf399.0411222237.10475cf9@posting.google.com...
>> > I think I am confused. I thought that you needed the password (or
>> > hash) to validate the RADIUS request, i.e. MS-CHAP is a one-way hash.
>> >
>> > If IAS does not have the user's password, how does IAS verify the
>> > RADIUS request? (i.e., what function would it use?)
>> >
>> >
>> >
>> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> > news:<OsISNyL0EHA.2600@TK2MSFTNGP09.phx.gbl>...
>> >> IAS gets it from the access request, munged with some other stuff. IAS
>> >> will decrypt it and use it.
>> >>
>> >>
>> >> "Andrew" <abartlem@vasco.com> wrote in message
>> >> news:774cf399.0411211708.5430fa9f@posting.google.com...
>> >> > Okay,
>> >> > but where/how does IAS get the user's password hash?
>> >> >
>> >> > Andrew
>> >> >
>> >> >
>> >> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> >> > news:<#HoYWwhzEHA.3408@tk2msftngp13.phx.gbl>...
>> >> >> With the exception of PAP, IAS doesn't know the password, or gets
>> >> >> the password back from AD.
>> >> >> It's normally the hash of the password.
>> >> >>
>> >> >>
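The server-side CHAP check described in the RFC 2865 text quoted above (MD5 over the CHAP ID, the looked-up password and the challenge, with the challenge taken from CHAP-Challenge or else from the 16-octet Request Authenticator), written out as an added example that is not part of the original thread. The user store, the `verify_chap_password` and `nas_build_chap_password` helpers, and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed user store: the RFC text has the RADIUS server "look up a
# password based on the User-Name" and feed that password into MD5.
USER_STORE = {"andrew": b"constructed-example-secret"}


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response as RFC 2865 describes it: MD5(CHAP ID || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def nas_build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value the NAS places in CHAP-Password (Attribute 3): CHAP ID octet + 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap_password(user_name: str, chap_password_attr: bytes,
                         chap_challenge_attr, request_authenticator: bytes,
                         user_store=USER_STORE) -> str:
    """Decide Access-Accept / Access-Reject for a CHAP Access-Request.

    chap_challenge_attr is the CHAP-Challenge attribute value, or None when
    the NAS carried the challenge in the Request Authenticator instead.
    """
    # Attribute 3 is exactly one CHAP ID octet followed by a 16-octet MD5 digest.
    if len(chap_password_attr) != 17:
        return "Access-Reject"
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]

    # Challenge comes from CHAP-Challenge if present, else from the
    # Request Authenticator, which must then be the full 16 octets.
    if chap_challenge_attr is not None:
        challenge = chap_challenge_attr
    elif len(request_authenticator) == 16:
        challenge = request_authenticator
    else:
        return "Access-Reject"

    password = user_store.get(user_name)
    if password is None:
        return "Access-Reject"  # unknown user: same answer as a bad response

    expected = chap_response(chap_id, password, challenge)
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    if hmac.compare_digest(expected, response):
        return "Access-Accept"
    return "Access-Reject"
```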