What are the differences between Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)? Why is CHAP unable to be used with the NT database?
A. PAP sends passwords in the clear between the user and the TACACS+ or RADIUS client or device. If the password is correct, the authentication is acknowledged. Otherwise, the connection is terminated.

CHAP sends a challenge message to the remote user. The remote user responds with a value calculated with a one-way hash function. The client or device checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated. Passwords are not sent in the clear.

CHAP cannot be used with the NT database because of the CHAP RFC (1994) requirement. It states: “CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.” This generally precludes the use of the NT database for CHAP, with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) as an option. Microsoft offers a hotfix that can pro
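The plaintext-secret requirement quoted above can be seen by running the CHAP check against two kinds of password store. This is an added example, not code from the original answer; it assumes the MD5 response defined in RFC 1994, uses SHA-256 as a stand-in for any irreversibly hashed database, and the user name and password are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier octet || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_with_plaintext_store(store, user, identifier, challenge, response):
    """Authenticator that holds the secret itself, as CHAP requires."""
    secret = store.get(user)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hashed_store(store, user, identifier, challenge, response):
    """Authenticator that holds only a one-way digest of the password.
    It cannot recover the secret, so the only input it can hash is the
    stored digest, which is not what the peer hashed."""
    stored_digest = store.get(user)
    if stored_digest is None:
        return False
    expected = chap_response(identifier, stored_digest, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"correct horse"                      # constructed sample secret
    plaintext_store = {"alice": password}
    hashed_store = {"alice": hashlib.sha256(password).digest()}  # stand-in
    identifier, challenge = 7, os.urandom(16)        # fresh challenge per attempt
    good = chap_response(identifier, password, challenge)   # peer side
    bad = chap_response(identifier, b"guess", challenge)
    return {
        "plaintext_accepts_good": verify_with_plaintext_store(
            plaintext_store, "alice", identifier, challenge, good),
        "plaintext_rejects_bad": not verify_with_plaintext_store(
            plaintext_store, "alice", identifier, challenge, bad),
        "hashed_accepts_good": verify_with_hashed_store(
            hashed_store, "alice", identifier, challenge, good),
    }


if __name__ == "__main__":
    print(demo())
```

The hashed store rejects even the correct user, which is the situation the RFC text describes for irreversibly encrypted password databases.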