Microsoft Vendor-specific RADIUS Attributes






RFC 2548      Microsoft Vendor-specific RADIUS Attributes     March 1999


2.1.  Attributes for Support of MS-CHAP Version 1

2.1.1.  Introduction

   Microsoft created Microsoft Challenge-Handshake Authentication
   Protocol (MS-CHAP) [4] to authenticate remote Windows workstations,
   providing the functionality to which LAN-based users are accustomed.
   Where possible, MS-CHAP is consistent with standard CHAP [5], and the
   differences are easily modularized.  Briefly, the differences between
   MS-CHAP and standard CHAP are:

      * MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP
        option 3, Authentication Protocol.

      * The MS-CHAP Response packet is in a format designed for
        compatibility with Microsoft Windows NT 3.5, 3.51 and 4.0,
        Microsoft Windows95, and Microsoft LAN Manager 2.x networking
        products.  The MS-CHAP format does not require the authenticator
        to store a clear-text or reversibly encrypted password.

      * MS-CHAP provides an authenticator-controlled authentication
        retry mechanism.

      * MS-CHAP provides an authenticator-controlled password changing
        mechanism.

      * MS-CHAP defines an extended set of reason-for-failure codes,
        returned in the Failure packet Message field.

   The attributes defined in this section reflect these differences.

2.1.2.  MS-CHAP-Challenge

   Description

      This Attribute contains the challenge sent by a NAS to a Microsoft
      Challenge-Handshake Authentication Protocol (MS-CHAP) user.  It
      MAY be used in both Access-Request and Access-Challenge packets.

   A summary of the MS-CHAP-Challenge Attribute format is shown below.
   The fields are transmitted from left to right.
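
   An added example, not part of the RFC text: a bounds-checked Python
   extractor for this attribute, accepting it only in the two packet
   types named above. It assumes the standard RADIUS Vendor-Specific
   encoding (attribute type 26, Microsoft Vendor-Id 311, Vendor-Type 11),
   which this excerpt does not show; the function names and the sample
   packet are constructed for illustration.

```python
import struct
from typing import Optional

VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (assumed, RFC 2865)
MS_VENDOR_ID = 311       # Microsoft enterprise number (assumed, not in this excerpt)
MS_CHAP_CHALLENGE = 11   # Vendor-Type for MS-CHAP-Challenge (assumed, not in this excerpt)
ALLOWED_CODES = {1, 11}  # Access-Request and Access-Challenge packet codes


def extract_ms_chap_challenge(packet: bytes) -> Optional[bytes]:
    """Return the MS-CHAP-Challenge string, or None if absent or not permitted."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field disagrees with data received")
    if code not in ALLOWED_CODES:
        return None  # attribute is only defined for the two codes above
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue
        sub, i = value[4:], 0  # walk the vendor sub-attributes
        while i + 2 <= len(sub):
            v_type, v_len = sub[i], sub[i + 1]
            if v_len < 2 or i + v_len > len(sub):
                raise ValueError("Vendor-Length out of bounds")
            if v_type == MS_CHAP_CHALLENGE:
                return sub[i + 2:i + v_len]
            i += v_len
    return None


def build_sample(code: int = 1, challenge: bytes = bytes(range(8))) -> bytes:
    """Constructed packet: zeroed authenticator, User-Name 'bob', one Microsoft VSA."""
    sub = bytes([MS_CHAP_CHALLENGE, 2 + len(challenge)]) + challenge
    vsa = struct.pack("!I", MS_VENDOR_ID) + sub
    attrs = b"\x01\x05bob" + bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16)
    return header + attrs
```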










Zorn                         Informational