RFC 2759 (rfc2759) - Page 3 of 20
Microsoft PPP CHAP Extensions, Version 2
RFC 2759 Microsoft MS-CHAP-V2 January 2000
1. Introduction
Where possible, MS-CHAP-V2 is consistent with both MS-CHAP-V1 and
standard CHAP. Briefly, the differences between MS-CHAP-V2 and MS-
CHAP-V1 are:
* MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP
option 3, Authentication Protocol.
* MS-CHAP-V2 provides mutual authentication between peers by
piggybacking a peer challenge on the Response packet and an
authenticator response on the Success packet.
* The calculation of the "Windows NT compatible challenge response"
sub-field in the Response packet has been changed to include the
peer challenge and the user name.
* In MS-CHAP-V1, the "LAN Manager compatible challenge response"
sub-field was always sent in the Response packet. This field has
been replaced in MS-CHAP-V2 by the Peer-Challenge field.
* The format of the Message field in the Failure packet has been
changed.
* The Change Password (version 1) and Change Password (version 2)
packets are no longer supported. They have been replaced with a
single Change-Password packet.
2. LCP Configuration
The LCP configuration for MS-CHAP-V2 is identical to that for
standard CHAP, except that the Algorithm field has value 0x81, rather
than the MD5 value 0x05. PPP implementations which do not support
MS-CHAP-V2, but correctly implement LCP Config-Rej, should have no
problem dealing with this non-standard option.
3. Challenge Packet
The MS-CHAP-V2 Challenge packet is identical in format to the
standard CHAP Challenge packet.
MS-CHAP-V2 authenticators send a 16-octet challenge Value field.
Peers need not duplicate Microsoft's algorithm for selecting the 16-
octet value, but the standard guidelines on randomness [1,2,7] SHOULD
be observed.
Microsoft authenticators do not currently provide information in the
Name field. This may change in the future.
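The following Python code is an added example, not part of the RFC text. It decodes the LCP option 3 described in section 2 and builds and validates the 16-octet Challenge of section 3. The function names are illustrative; the CHAP protocol number 0xC223, the Challenge Code 1 and the Code/Identifier/Length/Value-Size/Value/Name layout are taken from standard CHAP (RFC 1994), which this text references but does not reproduce.

```python
import secrets
import struct

PPP_CHAP = 0xC223          # PPP protocol number for CHAP (RFC 1994)
ALGORITHMS = {0x05: "CHAP-MD5", 0x81: "MS-CHAP-V2"}  # values named in section 2
CHAP_CHALLENGE = 1         # CHAP Code for a Challenge packet (RFC 1994)
CHALLENGE_LEN = 16         # MS-CHAP-V2 challenge Value size (section 3)


def parse_auth_option(opt: bytes) -> str:
    """Decode one LCP option 3 (Authentication-Protocol) and name the CHAP algorithm."""
    if len(opt) < 4 or opt[0] != 3 or opt[1] != len(opt):
        raise ValueError("not a well-formed LCP option 3")
    (proto,) = struct.unpack("!H", opt[2:4])
    if proto != PPP_CHAP:
        raise ValueError(f"authentication protocol 0x{proto:04x} is not CHAP")
    if len(opt) != 5:
        raise ValueError("CHAP form of option 3 carries exactly one Algorithm octet")
    return ALGORITHMS.get(opt[4], f"unknown (0x{opt[4]:02x})")


def build_challenge(identifier: int, name: bytes = b"") -> bytes:
    """Build an MS-CHAP-V2 Challenge; Name defaults to empty, as section 3 describes."""
    value = secrets.token_bytes(CHALLENGE_LEN)  # CSPRNG, per the randomness guidance
    body = bytes([CHALLENGE_LEN]) + value + name
    return struct.pack("!BBH", CHAP_CHALLENGE, identifier, 4 + len(body)) + body


def parse_challenge(pkt: bytes) -> tuple:
    """Return (identifier, value, name); reject anything but a 16-octet challenge."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != CHAP_CHALLENGE:
        raise ValueError("not a Challenge packet")
    if length < 5 or length > len(pkt):
        raise ValueError("Length field disagrees with the received data")
    value_size = pkt[4]
    if value_size != CHALLENGE_LEN or 5 + value_size > length:
        raise ValueError("MS-CHAP-V2 requires a 16-octet Value")
    # Octets beyond Length are link-layer padding and are ignored.
    return identifier, pkt[5:5 + value_size], pkt[5 + value_size:length]
```
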
Zorn Informational