Challenge Handshake Authentication Protocol (CHAP)

Questions and Answers

A RADIUS server sends an Access Reject message if a user's credentials are not valid.

True

Access Challenge is a message sent from a RADIUS server to a RADIUS client if the server requires additional information from a user.

True

Access Accept is sent from a RADIUS server to a client if a user's credentials are invalid.

False

TACACS+ is an open-source networking protocol developed by CISCO.

False

TACACS+ combines authentication, authorization, and accounting services into one.

False

RADIUS encrypts the entire content of each AAA packet.

False

TACACS+ can be used to authenticate only users, not devices.

False

TACACS+ uses TCP port 49 for communication.

True

A TACACS+ server contains authentication information only for users, not devices.

False

A TACACS+ client can be a Network Access Server (NAS).

True

Study Notes

Authentication Protocols

  • CHAP is an authentication protocol that uses a shared secret to authenticate a client to a server over a point-to-point connection.
  • CHAP periodically re-authenticates a client during a communication session.
  • CHAP uses a three-way handshake protocol involving a server, client, and shared secret.

CHAP Process

  • A server sends a randomly generated challenge string to a client.
  • The client combines the server's challenge string with a secret shared with the server.
  • The client computes the hash value of the combined string and sends the hash value to the server.
  • The server compares the hash value received from the client with the server's own calculated hash value.

Kerberos

  • Kerberos is an authentication protocol that uses a ticket-based mechanism to authenticate a user and enable access to a network service.
  • Kerberos uses UDP port 88 by default.
  • Kerberos is the default authentication protocol in Windows Server 2019.
  • A Kerberos realm is a network that uses Kerberos authentication.
  • Kerberos authentication involves three entities: Server, Client, and Key Distribution Center (KDC).

EAP (Extensible Authentication Protocol)

  • EAP supports multiple authentication methods, including certificate-based, password-based, and multi-factor authentication.
  • EAP defines the format of authentication messages.
  • Four EAP message types exist: EAP Request, EAP Response, EAP Success, and EAP Failure.

EAP Authentication Methods

  • EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) uses TLS and certificates for mutual authentication.
  • EAP-TLS requires both a server and a client certificate.
  • EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) uses a Protected Access Credential (PAC) to establish a TLS tunnel.

RADIUS (Remote Authentication Dial-In User Service)

  • A RADIUS server validates a user's credentials using an authentication protocol such as CHAP.
  • RADIUS server responses: Access Reject, Access Challenge, and Access Accept.
  • If a user is successfully authenticated, the RADIUS server grants access to authorized network resources.

TACACS+ (Terminal Access Controller Access-Control System Plus)

  • TACACS+ is a proprietary networking protocol developed by CISCO for centralized Authentication, Authorization, and Accounting (AAA) services.
  • TACACS+ separates authentication, authorization, and accounting services.
  • TACACS+ can be used to authenticate a user or a device.
  • TACACS+ uses TCP port 49.
  • Unlike RADIUS, TACACS+ encrypts the entire content of each AAA packet.

Description

Learn about the Challenge Handshake Authentication Protocol (CHAP) which uses a shared secret to authenticate clients to servers over point-to-point connections. Understand how CHAP periodically re-authenticates clients and employs a three-way handshake protocol.
