CompTIA Network + Exam Training:
Intro To CHAP, PAP, MS-CHAP, TACACS, And RADIUS
By Chris Bryant, CCIE #12933
In this CompTIA Network + Exam tutorial, you'll be introduced to CHAP, PAP, and MS-CHAP. You'll also get a brief but important introduction to AAA, TACACS, and RADIUS.
All three of these are security protocols that run over the Point-to-Point Protocol (PPP). The Password Authentication Protocol (PAP) has a major security issue in that the password is sent over the connection in clear text, making it easy to read if a packet is successfully intercepted.
The Challenge Handshake Authentication Protocol (CHAP) prevents this by choosing a random number to run a hash algorithm against the password. The random number and the result of that hash are then sent to the remote router, so the password itself is never exposed. If someone with a network sniffer managed to pick a packet off the cable between the endpoints, the only thing they'd be able to see is an unrecognizable and undecipherable bunch of numbers, letters, and symbols.
Password before hashing: "password"
Password after hashing: "y7riu3i&32"
The hash result shown there is a possible result, not the result. Hashing a password makes it virtually impossible to decipher.
In our discussion of TCP, you learned that TCP uses a three-way handshake. The "handshake" in CHAP is also a three-way handshake, but the "challenge" part makes this process just a bit different. Let's walk through a sample CHAP process.
A client wants to connect to a server, so the client sends a logon request. Instead of just saying "okay", the server will respond with a challenge.

The client will now run an algorithm against the challenge value, and sends the result of that hash back to the server.

The server will take that response value and match it against its own hash calculation. If the values match, the client will be authenticated. If the values do not match, the client's authentication attempt is denied.
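The PAP weakness described earlier and the three-step CHAP exchange just walked through, modelled as an added example (this is not code from the article or from any vendor's implementation). It simulates both sides of each exchange in Python and records the frames a sniffer on the cable would see, so you can confirm that the CHAP response is only a hash and the secret itself never crosses the link. The username, secret and challenge values are constructed for illustration; the CHAP hash follows the RFC 1994 formula MD5(identifier || secret || challenge), which the article does not spell out.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the article).
USERNAME = "router1"
SECRET = "password"


def pap_exchange(username: str, password: str, user_db: dict) -> tuple:
    """PAP (RFC 1334): the client sends its credentials as plain text.
    Returns (authenticated, frames), where frames is what a sniffer would see."""
    frames = [("client->server",
               f"Authenticate-Request {username}:{password}".encode())]
    stored = user_db.get(username, "").encode()
    ok = hmac.compare_digest(password.encode(), stored)
    frames.append(("server->client", b"Authenticate-Ack" if ok else b"Authenticate-Nak"))
    return ok, frames


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_exchange(username: str, client_secret: str, user_db: dict,
                  challenge: bytes = None, identifier: int = 1) -> tuple:
    """Three-way CHAP: challenge, response, success/failure.
    A challenge may be supplied for repeatable tests; otherwise it is random."""
    if challenge is None:
        challenge = os.urandom(16)  # step 1: server picks a random challenge value
    frames = [("server->client", b"Challenge " + challenge.hex().encode())]

    # step 2: client hashes the challenge with its secret; the secret itself never leaves the client
    response = chap_hash(identifier, client_secret, challenge)
    frames.append(("client->server",
                   f"Response {username} ".encode() + response.hex().encode()))

    # step 3: server recomputes the hash with the secret on file and compares in constant time
    expected = chap_hash(identifier, user_db.get(username, ""), challenge)
    ok = hmac.compare_digest(expected, response)
    frames.append(("server->client", b"Success" if ok else b"Failure"))
    return ok, frames


def secret_visible_on_wire(frames: list, secret: str) -> bool:
    """The sniffer's view: does the secret appear in any captured frame?"""
    return any(secret.encode() in payload for _, payload in frames)


if __name__ == "__main__":
    db = {USERNAME: SECRET}
    ok, frames = pap_exchange(USERNAME, SECRET, db)
    print("PAP authenticated:", ok, "| secret on wire:", secret_visible_on_wire(frames, SECRET))
    ok, frames = chap_exchange(USERNAME, SECRET, db)
    print("CHAP authenticated:", ok, "| secret on wire:", secret_visible_on_wire(frames, SECRET))
    ok, _ = chap_exchange(USERNAME, "wrong", db)
    print("CHAP with wrong secret:", ok)
```

Running the script shows PAP authenticating with the password readable in the first frame, while CHAP authenticates with nothing but a hex challenge and a hex hash on the wire, and a client holding the wrong secret is refused. Note that the server still needs the plaintext secret on file to recompute the hash, which is why protecting the server's credential store matters as much as protecting the link.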
As you progress in your career and your studies, you'll find that companies such as Microsoft and Cisco occasionally like to make their own versions of popular services and protocols. Microsoft did just that with MS-CHAP, and I'm sure I don't have to tell you what the MS stands for!
MS-CHAP is available in two versions, Version 1 and Version 2. Version 1 is scheduled to be eliminated in Microsoft Vista. Some key details about MS-CHAP:
- The two versions are incompatible.
- MS-CHAP version 2 requires mutual authentication, where each device authenticates the other. Version 1 does not offer mutual authentication.
RADIUS (Remote Authentication Dial-In User Service) and TACACS (Terminal Access Controller Access Control System) are both AAA protocols, bringing Authentication, Authorization, and Accounting to networks. Before we examine RADIUS and TACACS, let's define each of the "three As".
Authentication simply asks the question, "Should I let you into the network in the first place?"
Authorization is the process of denying or permitting a client permission to do something on the network, such as accessing a file.

Accounting is the process of tracking a user's time, possibly for internal billing purposes. For example, if a user from the Security department is accessing servers or bandwidth allocated to the Accounting department, the Security user's activities could be tracked to allow the Accounting department to bill the Security department for the time that user was using the Accounting department's resources.

TACACS is rarely if ever seen anymore - it's been replaced largely by RADIUS and TACACS+. TACACS+ is not compatible with TACACS.
There are some key differences between TACACS+ and RADIUS:
There's a lot more to AAA, RADIUS, and TACACS+ than you see here. These are all very important security protocols in today's networks, so once you earn your Network + certification, I recommend you learn more about these protocols. Best of luck in your studies!
That's right, my Network+ Video Boot Camp has been certified with the CompTIA Authorized Quality Curriculum seal - that's as good as it gets!

"Chris, I passed the CompTIA Network+ certification exam this morning. I don't think I would have passed it without your help. Thank you for a great video!" -- Gene Frazier, Network+ Certified!
"Hi There Chris: I just wanted to THANK YOU SOOOOO MUCH for the great Network+ CD that I purchased from you. Thanks to you I passed the exam today and I just couldn't wait to get home and e-mail you. I have failed it a few times in the past especially by reading books only and it never worked.
I think you do an excellent job on the training and you explain things so well. Thanks again and keep up the great training because the next exam I choose to take will definitely come from a Train Signal CD taught by you!" -- Charlene Fyda, Network+ Certified!
(Click That Network+ Video Boot Camp Link To Find Out How To Get A FREE Network+ Study Package!)