Remote Authentication Protocols

When RADIUS or TACACS+ is deployed, other authentication protocols are often used alongside it. You have learned about a few of the remote authentication protocols available. Let's talk about three more that are used in remote authentication: PAP, CHAP, and MS-CHAP.

Password Authentication Protocol (PAP) is a data-link-layer authentication protocol used over PPP. Point-to-Point Protocol (PPP) carries TCP/IP traffic over a telephone line, which is how a dial-up Internet connection is made. PAP identifies and authenticates users who reach a network through a remote access server. It establishes identity with a peer using a two-way handshake: once the link is up, the client sends a user ID and password to the authentication server, which compares them with the credentials already stored in its database. These credentials travel in cleartext, which is the protocol's security weakness.

WARNING

Sending cleartext passwords is a fatal flaw from a security perspective. You should avoid using PAP authentication unless you have clear, strong, compensating controls in place, such as tunneling PAP over an otherwise encrypted connection.

The Challenge Handshake Authentication Protocol (CHAP) was standardized in 1996 and is defined in RFC 1994. CHAP provides authentication over PPP and uses a three-way handshake to verify the identity of the client. The handshake works as follows:

  1. The authenticator sends a challenge message to the client when the link is established. This challenge is unique to the session.
  2. The client responds with a value computed by applying a one-way hash function to the challenge combined with the shared secret, so the secret itself never crosses the link.
  3. The authenticator compares the response with the value of its own calculation of the hash. If the values match, authentication occurs. If the values do not match, the connection is terminated.
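The following simulation, added here as an illustration and not taken from the textbook, walks through the three CHAP steps above with both sides of the exchange, and contrasts the result with what PAP puts on the wire. It assumes the MD5 algorithm from RFC 1994, where the response is the hash of the Identifier, the shared secret, and the Challenge Value concatenated in that order; the peer name, secret, and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the page); secrets are per-peer
# and known to both the peer and the authenticator, never sent over the link.
SHARED_SECRET = b"example-secret"
CHAP_MD5_ALGORITHM = 5  # CHAP Algorithm field value for MD5 in RFC 1994


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: one-way hash over Identifier || secret || Challenge (RFC 1994, MD5)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Simulated authenticator: issues one-shot challenges and verifies responses."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)   # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}          # identifier -> challenge still awaiting a reply

    def challenge(self):
        """Step 1: send a fresh, unpredictable challenge unique to this session."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash and compare; the challenge is consumed on use,
        so a captured response cannot be replayed against a later session."""
        chal = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(expected, response)


class Peer:
    """Simulated client holding its name and shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(auth: Authenticator, peer: Peer):
    """Drive one full three-way handshake; returns (success, wire-visible bytes)."""
    identifier, chal = auth.challenge()          # authenticator -> peer
    name, resp = peer.respond(identifier, chal)  # peer -> authenticator
    ok = auth.verify(identifier, name, resp)     # authenticator decides
    on_the_wire = chal + resp                    # what an eavesdropper sees
    return ok, on_the_wire


def pap_wire(peer_id: bytes, password: bytes) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): length-prefixed
    Peer-ID and Password, both in cleartext."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


if __name__ == "__main__":
    auth = Authenticator({"alice": SHARED_SECRET})
    ok, wire = run_chap(auth, Peer("alice", SHARED_SECRET))
    print("CHAP success:", ok, "| secret visible on wire:", SHARED_SECRET in wire)
    print("PAP password visible on wire:", b"hunter2" in pap_wire(b"alice", b"hunter2"))
```

Running the block shows the genuine peer authenticating, while a peer with the wrong secret fails at step 3, a reused response fails because its challenge has already been consumed, and the PAP request exposes the password to anyone who can read the link.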

Microsoft created its own version of the CHAP protocol, known as Microsoft CHAP or MS-CHAP. MS-CHAP is used only in Microsoft-centric applications and comes in two different versions: MS-CHAPv1 and MS-CHAPv2. However, both of these protocols rely on the now insecure Data Encryption Standard (DES) and should no longer be used unless the communications are otherwise encrypted.

TABLE 10-2 compares PAP, CHAP, and MS-CHAPv2.

TABLE 10-2 PAP, CHAP, and MS-CHAPv2 Comparison