Network Working Group G. Zorn
Internet-Draft Microsoft Corporation
Category: Informational October 1997
<draft-ietf-rfced-info-zorn-00.txt>
RADIUS Attributes for MS-CHAP Support
1. Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress''.
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind. The distribution of this memo is unlimited. It is filed as <draft-ietf-rfced-info-zorn-00.txt> and expires April 1, 1997. Please send comments to the author (glennz@microsoft.com).
2. Abstract
This document describes a set of vendor-specific RADIUS attributes
designed to support the use of Microsoft's proprietary dialect of PPP
CHAP (MS-CHAP) in dial-up networks. MS-CHAP is derived from and (where
possible) consistent with PPP CHAP [1]; the differences between PPP CHAP
and MS-CHAP are significant enough to warrant the definition of new
RADIUS attributes, however.
3. Introduction
Microsoft created Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP) to authenticate remote Windows workstations, providing the
functionality to which LAN-based users are accustomed. Where possible, MS-CHAP is consistent with standard CHAP, and the differences are easily modularized.
Zorn [Page 1]
INTERNET-DRAFT MS-CHAP RADIUS Attributes October 1997
Briefly, differences between MS-CHAP and standard CHAP are:
* MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP
option 3, Authentication Protocol.
* The MS-CHAP Response packet is in a format designed for
compatibility with Microsoft Windows NT 3.5, 3.51 and 4.0,
Microsoft Windows95, and Microsoft LAN Manager 2.x networking
products. The MS-CHAP format does not require the
authenticator to store a clear-text or reversibly encrypted
password.
* MS-CHAP provides an authenticator-controlled authentication
retry mechanism.
* MS-CHAP provides an authenticator-controlled password changing
mechanism.
* MS-CHAP defines an extended set of reason-for-failure codes,
returned in the Failure packet Message field.
The attributes defined in this document reflect these differences.
4. Specification of Requirements
In this document, the key words "MAY", "MUST", "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as described in [2].
5. Attributes
The following sections describe sub-attributes which may be transmitted in one or more RADIUS attributes of type Vendor-Specific [3]. More than one sub-attribute MAY be transmitted in a single Vendor-Specific Attribute; if this is done, the sub-attributes SHOULD be packed as a sequence of Vendor-Type/Vendor-Length/Value triples following the initial Type, Length and Vendor-ID fields. The Length field of the Vendor-Specific Attribute MUST be set equal to the sum of the Vendor-Length fields of the sub-attributes contained in the Vendor-Specific Attribute, plus six. The Vendor-ID field of the Vendor-Specific Attribute(s) MUST be set to decimal 311 (Microsoft).
5.1. MS-CHAP-Challenge
Description
This Attribute contains the challenge sent by a NAS to a Microsoft
Challenge-Handshake Authentication Protocol (MS-CHAP) user. It
MAY be used in both Access-Request and Access-Challenge packets.
A summary of the MS-CHAP-Challenge Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
11 for MS-CHAP-Challenge.
Vendor-Length
> 2
String
The String field contains the MS-CHAP challenge.
5.2. MS-CHAP-Response
Description
This Attribute contains the response value provided by a PPP
Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
user in response to the challenge. It is only used in Access-
Request packets.
A summary of the MS-CHAP-Response Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Ident | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LM-Response
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response(cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NT-Response
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
1 for MS-CHAP-Response.
Vendor-Length
52
Ident
Identical to the PPP CHAP Identifier.
Flags
The Flags field is one octet in length. If the Flags field is one
(0x01), the NT-Response field is to be used in preference to the
LM-Response field for authentication. The LM-Response field MAY
still be used (if non-empty), but the NT-Response SHOULD be tried
first. If it is zero, the NT-Response field MUST be ignored and
the LM-Response field used.
LM-Response
The LM-Response field is 24 octets in length and holds an encoded
function of the password and the received challenge. If this
field is empty, it SHOULD be zero-filled.
NT-Response
The NT-Response field is 24 octets in length and holds an encoded
function of the password and the received challenge. If this
field is empty, it SHOULD be zero-filled.
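The Vendor-Specific packing rules of section 5 and the MS-CHAP-Response layout of section 5.2, as an added Python example that is not part of the draft: it builds one Vendor-ID 311 attribute carrying an MS-CHAP-Challenge and an MS-CHAP-Response, then parses it back with the length checks a RADIUS server should make before trusting any field. The challenge and response bytes are constructed, not real values.

```python
# Added example, not from the draft. Packs MS-CHAP sub-attributes into a
# RADIUS Vendor-Specific Attribute (Vendor-ID 311) and parses them back,
# validating every length before a value is used.
import struct

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2138 Vendor-Specific attribute type
VENDOR_ID_MICROSOFT = 311
MS_CHAP_RESPONSE = 1
MS_CHAP_CHALLENGE = 11


def pack_sub_attribute(vendor_type, value):
    """Encode one Vendor-Type / Vendor-Length / Value triple."""
    vendor_length = 2 + len(value)
    if vendor_length > 255:
        raise ValueError("value too long for a one-octet Vendor-Length")
    return struct.pack("!BB", vendor_type, vendor_length) + value


def pack_vsa(sub_attributes):
    """Wrap packed sub-attributes in one Vendor-Specific Attribute.

    Length = sum of the Vendor-Length fields + 6 (Type, Length, Vendor-ID).
    """
    body = b"".join(sub_attributes)
    length = 6 + len(body)
    if length > 255:
        raise ValueError("sub-attributes do not fit in one RADIUS attribute")
    header = struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, length, VENDOR_ID_MICROSOFT)
    return header + body


def build_mschap_response(ident, flags, lm_response, nt_response):
    """52-octet MS-CHAP-Response: Ident, Flags, 24-octet LM and NT responses.

    An empty response is zero-filled, as the draft says it SHOULD be.
    """
    lm = lm_response or bytes(24)
    nt = nt_response or bytes(24)
    if len(lm) != 24 or len(nt) != 24:
        raise ValueError("LM-Response and NT-Response are 24 octets each")
    return pack_sub_attribute(MS_CHAP_RESPONSE, bytes([ident, flags]) + lm + nt)


def parse_vsa(data):
    """Check the VSA header and lengths, then return (vendor_type, value) pairs.

    Every length is verified before any value is used, so a malformed
    attribute is rejected rather than read past its end.
    """
    if len(data) < 6:
        raise ValueError("truncated Vendor-Specific Attribute")
    attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
    if attr_type != RADIUS_VENDOR_SPECIFIC or vendor_id != VENDOR_ID_MICROSOFT:
        raise ValueError("not a Microsoft Vendor-Specific Attribute")
    if length != len(data):
        raise ValueError("Length %d does not match %d octets" % (length, len(data)))
    subs, offset = [], 6
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_length = data[offset], data[offset + 1]
        if vendor_length < 2 or offset + vendor_length > length:
            raise ValueError("bad Vendor-Length %d" % vendor_length)
        subs.append((vendor_type, data[offset + 2:offset + vendor_length]))
        offset += vendor_length
    return subs


def parse_mschap_response(value):
    """Split the value of an MS-CHAP-Response sub-attribute into its fields."""
    if len(value) != 50:            # Vendor-Length 52 minus the 2 header octets
        raise ValueError("MS-CHAP-Response Vendor-Length must be 52")
    ident, flags = value[0], value[1]
    lm_response, nt_response = value[2:26], value[26:50]
    # Flags 0x01: try NT-Response first; Flags 0x00: NT-Response MUST be ignored.
    return {"ident": ident, "flags": flags, "lm_response": lm_response,
            "nt_response": nt_response, "prefer_nt": flags == 0x01}
```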
5.3. MS-CHAP-Domain
Description
The MS-CHAP-Domain Attribute indicates the Windows NT domain in
which the user was authenticated. It MAY be included in both
Access-Accept and Accounting-Request packets.
A summary of the MS-CHAP-Domain Attribute format is given below. The
fields are transmitted left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Ident | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
10 for MS-CHAP-Domain.
Vendor-Length
> 3
Ident
The Ident field is one octet and aids in matching requests and
replies.
String
This field contains the name in ASCII of the Windows NT domain in
which the user was authenticated.
5.4. MS-CHAP-Error
Description
The MS-CHAP-Error Attribute contains error data related to the preceding MS-CHAP exchange. It is only used in Access-Reject packets.
A summary of the MS-CHAP-Error Attribute format is given below. The
fields are transmitted left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Ident | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
2 for MS-CHAP-Error.
Vendor-Length
> 3
Ident
The Ident field is one octet and aids in matching requests and
replies.
String
This field contains up to 48 octets of specially formatted ASCII
text, which is interpreted by the authenticating peer. The format
of this field is as follows:
"E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv"
where the "eeeeeeeeee" represents an ASCII representation of a
decimal error code of up to 10 digits corresponding to one of the
following:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
648 ERROR_PASSWD_EXPIRED
649 ERROR_NO_DIALIN_PERMISSION
691 ERROR_AUTHENTICATION_FAILURE
709 ERROR_CHANGING_PASSWORD
Implementations should deal with codes not on this list gracefully, however. Please note that (unlike PPP CHAP), the receipt of some of these error codes (in particular, the ERROR_PASSWD_EXPIRED code) will modify the subsequent operation of the MS-CHAP protocol. The 'r' is a retry flag (set to '1' if a retry is allowed and '0' otherwise), the "cccccccccccccccc" represents 16 hexadecimal digits ('0'-'F') specifying a new challenge value, and the "vvvvvvvvvv" is a decimal version code signifying the version of MS-CHAP supported by the server.
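The MS-CHAP-Error String format above, as an added Python example that is not from the draft: a parser that validates each field, maps the listed codes to their names, handles codes not on the list gracefully, and reports which change-password attribute (MS-CHAP-CPW-1 or MS-CHAP-CPW-2, chosen by the version code as sections 5.5 and 5.6 describe) a peer may send after ERROR_PASSWD_EXPIRED. Sample strings are constructed.

```python
# Added example, not from the draft. Parses the String field of an
# MS-CHAP-Error attribute: "E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv".
import re

# Error codes listed in the draft; anything else is reported as UNKNOWN_<n>.
MSCHAP_ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
ERROR_PASSWD_EXPIRED = 648

# Up to 10 decimal digits, a one-character retry flag, exactly 16 hex digits,
# and a decimal version. Lower-case hex is tolerated on input although the
# draft shows '0'-'F'.
_ERROR_RE = re.compile(
    r"^E=(?P<code>\d{1,10}) R=(?P<retry>[01]) "
    r"C=(?P<challenge>[0-9A-Fa-f]{16}) V=(?P<version>\d{1,10})$"
)


def parse_mschap_error(string_field):
    """Return a dict describing the error, or raise ValueError if malformed.

    The draft caps the field at 48 octets of ASCII; anything longer or
    non-ASCII is rejected before the pattern is applied.
    """
    if isinstance(string_field, bytes):
        string_field = string_field.decode("ascii")      # raises on non-ASCII
    if len(string_field) > 48:
        raise ValueError("MS-CHAP-Error String longer than 48 octets")
    m = _ERROR_RE.match(string_field)
    if m is None:
        raise ValueError("malformed MS-CHAP-Error String: %r" % string_field)
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERROR_NAMES.get(code, "UNKNOWN_%d" % code),
        "retry_allowed": m.group("retry") == "1",
        "new_challenge": bytes.fromhex(m.group("challenge")),
        "version": int(m.group("version")),
        # Only an expired password changes what the peer may send next.
        "password_change_expected": code == ERROR_PASSWD_EXPIRED,
    }


def change_password_attribute_for(error):
    """Name the change-password attribute a peer may send after this error."""
    if not error["password_change_expected"]:
        return None
    return "MS-CHAP-CPW-2" if error["version"] >= 2 else "MS-CHAP-CPW-1"
```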
5.5. MS-CHAP-CPW-1
Description
This Attribute allows the user to change their password if it has
expired. This Attribute is only used in Access-Request packets,
and should only be included if an MS-CHAP-Error attribute was
included in the immediately preceding Access-Reject packet, the
String field of the MS-CHAP-Error attribute indicated that the
user password had expired, and the MS-CHAP version is less than 2.
A summary of the MS-CHAP-CPW-1 Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Code | Ident |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LM-Old-Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Old-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Old-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Old-Password (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LM-New-Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-New-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-New-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-New-Password (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NT-Old-Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Old-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Old-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Old-Password (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NT-New-Password
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-New-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-New-Password (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-New-Password (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New-LM-Password-Length | Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
3 for MS-CHAP-CPW-1.
Vendor-Length
72
Code
The Code field is one octet in length. Its value is always 5.
Ident
The Ident field is one octet and aids in matching requests and
replies.
LM-Old-Password
The LM-Old-Password field is 16 octets in length. It contains the encrypted LAN Manager hash of the old password.
LM-New-Password
The LM-New-Password field is 16 octets in length. It contains the encrypted LAN Manager hash of the new password.
NT-Old-Password
The NT-Old-Password field is 16 octets in length. It contains the encrypted Windows NT hash of the old password.
NT-New-Password
The NT-New-Password field is 16 octets in length. It contains the encrypted Windows NT hash of the new password.
New-LM-Password-Length
The New-LM-Password-Length field is two octets in length and contains the length in octets of the new LAN Manager-compatible password.
Flags
The Flags field is two octets in length. If the least significant bit of the Flags field is one, this indicates that the NT-New-Password and NT-Old-Password fields are valid and SHOULD be used. Otherwise, the LM-New-Password and LM-Old-Password fields MUST be used.
5.6. MS-CHAP-CPW-2
Description
This Attribute allows the user to change their password if it has
expired. This Attribute is only used in Access-Request packets,
and should only be included if an MS-CHAP-Error attribute was
included in the immediately preceding Access-Reject packet, the
String field of the MS-CHAP-Error attribute indicated that the
user password had expired, and the MS-CHAP version is 2 or
greater.
A summary of the MS-CHAP-CPW-2 Attribute format is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Code | Ident |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old-NT-Hash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-NT-Hash (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-NT-Hash (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-NT-Hash (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old-LM-Hash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-LM-Hash(cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-LM-Hash(cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Old-LM-Hash(cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LM-Response
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Response (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NT-Response
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Response (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
4 for MS-CHAP-CPW-2.
Vendor-Length
86
Code
6
Ident
The Ident field is one octet and aids in matching requests and replies. The value of this field MUST be identical to that in the Ident field in all instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and MS-CHAP-CPW-2 attributes contained in a single Access-Request packet.
Old-NT-Hash
The Old-NT-Hash field is 16 octets in length. It contains the old Windows NT password hash encrypted with the new Windows NT password hash.
Old-LM-Hash
The Old-LM-Hash field is 16 octets in length. It contains the old LAN Manager password hash encrypted with the new Windows NT password hash.
LM-Response
The LM-Response field is 24 octets in length and holds an encoded
function of the password and the received challenge. If this
field is empty, it SHOULD be zero-filled.
NT-Response
The NT-Response field is 24 octets in length and holds an encoded
function of the password and the received challenge. If this
field is empty, it SHOULD be zero-filled.
Flags
The Flags field is two octets in length. If the least significant bit (bit 0) of this field is one, the NT-Response field is to be used in preference to the LM-Response field for authentication. The LM-Response field MAY still be used (if present), but the NT-Response SHOULD be tried first. If the least significant bit of the field is zero, the NT-Response field MUST be ignored and the LM-Response field used instead. If bit 1 of the Flags field is one, the Old-LM-Hash field is valid and SHOULD be used. If this bit is set, at least one instance of the MS-CHAP-LM-Enc-PW attribute MUST be included in the packet.
5.7. MS-CHAP-LM-Enc-PW
Description
This Attribute contains the new Windows NT password encrypted with the old LAN Manager password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum length of a RADIUS attribute, the password must be split into several attributes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.
This Attribute is only used in Access-Request packets, in conjunction with the MS-CHAP-CPW-2 attribute. It should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.
A summary of the MS-CHAP-LM-Enc-PW Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Code | Ident |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence-Number | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
5 for MS-CHAP-LM-Enc-PW
Vendor-Length
> 6
Code
6. Code is the same as for the MS-CHAP-CPW-2 attribute.
Ident
The Ident field is one octet and aids in matching requests and replies. The value of this field MUST be identical in all instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and MS-CHAP-CPW-2 attributes which are present in the same Access-Request packet.
Sequence-Number
The Sequence-Number field is two octets in length and indicates which "chunk" of the encrypted password is contained in the following String field.
String
The String field contains a portion of the encrypted password.
5.8. MS-CHAP-NT-Enc-PW
Description
This Attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets in length; since this is longer than the maximum length of a RADIUS attribute, the password must be split into several attributes for transmission. A 2 octet sequence number is included in the attribute to help preserve ordering of the password fragments.
This Attribute is only used in Access-Request packets, in conjunction with the MS-CHAP-CPW-2 attribute. It should only be included if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.
A summary of the MS-CHAP-NT-Enc-PW Attribute format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Code | Ident |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence-Number | String ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
6 for MS-CHAP-NT-Enc-PW
Vendor-Length
> 6
Code
6. Code is the same as for the MS-CHAP-CPW-2 attribute.
Ident
The Ident field is one octet and aids in matching requests and replies. The value of this field MUST be identical in all instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and MS-CHAP-CPW-2 attributes which are present in the same Access-Request packet.
Sequence-Number
The Sequence-Number field is two octets in length and indicates which "chunk" of the encrypted password is contained in the following String field.
String
The String field contains a portion of the encrypted password.
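Fragmenting the 516-octet encrypted password across MS-CHAP-LM-Enc-PW or MS-CHAP-NT-Enc-PW sub-attributes (sections 5.7 and 5.8) and reassembling it on the server, as an added Python example that is not part of the draft. It assumes Sequence-Numbers start at 0 and picks a chunk size so that each fragment fits inside one Vendor-Specific Attribute; the draft fixes only the field layout, and the sample password bytes are constructed.

```python
# Added example, not from the draft. Splits an encrypted password into
# MS-CHAP-*-Enc-PW sub-attributes and rebuilds it, checking Code, Ident,
# Sequence-Number and the total length before accepting the result.
import struct

MS_CHAP_LM_ENC_PW = 5
MS_CHAP_NT_ENC_PW = 6
CHANGE_PASSWORD_CODE = 6        # same Code as MS-CHAP-CPW-2
ENCRYPTED_PW_LEN = 516
# Assumed chunk size: the largest String for which the whole sub-attribute
# (Vendor-Type, Vendor-Length, Code, Ident, Sequence-Number, String) still
# fits in a single 255-octet VSA whose own header takes 6 octets.
MAX_CHUNK = 255 - 6 - 6


def fragment_encrypted_password(vendor_type, ident, encrypted_pw, chunk=MAX_CHUNK):
    """Return the packed sub-attributes carrying encrypted_pw, in order."""
    if len(encrypted_pw) != ENCRYPTED_PW_LEN:
        raise ValueError("encrypted password must be %d octets" % ENCRYPTED_PW_LEN)
    if vendor_type not in (MS_CHAP_LM_ENC_PW, MS_CHAP_NT_ENC_PW):
        raise ValueError("vendor_type must be MS-CHAP-LM-Enc-PW or MS-CHAP-NT-Enc-PW")
    fragments = []
    for seq, start in enumerate(range(0, ENCRYPTED_PW_LEN, chunk)):
        piece = encrypted_pw[start:start + chunk]
        header = struct.pack("!BBBBH", vendor_type, 6 + len(piece),
                             CHANGE_PASSWORD_CODE, ident, seq)
        fragments.append(header + piece)
    return fragments


def reassemble_encrypted_password(vendor_type, expected_ident, fragments):
    """Rebuild the 516-octet value from sub-attributes received in any order.

    Every fragment must carry Code 6 and the Ident of the accompanying
    MS-CHAP-CPW-2; duplicate or missing sequence numbers are rejected.
    """
    pieces = {}
    for frag in fragments:
        if len(frag) < 6:
            raise ValueError("truncated sub-attribute")
        vtype, vlen, code, ident, seq = struct.unpack("!BBBBH", frag[:6])
        if vtype != vendor_type or vlen != len(frag):
            raise ValueError("wrong Vendor-Type or Vendor-Length")
        if code != CHANGE_PASSWORD_CODE:
            raise ValueError("Code must be 6")
        if ident != expected_ident:
            raise ValueError("Ident %d does not match MS-CHAP-CPW-2 Ident %d"
                             % (ident, expected_ident))
        if seq in pieces:
            raise ValueError("duplicate Sequence-Number %d" % seq)
        pieces[seq] = frag[6:]
    if sorted(pieces) != list(range(len(pieces))):
        raise ValueError("gap in Sequence-Numbers")
    data = b"".join(pieces[seq] for seq in sorted(pieces))
    if len(data) != ENCRYPTED_PW_LEN:
        raise ValueError("reassembled %d octets, expected %d"
                         % (len(data), ENCRYPTED_PW_LEN))
    return data
```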
5.9. MS-CHAP-MPPE-Keys
Description
The MS-CHAP-MPPE-Keys Attribute contains two session keys for use
by the Microsoft Point-to-Point Encryption Protocol (MPPE). This
Attribute is only included in Access-Accept packets.
A summary of the MS-CHAP-MPPE-Keys Attribute format is given below.
The fields are transmitted left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Vendor-Type | Vendor-Length | Keys
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Keys (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Vendor-Type
12 for MS-CHAP-MPPE-Keys.
Vendor-Length
34
Keys
The Keys field consists of two logical sub-fields: the LM-Key and the NT-Key. The LM-Key is eight octets in length and contains the first eight bytes of the hashed LAN Manager password. The NT-Key sub-field is sixteen octets in length and contains the first sixteen octets of the hashed Windows NT password. The format of the plaintext Keys field is illustrated in the following diagram:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LM-Key
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
LM-Key (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| NT-Key
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Key (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Key (cont)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NT-Key (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Padding
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Padding (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Keys field MUST be encrypted by the RADIUS server using the
same method defined for the User-Password Attribute [3]. Note
that the padding is required because the method referenced above
requires the field to be encrypted to be a multiple of sixteen
octets in length.
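The 32-octet Keys field and its protection with the User-Password hiding method of RFC 2138 (MD5 of the shared secret and Request Authenticator, XORed block by block, chaining on the previous ciphertext block), as an added Python example that is not from the draft. The shared secret, Request Authenticator and hash bytes are constructed; the reveal function is also why the Security Considerations warn about proxies, since any hop holding the shared secret recovers the plaintext keys.

```python
# Added example, not from the draft. Builds the plaintext Keys field of
# MS-CHAP-MPPE-Keys and hides/reveals it with the RFC 2138 User-Password
# method. Secrets and hashes below are constructed stand-ins.
import hashlib
import os

KEYS_FIELD_LEN = 32    # LM-Key (8) + NT-Key (16) + Padding (8)


def build_keys_field(lm_hash, nt_hash):
    """LM-Key = first 8 octets of the LM hash, NT-Key = first 16 of the NT hash."""
    if len(lm_hash) < 8 or len(nt_hash) < 16:
        raise ValueError("hashes are too short")
    keys = lm_hash[:8] + nt_hash[:16]
    # Zero padding brings the field to a multiple of 16 octets, which the
    # User-Password method requires.
    return keys + bytes(KEYS_FIELD_LEN - len(keys))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_keys(secret, request_authenticator, keys_field):
    """c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    if len(keys_field) % 16 != 0:
        raise ValueError("field to hide must be a multiple of 16 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(keys_field), 16):
        block = _xor(keys_field[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_keys(secret, request_authenticator, hidden):
    """Inverse of hide_keys; anyone holding the shared secret can do this."""
    if len(hidden) % 16 != 0 or len(request_authenticator) != 16:
        raise ValueError("bad input length")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out


def split_keys_field(keys_field):
    """Recover LM-Key and NT-Key from a revealed 32-octet Keys field."""
    if len(keys_field) != KEYS_FIELD_LEN:
        raise ValueError("Keys field must be 32 octets")
    return keys_field[:8], keys_field[8:24]


def demo():
    secret = b"example-shared-secret"         # constructed
    authenticator = os.urandom(16)            # per-request, sent in the clear
    lm_hash = bytes(range(0x10, 0x20))        # constructed stand-ins for the
    nt_hash = bytes(range(0x20, 0x30))        # real LM and NT password hashes
    hidden = hide_keys(secret, authenticator, build_keys_field(lm_hash, nt_hash))
    # A RADIUS proxy holds the secret for its hop, so it sees exactly this
    # plaintext before re-hiding the field for the next hop.
    lm_key, nt_key = split_keys_field(reveal_keys(secret, authenticator, hidden))
    return lm_key == lm_hash[:8] and nt_key == nt_hash[:16]
```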
6. Table of Attributes
The following table provides a guide to which of the above attributes
may be found in which kinds of packets, and in what quantity.
   Request  Accept  Reject  Challenge  Acct-Request   #   Attribute
     0+       0       0        0+           0        11   MS-CHAP-Challenge
     0+       0       0        0            0         1   MS-CHAP-Response
     0        0+      0        0            0+       10   MS-CHAP-Domain
     0        0       0+       0            0         2   MS-CHAP-Error
     0+       0       0        0            0         3   MS-CHAP-CPW-1
     0+       0       0        0            0         4   MS-CHAP-CPW-2
     0+       0       0        0            0         5   MS-CHAP-LM-Enc-PW
     0+       0       0        0            0         6   MS-CHAP-NT-Enc-PW
     0        0+      0        0            0        12   MS-CHAP-MPPE-Keys
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in packet.
0-1 Zero or one instance of this attribute MAY be present in packet.
7. References
[1] Simpson, W., "PPP Challenge Handshake Authentication Protocol
(CHAP)", RFC 1994, August 1996
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, March 1997
[3] Rigney, C., et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997
8. Security Considerations
MS-CHAP, like PPP CHAP, is susceptible to dictionary attacks. User
passwords should be chosen with care, and be of sufficient length to
deter easy guessing. Although the scheme used to protect the Keys field
of the MS-CHAP-MPPE-Keys Attribute is believed to be relatively secure
on the wire, RADIUS proxies will decrypt and re-encrypt the field for
forwarding. Therefore, the MS-CHAP-MPPE-Keys attribute SHOULD NOT be
used on networks where untrusted RADIUS proxies reside.
9. Acknowledgements
Thanks to Carl Rigney (cdr@livingston.com), Narendra Gidwani
(nareng@microsoft.com), Steve Cobb (stevec@microsoft.com), Pat Calhoun
(pcalhoun@usr.com), Dave Mitton (dmitton@baynetworks.com), Paul Funk
(paul@funk.com), Gurdeep Singh Pall (gurdeep@microsoft.com) and Don Rule
(donaldr@microsoft.com) for useful suggestions and editorial feedback.
10. Expiration Date
This document expires April 1, 1997.
11. Author's Address
Glen Zorn
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052
Phone: +1 425 703 1559
FAX: +1 425 936 7329
EMail: glennz@microsoft.com