000024044 - Does ACE/Server RADIUS server support CHAP or PAP?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000024044
Applies To: RSA ACE/Agent
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Issue: Does ACE/Server RADIUS server support CHAP or PAP?
Some users can authenticate, but others cannot
Error: "Access Denied, PASSCODE Incorrect"
When using CHAP, New Pin Mode and Next PRN Mode prompts are not available to users.
Cause: CHAP uses a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established. After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a "one-way hash" function. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated. This handshake is essentially closed off from outside protocols, so our RADIUS server cannot feed the New Pin Mode or Next PRN Mode prompt strings into it.
Resolution: CHAP is not a supported protocol with RSA's RADIUS implementation. It is possible for a vendor to code their CHAP implementation to permit our prompt strings, but this is not an RSA issue.
PAP provides an open exchange of prompts between the server and client that permits New Pin Mode and Next PRN Mode to work. PAP is supported by RSA's RADIUS implementation.
Legacy Article ID: 1.0.314455.2179419
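
The difference between the two protocols described above, as an added example (not RSA's code): the CHAP check as defined in RFC 1994 with MD5, next to a constructed, hypothetical PAP-style handler. The function names, session fields, prompt text and sample passcodes are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (RFC 1994, MD5): hash over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_authenticate(identifier, challenge, response, expected_secret):
    """Authenticator side: recompute the hash and compare.
    The exchange ends with success or failure. The server sees only a digest,
    never the typed text, and gets no further round to ask for a new PIN.
    """
    expected = chap_response(identifier, expected_secret, challenge)
    return "success" if hmac.compare_digest(expected, response) else "failure"


def pap_authenticate(typed: str, session: dict):
    """Constructed PAP-style handler (hypothetical logic, not RSA's code).
    The server receives what the user typed, so it can answer with a prompt
    and continue the dialog instead of only accepting or rejecting.
    """
    if session.get("awaiting_new_pin"):
        session["pin"], session["awaiting_new_pin"] = typed, False
        return ("accept", "New PIN accepted")
    if not hmac.compare_digest(typed, session["passcode"]):
        return ("reject", "Access Denied")
    if session.get("new_pin_mode"):
        session["awaiting_new_pin"] = True
        return ("prompt", "Enter a new PIN:")
    return ("accept", "")


def demo():
    """Run both flows on constructed sample values and return the outcomes."""
    ident, challenge = 1, os.urandom(16)
    passcode = b"1234567890"  # constructed sample passcode
    good = chap_response(ident, passcode, challenge)
    bad = chap_response(ident, b"0000000000", challenge)
    chap = [chap_authenticate(ident, challenge, r, passcode) for r in (good, bad)]
    session = {"passcode": "1234567890", "new_pin_mode": True}
    pap = [pap_authenticate("1234567890", session), pap_authenticate("4321", session)]
    return chap, pap


if __name__ == "__main__":
    print(demo())
```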