|Applies To||RSA ACE/Agent|
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
|Issue||Does the ACE/Server RADIUS server support CHAP or PAP?|
Some users can authenticate, but others cannot
Error: "Access Denied, PASSCODE Incorrect"
When using CHAP, New PIN Mode and Next PRN Mode prompts are not available to users.
|Cause||CHAP uses a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established. After the Link Establishment phase is complete, the authenticator sends a "challenge" message to the peer. The peer responds with a value calculated using a "one-way hash" function. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated. This handshake is essentially closed off from outside protocols, so our RADIUS server cannot feed the New PIN Mode or Next PRN Mode prompt strings into it.|
|Resolution||CHAP is not a supported protocol with RSA's RADIUS implementation. A vendor could code its CHAP implementation to permit our prompt strings, but this is not an RSA issue.|
PAP provides an open exchange of prompts between the server and client that permits New PIN Mode and Next PRN Mode to work. PAP is supported by RSA's RADIUS implementation.
|Legacy Article ID||1.0.314455.2179419|
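
Added example (not RSA code, and going beyond the article's text to the RFC-level mechanics): the CHAP response check described under Cause, per RFC 1994, next to the way RADIUS carries a PAP password in the User-Password attribute, per RFC 2865 section 5.2. It shows that a PAP server recovers the text the user typed, while a CHAP server receives only a digest it must recompute; the passcode, shared secret, Request Authenticator and challenge are constructed sample values.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 peer side: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, expected: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash from the secret it expects."""
    return hmac.compare_digest(chap_response(ident, expected, challenge), response)

def _pap_masks(data: bytes, shared_secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def pap_hide(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 bytes, then mask (User-Password)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _pap_masks(padded, shared_secret, request_auth, hiding=True)

def pap_unhide(hidden: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same masks give back the text the user typed."""
    return _pap_masks(hidden, shared_secret, request_auth, hiding=False).rstrip(b"\x00")

def demo():
    passcode = b"1234832947"                   # constructed: PIN followed by tokencode
    shared_secret = b"constructed-nas-secret"  # constructed RADIUS shared secret
    request_auth = bytes(range(16))            # constructed Request Authenticator
    challenge = bytes(range(16, 32))           # constructed CHAP challenge
    # PAP: the server ends up holding the passcode text itself.
    recovered = pap_unhide(pap_hide(passcode, shared_secret, request_auth),
                           shared_secret, request_auth)
    # CHAP: the server holds only a 16-byte digest and can only compare it
    # against a digest recomputed from a value it already expects.
    digest = chap_response(1, passcode, challenge)
    return (recovered, digest,
            chap_verify(1, passcode, challenge, digest),
            chap_verify(1, b"1234832948", challenge, digest))

if __name__ == "__main__":
    print(demo())
```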