RFC 2759 (rfc2759) - Page 3 of 20
Microsoft PPP CHAP Extensions, Version 2
RFC 2759                 Microsoft MS-CHAP-V2                 January 2000

1. Introduction

Where possible, MS-CHAP-V2 is consistent with both MS-CHAP-V1 and standard CHAP. Briefly, the differences between MS-CHAP-V2 and MS-CHAP-V1 are:

* MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3, Authentication Protocol.

* MS-CHAP-V2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

* The calculation of the "Windows NT compatible challenge response" sub-field in the Response packet has been changed to include the peer challenge and the user name.

* In MS-CHAP-V1, the "LAN Manager compatible challenge response" sub-field was always sent in the Response packet. This field has been replaced in MS-CHAP-V2 by the Peer-Challenge field.

* The format of the Message field in the Failure packet has been changed.

* The Change Password (version 1) and Change Password (version 2) packets are no longer supported. They have been replaced with a single Change-Password packet.

2. LCP Configuration

The LCP configuration for MS-CHAP-V2 is identical to that for standard CHAP, except that the Algorithm field has value 0x81, rather than the MD5 value 0x05. PPP implementations which do not support MS-CHAP-V2, but correctly implement LCP Config-Rej, should have no problem dealing with this non-standard option.

3. Challenge Packet

The MS-CHAP-V2 Challenge packet is identical in format to the standard CHAP Challenge packet.

MS-CHAP-V2 authenticators send a 16-octet challenge Value field. Peers need not duplicate Microsoft's algorithm for selecting the 16-octet value, but the standard guidelines on randomness [1,2,7] SHOULD be observed.

Microsoft authenticators do not currently provide information in the Name field. This may change in the future.

Zorn                         Informational
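The following is an added example, not part of the RFC text: a parser that walks the options of a captured LCP Configure-Request and names the authentication method requested in option 3, which is how an auditor can tell whether a link asks for MS-CHAP-V2 (0x81) or CHAP with MD5 (0x05). The option layout and the CHAP protocol number 0xC223 come from RFC 1661 and RFC 1994, and algorithm 0x80 (MS-CHAP-V1) from RFC 2433; the function names and the sample packet are constructed for illustration.

```python
import struct

# Values from RFC 1661/1994/2433 and this section of RFC 2759.
LCP_CONFIGURE_REQUEST = 1
OPT_AUTH_PROTOCOL = 3
PPP_CHAP = 0xC223
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP-V1", 0x81: "MS-CHAP-V2"}


def parse_lcp_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, data) pairs from an LCP Configure-Request."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != LCP_CONFIGURE_REQUEST:
        raise ValueError(f"not a Configure-Request (code {code})")
    if length < 4 or length > len(packet):
        raise ValueError("LCP Length field does not fit the packet")
    options, pos = [], 4
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError(f"bad length {opt_len} in option {opt_type}")
        options.append((opt_type, packet[pos + 2:pos + opt_len]))
        pos += opt_len
    return options


def requested_auth(packet: bytes) -> str:
    """Name the authentication method requested in option 3, if any."""
    for opt_type, data in parse_lcp_options(packet):
        if opt_type != OPT_AUTH_PROTOCOL:
            continue
        if len(data) < 2:
            raise ValueError("Authentication-Protocol option too short")
        (proto,) = struct.unpack("!H", data[:2])
        if proto != PPP_CHAP:
            return f"protocol 0x{proto:04X}"
        if len(data) != 3:
            raise ValueError("CHAP option must carry one Algorithm octet")
        return CHAP_ALGORITHMS.get(data[2], f"CHAP algorithm 0x{data[2]:02X}")
    return "none"


# Constructed sample: Configure-Request, id 1, MRU 1500 + CHAP with 0x81.
SAMPLE = bytes.fromhex("0101000d" "010405dc" "0305c22381")
```

Malformed option lengths raise ValueError rather than being skipped, so a truncated or inconsistent capture is reported instead of being classified.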



