Internet DRAFT - draft-ietf-rfced-info-zorn

draft-ietf-rfced-info-zorn



HTTP/1.1 200 OK
Date: Tue, 09 Apr 2002 07:02:59 GMT
Server: Apache/1.3.20 (Unix)
Last-Modified: Thu, 23 Oct 1997 15:54:00 GMT
ETag: "304f16-837f-344f7318"
Accept-Ranges: bytes
Content-Length: 33663
Connection: close
Content-Type: text/plain


Network Working Group                                            G. Zorn
Internet-Draft                                     Microsoft Corporation
Category: Informational                                     October 1997
<draft-ietf-rfced-info-zorn-00.txt>

                 RADIUS Attributes for MS-CHAP Support


1.  Status of this Memo

This  document  is an Internet-Draft.  Internet-Drafts are working docu-
ments of the Internet Engineering Task Force (IETF), its areas, and  its
working groups.  Note that other groups may also distribute working doc-
uments as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum  of  six  months
and  may  be  updated,  replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference  material
or to cite them other than as ``work in progress''.

To  learn  the  current  status  of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in  the  Internet-Drafts  Shadow
Directories  on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

This memo provides information for the Internet  community.   This  memo
does  not specify an Internet standard of any kind.  The distribution of
this  memo  is  unlimited.   It  is  filed  as   <draft-ietf-rfced-info-
zorn-00.txt>  and  expires  April  1, 1997.  Please send comments to the
author (glennz@microsoft.com).


2.  Abstract

This document describes  a  set  of  vendor-specific  RADIUS  attributes
designed  to  support  the use of Microsoft's proprietary dialect of PPP
CHAP (MS-CHAP) in dial-up networks.  MS-CHAP is derived from and  (where
possible) consistent with PPP CHAP [1]; the differences between PPP CHAP
and MS-CHAP are significant enough to  warrant  the  definition  of  new
RADIUS attributes, however.


3.  Introduction

Microsoft  created Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP) to authenticate remote  Windows  workstations,  providing  the
functionality  to which LAN-based users are accustomed.  Where possible,
MS-CHAP is consistent with standard CHAP, and the differences are easily



Zorn                                                            [Page 1]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


modularized.   Briefly,  differences  between  MS-CHAP and standard CHAP
are:

   * MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP
     option 3, Authentication Protocol.

   * The MS-CHAP Response packet is in a format designed for
     compatibility with Microsoft Windows NT 3.5, 3.51 and 4.0,
     Microsoft Windows95, and Microsoft LAN Manager 2.x networking
     products.  The MS-CHAP format does not require the
     authenticator to store a clear-text or reversibly encrypted
     password.

   * MS-CHAP provides an authenticator-controlled authentication
     retry mechanism.

   * MS-CHAP provides an authenticator-controlled password changing
     mechanism.

   * MS-CHAP defines an extended  set of reason-for-failure codes,
     returned in the Failure packet Message field.

The attributes defined in this document reflect these differences.


4.  Specification of Requirements

In this document, the key words "MAY", "MUST,  "MUST  NOT",  "optional",
"recommended",  "SHOULD",  and  "SHOULD  NOT"  are  to be interpreted as
described in [2].


5.  Attributes

The following sections describe sub-attributes which may be  transmitted
in one or more RADIUS attributes of type Vendor-Specific [3].  More than
one  sub-attribute  MAY  be  transmitted  in  a  single  Vendor-Specific
Attribute;  if  this  is  done, the sub-attributes SHOULD be packed as a
sequence of Vendor-Type/Vendor-Length/Value triples following the inital
Type,  Length and Vendor-ID fields.  The Length field of the Vendor-Spe-
cific Attribute MUST be set equal to the sum of the Vendor-Length fields
of  the  sub-attributes contained in the Vendor-Specific Attribute, plus
six.  The Vendor-ID field of the Vendor-Specific  Attribute(s)  MUST  be
set to decimal 311 (Microsoft).







Zorn                                                            [Page 2]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


5.1.  MS-CHAP-Challenge

   Description

      This Attribute contains the challenge sent by a NAS to a Microsoft
      Challenge-Handshake Authentication Protocol  (MS-CHAP)  user.   It
      MAY be used in both Access-Request and Access-Challenge packets.

   A  summary  of  the MS-CHAP-Response Attribute format is shown below.
   The fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |           String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      11 for MS-CHAP-Challenge.

   Vendor-Length

      > 2

   String

      The String field contains the MS-CHAP challenge.


5.2.  MS-CHAP-Response

   Description

      This Attribute contains the  response  value  provided  by  a  PPP
      Microsoft  Challenge-Handshake  Authentication  Protocol (MS-CHAP)
      user in response to the challenge.  It is  only  used  in  Access-
      Request packets.

   A  summary  of  the MS-CHAP-Response Attribute format is shown below.
   The fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Vendor-Type  | Vendor-Length |    Ident    |     Flags     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           LM-Response



Zorn                                                            [Page 3]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            LM-Response(cont)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           NT-Response
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            NT-Response (cont)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      1 for MS-CHAP-Response.

   Vendor-Length

      52

   Ident
      Identical to the PPP CHAP Identifier.

   Flags
      The Flags field is one octet in length.  If the Flags field is one
      (0x01),  the  NT-Response field is to be used in preference to the
      LM-Response field for authentication.  The LM-Response  field  MAY
      still  be used (if non-empty), but the NT-Response SHOULD be tried
      first.  If it is zero, the NT-Response field MUST be  ignored  and
      the LM-Response field used.

   LM-Response
      The  LM-Response field is 24 octets in length and holds an encoded
      function of the password and  the  received  challenge.   If  this
      field is empty, it SHOULD be zero-filled.




Zorn                                                            [Page 4]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   NT-Response
      The  NT-Response field is 24 octets in length and holds an encoded
      function of the password and  the  received  challenge.   If  this
      field is empty, it SHOULD be zero-filled.


5.3.  MS-CHAP-Domain

   Description

      The  MS-CHAP-Domain  Attribute  indicates the Windows NT domain in
      which the user was authenticated.  It  MAY  be  included  in  both
      Access-Accept and Accounting-Request packets.

   A summary of the MS-CHAP-Domain Attribute format is given below.  The
   fields are transmitted left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |     Ident     |    String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      10 for MS-CHAP-Domain.

   Vendor-Length

      > 3

   Ident

      The Ident field is one octet and aids  in  matching  requests  and
      replies.

   String

      This  field contains the name in ASCII of the Windows NT domain in
      which the user was authenticated.


5.4.  MS-CHAP-Error

   Description

      The MS-CHAP-Error Attribute contains error  data  related  to  the
      preceding  MS-CHAP  exchange.   It  is  only used in Access-Reject



Zorn                                                            [Page 5]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      packets.

   A summary of the MS-CHAP-Error Attribute format is given below.   The
   fields are transmitted left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |     Ident     |    String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      2 for MS-CHAP-Error.

   Vendor-Length

      > 3

   Ident

      The  Ident  field  is  one octet and aids in matching requests and
      replies.

   String

      This field contains up to 48 octets of specially  formatted  ASCII
      text, which is interpreted by the authenticating peer.  The format
      of this field is as follows:

         "E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv"

      where the "eeeeeeeeee" represents an  ASCII  representation  of  a
      decimal  error code of up to 10 digits corresponding to one of the
      following:

         646 ERROR_RESTRICTED_LOGON_HOURS
         647 ERROR_ACCT_DISABLED
         648 ERROR_PASSWD_EXPIRED
         649 ERROR_NO_DIALIN_PERMISSION
         691 ERROR_AUTHENTICATION_FAILURE
         709 ERROR_CHANGING_PASSWORD

      Implementations should deal with codes not  on  this  list  grace-
      fully,  however.   Please note that (unlike PPP CHAP), the receipt
      of   some   of   these   error   codes   (in    particular,    the
      ERROR_PASSWD_EXPIRED code) will modify the subsequent operation of
      the MS-CHAP protocol.  The 'r' is a retry flag (set to  '1'  if  a



Zorn                                                            [Page 6]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      retry is allowed and '0' otherwise), the "cccccccccccccccc" repre-
      sents 16 hexadecimal digits ('0'-'F') specifying a  new  challenge
      value,  and  the "vvvvvvvvvv" is a decimal version code signifying
      the version of MS-CHAP supported by the server.


5.5.  MS-CHAP-CPW-1

   Description

      This Attribute allows the user to change their password if it  has
      expired.   This  Attribute is only used in Access-Request packets,
      and should only be included  if  an  MS-CHAP-Error  attribute  was
      included  in  the  immediately preceding Access-Reject packet, the
      String field of the MS-CHAP-Error  attribute  indicated  that  the
      user password had expired, and the MS-CHAP version is less than 2.

   A summary of the MS-CHAP-CPW-1  Attribute format is shown below.  The
   fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |     Code      |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       LM-Old-Password
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-Old-Password (cont)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       LM-New-Password
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        LM-New-Password (cont)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       NT-Old-Password
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-Old-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-Old-Password (cont)                   |



Zorn                                                            [Page 7]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       NT-New-Password
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                        NT-New-Password (cont)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    New-LM-Password-Length   |             Flags             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      3 for MS-CHAP-PW-1

   Vendor-Length

      72

   Code

      The Code field is one octet in length.  Its value is always 5.

   Ident

      The  Ident  field  is  one octet and aids in matching requests and
      replies.

   LM-Old-Password

      The LM-Old-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the old password.

   LM-New-Password

      The LM-New-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the new password.

   NT-Old-Password

      The NT-Old-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the old password.

   NT-New-Password

      The NT-New-Password field is 16 octets in length.  It contains the
      encrypted Lan Manager hash of the new password.



Zorn                                                            [Page 8]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   New-LM-Password-Length

      The New-LM-Password-Length field is two octets in length and  con-
      tains the length in octets of the new LAN Manager-compatible pass-
      word.

   Flags

      The Flags field is two octets in length.  If the least significant
      bit  of  the  Flags  field is one, this indicates that the NT-New-
      Password and NT-Old-Password fields are valid and SHOULD be  used.
      Otherwise,  the LM-New-Password and LM-Old-Password fields MUST be
      used.


5.6.  MS-CHAP-CPW-2

   Description

      This Attribute allows the user to change their password if it  has
      expired.   This  Attribute is only used in Access-Request packets,
      and should only be included  if  an  MS-CHAP-Error  attribute  was
      included  in  the  immediately preceding Access-Reject packet, the
      String field of the MS-CHAP-Error  attribute  indicated  that  the
      user  password  had  expired,  and  the  MS-CHAP  version  is 2 or
      greater.

   A summary of the MS-CHAP-CPW-2  Attribute format is shown below.  The
   fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |     Code      |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Old-NT-Hash
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Old-NT-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Old-NT-Hash (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                         Old-NT-Hash (cont)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Old-LM-Hash
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash(cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash(cont)



Zorn                                                            [Page 9]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          Old-LM-Hash(cont)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        LM-Response
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          LM-Response (cont)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         NT-Response
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                          NT-Response (cont)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Flags             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      4 for MS-CHAP-PW-2

   Vendor-Length

      86

   Code

      6

   Ident

      The  Ident  field  is  one octet and aids in matching requests and
      replies.  The value of this field MUST be identical to that in the
      Ident field in all instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-
      Enc-PW and MS-CHAP-PW-2 attributes contained in a  single  Access-



Zorn                                                           [Page 10]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      Request packet.

   Old-NT-Hash

      The Old-NT-Hash field is 16 octets in length.  It contains the old
      Windows NT password hash encrypted with the new Windows  NT  pass-
      word hash.

   Old-LM-Hash

      The Old-LM-Hash field is 16 octets in length.  It contains the old
      Lan Manager password hash encrypted with the new Windows NT  pass-
      word hash.

   LM-Response

      The  LM-Response field is 24 octets in length and holds an encoded
      function of the password and  the  received  challenge.   If  this
      field is empty, it SHOULD be zero-filled.

   NT-Response

      The  NT-Response field is 24 octets in length and holds an encoded
      function of the password and  the  received  challenge.   If  this
      field is empty, it SHOULD be zero-filled.

   Flags
      The Flags field is two octets in length.  If the least significant
      bit (bit 0) of this field is one, the NT-Response field is  to  be
      used  in  preference  to the LM-Response field for authentication.
      The LM-Response field MAY still be used (if present), but the  NT-
      Response  SHOULD  be tried first.  If least significant bit of the
      field is zero, the NT-Response field MUST be ignored and  the  LM-
      Response  field used instead.  If bit 1 of the Flags field is one,
      the Old-LM-Hash field is valid and SHOULD be used.  If this bit is
      set, at least one instance of the MS-CHAP-LM-Enc-PW attribute MUST
      be included in the packet.


5.7.  MS-CHAP-LM-Enc-PW

   Description

      This Attribute contains the new Windows NT password encrypted with
      the old LAN Manager password hash.  The encrypted Windows NT pass-
      word is 516 octets in length; since this is longer than the  maxi-
      mum lengtth of a RADIUS attribute, the password must be split into
      several attibutes for transmission.  A 2 octet sequence number  is



Zorn                                                           [Page 11]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      included  in  the attribute to help preserve ordering of the pass-
      word fragments.

      This Attribute is only used in Access-Request packets, in conjunc-
      tion with the MS-CHAP-CPW-2 attribute.  It should only be included
      if an MS-CHAP-Error attribute was included in the immediately pre-
      ceding Access-Reject packet, the String field of the MS-CHAP-Error
      attribute indicated that the user password had  expired,  and  the
      MS-CHAP version is 2 or greater.

   A  summary  of the MS-CHAP-LM-Enc-PW Attribute format is shown below.
   The fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |      Code     |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Sequence-Number         |          String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      5 for MS-CHAP-LM-Enc-PW

   Vendor-Length

      > 6

   Code

      6.  Code is the same as for the MS-CHAP-PW-2 attribute.

   Ident

      The Ident field is one octet and aids  in  matching  requests  and
      replies.   The  value  of  this  field  MUST  be  identical in all
      instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and MS-CHAP-
      PW-2  attributes  which  are  present  in  the same Access-Request
      packet.

   Sequence-Number

      The Sequence-Number field is two octets in  length  and  indicates
      which  "chunk"  of the encrypted password is contained in the fol-
      lowing String field.

   String



Zorn                                                           [Page 12]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      The String field contains a portion of the encrypted password.


5.8.  MS-CHAP-NT-Enc-PW

   Description

      This Attribute contains the new Windows NT password encrypted with
      the  old Windows NT password hash.  The encrypted Windows NT pass-
      word is 516 octets in length; since this is longer than the  maxi-
      mum lengtth of a RADIUS attribute, the password must be split into
      several attibutes for transmission.  A 2 octet sequence number  is
      included  in  the attribute to help preserve ordering of the pass-
      word fragments.

      This Attribute is only used in Access-Request packets, in conjunc-
      tion with the MS-CHAP-CPW-2 attribute.  It should only be included
      if an MS-CHAP-Error attribute was included in the immediately pre-
      ceding Access-Reject packet, the String field of the MS-CHAP-Error
      attribute indicated that the user password had  expired,  and  the
      MS-CHAP version is 2 or greater.

   A  summary  of the MS-CHAP-NT-Enc-PW Attribute format is shown below.
   The fields are transmitted from left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |      Code     |     Ident     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Sequence-Number       |           String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type

      6 for MS-CHAP-NT-Enc-PW

   Vendor-Length

      > 6

   Code

      6.  Code is the same as for the MS-CHAP-PW-2 attribute.

   Ident

      The Ident field is one octet and aids  in  matching  requests  and



Zorn                                                           [Page 13]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


      replies.   The  value  of  this  field  MUST  be  identical in all
      instances of the MS-CHAP-LM-Enc-PW, MS-CHAP-NT-Enc-PW and MS-CHAP-
      PW-2  attributes  which  are  present  in  the same Access-Request
      packet.

   Sequence-Number

      The Sequence-Number field is two octets in  length  and  indicates
      which  "chunk"  of the encrypted password is contained in the fol-
      lowing String field.

   String
      The String field contains a portion of the encrypted password.


5.9.  MS-CHAP-MPPE-Keys

   Description

      The MS-CHAP-MPPE-Keys Attribute contains two session keys for  use
      by  the Microsoft Point-to-Point Encryption Protocol (MPPE).  This
      Attribute is only included in Access-Accept packets.

   A summary of the MS-CHAP-MPPE-Keys Attribute format is  given  below.
   The fields are transmitted left to right.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Type | Vendor-Length |           Keys
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                            Keys (cont)
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Keys (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+




Zorn                                                           [Page 14]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


   Vendor-Type

      12 for MS-CHAP-MPPE-Keys.

   Vendor-Length

      34

   Keys

      The  Keys field consists of two logical sub-fields: the LM-Key and
      the NT-Key.  The LM-Key is eight octets in length and contains the
      first  eight bytes of the hashed LAN Manager password.  The NT-Key
      sub-field is sixteen octets in length and contains the first  six-
      teen  octets of the hashed Windows NT password.  The format of the
      plaintext Keys field is illustrated in the following diagram:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           LM-Key
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               LM-Key (cont)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           NT-Key
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               NT-Key (cont)
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               NT-Key (cont)
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               NT-Key (cont)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                          Padding
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                              Padding (cont)                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      The Keys field MUST be encrypted by the RADIUS  server  using  the
      same  method  defined  for  the User-Password Attribute [3].  Note
      that the padding is required because the method  referenced  above
      requires  the  field  to  be encrypted to be a multiple of sixteen
      octets in length.









Zorn                                                           [Page 15]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


6.  Table of Attributes

The following table provides a guide to which of  the  above  attributes
may be found in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Acct-Request #  Attribute
   0+      0      0      0+        0            11 MS-CHAP-Challenge
   0+      0      0      0         0             1 MS-CHAP-Response
   0       0+     0      0         0+           10 MS-CHAP-Domain
   0       0      0+     0         0             2 MS-CHAP-Error
   0+      0      0      0         0             3 MS-CHAP-CPW-1
   0+      0      0      0         0             4 MS-CHAP-CPW-2
   0+      0      0      0         0             5 MS-CHAP-LM-Enc-PW
   0+      0      0      0         0             6 MS-CHAP-NT-Enc-PW
   0       0+     0      0         0            12 MS-CHAP-MPPE-Keys

The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in packet.
   0+    Zero or more instances of this attribute MAY be present in packet.
   0-1   Zero or one instance of this attribute MAY be present in packet.


7.  References


[1]  Simpson,  W.,  "PPP  Challenge  Handshake  Authentication  Protocol
     (CHAP)", RFC 1994, August 1996

[2]  Bradner, S.,  "Key words for use in RFCs  to  Indicate  Requirement
     Levels", RFC 2119, March 1997

[3]  Rigney,  C.,  et.  al.,  "Remote  Access Dial In User Service", RFC
     2138, April 1997


8.  Security Considerations

MS-CHAP, like PPP CHAP, is  susceptible  to  dictionary  attacks.   User
passwords  should  be  chosen  with care, and be of sufficient length to
deter easy guessing.  Although the scheme used to protect the Keys field
of  the  MS-CHAP-MPPE-Keys Attribute is believed to be relatively secure
on the wire, RADIUS proxies will decrypt and re-encrypt  the  field  for
forwarding.   Therefore,  the  MS-CHAP-MPPE-Keys attribute SHOULD NOT be
used on networks where untrusted RADIUS proxies reside.






Zorn                                                           [Page 16]

INTERNET-DRAFT          MS-CHAP RADIUS Attributes           October 1997


9.  Acknowledgements

Thanks   to   Carl   Rigney   (cdr@livingston.com),   Narendra   Gidwani
(nareng@microsoft.com),  Steve  Cobb (stevec@microsoft.com), Pat Calhoun
(pcalhoun@usr.com), Dave  Mitton  (dmitton@baynetworks.com),  Paul  Funk
(paul@funk.com), Gurdeep Singh Pall (gurdeep@microsoft.com) and Don Rule
(donaldr@microsoft.com) for useful suggestions and editorial feedback.


10.  Expiration Date

This document expires April 1, 1997.


11.  Author's Address

   Glen Zorn
   Microsoft Corporation
   One Microsoft Way
   Redmond, Washington 98052

   Phone: +1 425 703 1559
   FAX:   +1 425 936 7329
   EMail: glennz@microsoft.com



























Zorn                                                           [Page 17]