Solstice PPP 3.0.1 Administration Guide

Challenge-Handshake Authentication Protocol (CHAP) Frames

CHAP frames are exchanged during the peer authentication phase, when peer authentication based on the Challenge-Handshake Authentication Protocol (CHAP) is requested as one of the configuration options during the link establishment phase. They have the general form shown in Figure A-6.

Figure A-6 CHAP Frame Format


Address Field

The address field is one octet in length, and is part of the HDLC-like framing for PPP. It is always set to 0xff.

Control Field

The control field is one octet in length, and is part of the HDLC-like framing for PPP. It is always set to 0x03.

Protocol Id

The protocol id identifies the type of information contained in the information field of the frame, and is always 0xc223 for CHAP frames.

Code Field

The code field is one octet in length and identifies the type of CHAP frame, based on the following codes:

0x01 Challenge

0x02 Response

0x03 Success

0x04 Failure

Id Field

The id field is one octet in length, and carries an identifier that is used to match associated requests and replies.

Length Field

The length field is two octets in length, and indicates the total length of the CHAP frame including the code, id, length, and data fields. The length must not exceed the maximum receive unit (MRU).

Data Field

The data field is zero or more octets in length, as indicated by the length field. It contains information associated with the authentication negotiation, in a format determined by the code field.

CHAP Challenge and Response Frames

CHAP Challenge frames (code 0x01) are used to start the authentication negotiation, and are transmitted by the authenticator. They contain the CHAP name and a challenge value, which is calculated from the CHAP secret using a one-way hash algorithm. Up to ten CHAP Challenge frames are sent without receiving a Response frame before the authentication phase fails.

A CHAP Response frame (code 0x02) is sent on receipt of a recognized CHAP Challenge frame. It contains a response value, which is calculated using the CHAP secret, the challenge value received, and the same one-way hash algorithm.

CHAP Challenge and Response frames have the format shown in Figure A-7:

Figure A-7 CHAP Challenge and Response Frame Format


The CHAP name is one or more octets in length and contains the character string specified by the send_chap_name parameter in the file ppp.conf.

CHAP Success and Failure Frames

A CHAP Success frame (code 0x03) is transmitted by the authenticator when it receives a recognizable CHAP response frame that contains an acceptable CHAP name and response value.

A CHAP Failure frame (code 0x04) is transmitted by the authenticator when it receives a CHAP response frame that is not recognizable, or that contains an unacceptable PAP id and PAP password pair. The link is always terminated.
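The field layout described above can be checked in code. The following parser is an added example, not code from Solstice PPP: it validates the header, code and length fields, splits Challenge and Response data, and checks a response value the way an authenticator would. Assumptions: the value-size octet ahead of the value and the MD5 calculation over id, secret and challenge are taken from RFC 1994 rather than from this guide, the 1500-octet MRU is the PPP default, and the function names and sample frames are constructed for illustration.

```python
import hashlib
import hmac
import struct

PPP_HEADER = b"\xff\x03\xc2\x23"   # address, control, protocol id for CHAP
CODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
DEFAULT_MRU = 1500                 # assumption: PPP default MRU


def build_frame(code, ident, value, name):
    """Build a constructed Challenge/Response frame for testing the parser."""
    data = bytes([len(value)]) + value + name
    return PPP_HEADER + struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_chap_frame(frame, mru=DEFAULT_MRU):
    """Parse one unescaped CHAP frame (no flags, no FCS); ValueError if malformed."""
    if len(frame) < 8 or frame[:4] != PPP_HEADER:
        raise ValueError("not a CHAP frame")
    code, ident, length = struct.unpack("!BBH", frame[4:8])
    if code not in CODES:
        raise ValueError("unknown CHAP code")
    # Length covers code, id, length and data: it must fit the buffer and the MRU.
    if length < 4 or length > mru or length > len(frame) - 4:
        raise ValueError("bad length field")
    data = frame[8:4 + length]
    parsed = {"code": CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        # RFC 1994 layout: value-size (1 octet), value, then name (1+ octets).
        if not data or data[0] == 0 or len(data) < data[0] + 2:
            raise ValueError("bad value-size or missing CHAP name")
        parsed["value"] = data[1:1 + data[0]]
        parsed["name"] = data[1 + data[0]:]
    else:
        parsed["message"] = data
    return parsed


def response_ok(secret, challenge, response):
    """Authenticator-side check of a parsed Response against a parsed Challenge."""
    if response["id"] != challenge["id"]:
        return False
    expected = hashlib.md5(bytes([challenge["id"]]) + secret + challenge["value"]).digest()
    return hmac.compare_digest(expected, response["value"])
```

Rejecting a frame whose length or value-size field disagrees with the bytes actually received keeps a malformed frame from being read past its end, and the constant-time comparison avoids leaking how much of a response value matched.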