CHAP frames are exchanged during the peer authentication phase, when peer authentication based on the Challenge-Handshake Authentication Protocol (CHAP) is requested as one of the configuration options during the link establishment phase. They have the general form shown in Figure A-6.
The address field is one octet in length, and is part of the HDLC-like framing for PPP. It is always set to 0xff.
The control field is one octet in length, and is part of the HDLC-like framing for PPP. It is always set to 0x03.
The protocol id identifies the type of information contained in the information field of the frame, and is always 0xc223 for CHAP frames.
The code field is one octet in length and identifies the type of CHAP frame, based on the following codes:
0x01 Challenge
0x02 Response
0x03 Success
0x04 Failure
The id field is one octet in length, and carries an identifier that is used to match associated requests and replies.
The length field is two octets in length, and indicates the total length of the CHAP frame including the code, id, length, and data fields. The length must not exceed the maximum receive unit (MRU).
The data field is zero or more octets in length, as indicated by the length field. It contains information associated with the authentication negotiation, in a format determined by the code field.
CHAP Challenge frames (code 0x01) are used to start the authentication negotiation, and are transmitted by the authenticator. They contain the CHAP name and a challenge value, which is calculated from the CHAP secret using a one-way hash algorithm. Up to ten CHAP Challenge frames are sent; if no Response frame has been received by then, the authentication phase fails.
A CHAP Response frame (code 0x02) is sent on receipt of a recognized CHAP Challenge frame. It contains a response value, which is calculated using the CHAP secret, the challenge value received, and the same one-way hash algorithm.
CHAP Challenge and Response frames have the format shown in Figure A-7:
The CHAP name is one or more octets in length and contains the character string specified by the send_chap_name parameter in the file ppp.conf.
A CHAP Success frame (code 0x03) is transmitted by the authenticator when it receives a recognizable CHAP response frame that contains an acceptable CHAP name and response value.
A CHAP Failure frame (code 0x04) is transmitted by the authenticator when it receives a CHAP response frame that is not recognizable, or that contains an unacceptable PAP id and PAP password pair. The link is always terminated after a CHAP Failure frame is sent.
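The field rules above can be enforced by a strict parser that rejects a frame before any authentication logic sees it. The following is an added example, not code from the original document or from any PPP implementation. It assumes the frame arrives with flags and frame check sequence already removed, that Challenge and Response data use the RFC 1994 layout (a one-octet value size, the value, then the name), and an MRU of 1500. The names parse_chap_frame, ChapFrameError and build_sample_challenge are hypothetical.

```python
import struct

CODES = {0x01: "Challenge", 0x02: "Response", 0x03: "Success", 0x04: "Failure"}
DEFAULT_MRU = 1500  # assumption: a real link uses the negotiated MRU


class ChapFrameError(ValueError):
    """Raised when a frame violates the CHAP field rules."""


def parse_chap_frame(frame: bytes, mru: int = DEFAULT_MRU) -> dict:
    """Validate address, control, protocol id, code and length, then split the data."""
    if len(frame) < 8:
        raise ChapFrameError("frame shorter than the fixed header")
    address, control, protocol, code, ident, length = struct.unpack("!BBHBBH", frame[:8])
    if (address, control) != (0xFF, 0x03):
        raise ChapFrameError("bad HDLC address or control field")
    if protocol != 0xC223:
        raise ChapFrameError("protocol id is not CHAP")
    if code not in CODES:
        raise ChapFrameError("unknown CHAP code")
    # length covers code, id, length and data: at least 4, at most the MRU,
    # and never more than the octets actually received after the protocol id.
    if length < 4 or length > mru or length > len(frame) - 4:
        raise ChapFrameError("invalid length field")
    data = frame[8:4 + length]  # octets past the declared length are padding
    out = {"code": CODES[code], "id": ident, "length": length, "data": data}
    if code in (0x01, 0x02):
        # Assumed RFC 1994 layout: value-size octet, value, then name.
        # The value size must leave room for a name of at least one octet.
        if not data or data[0] == 0 or 1 + data[0] >= len(data):
            raise ChapFrameError("value size inconsistent with length field")
        out["value"] = data[1:1 + data[0]]
        out["name"] = data[1 + data[0]:]
    return out


def build_sample_challenge() -> bytes:
    """Constructed sample: Challenge, id 0x2a, 16-octet value, name 'hostA'."""
    value, name = bytes(range(16)), b"hostA"
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBHBBH", 0xFF, 0x03, 0xC223, 0x01, 0x2A, 4 + len(body)) + body


if __name__ == "__main__":
    print(parse_chap_frame(build_sample_challenge()))
```

An authenticator would additionally compare the id of each parsed Response against the id of its outstanding Challenge before evaluating the response value.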