PPP Authentication Protocols

Phase 2 of the PPP connection establishment process is the authentication of the remote access client. Authentication for PPP is accomplished through a PPP authentication protocol. During Phase 1, both PPP peers agree on a single, specific PPP authentication protocol.

Windows 2000 remote access supports Extensible Authentication Protocol (EAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2, Shiva Password Authentication Protocol (SPAP), and Password Authentication Protocol (PAP).

A secure authentication scheme provides protection against replay attacks, remote access client impersonation, and remote access server impersonation.

  • A replay attack occurs when a person captures the packets of a successful connection attempt and then replays those packets in an attempt to obtain an authenticated connection.

  • Remote access client impersonation occurs when a person takes over an existing authenticated connection. The intruder waits until the connection is authenticated and then obtains the connection parameters, disconnects the user, and takes control of the authenticated connection.

  • Remote access server impersonation occurs when a computer appears as the remote access server to the remote access client. The impersonator appears to verify the remote access client credentials and then captures all of the traffic from the remote access client.
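
The replay protection described above can be seen by comparing two of the listed protocols. The following is an added example, not part of the original page or of any Windows component: it checks a CHAP response computed as in RFC 1994 (MD5 over identifier, secret, and challenge) against a fresh challenge per attempt, next to a PAP-style static password check. The account name, secret, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side of CHAP: a fresh random challenge for every attempt."""
    def __init__(self, secrets):
        self.secrets = secrets      # name -> shared secret
        self.pending = {}           # name -> (identifier, challenge)
        self.next_id = 0

    def new_challenge(self, name):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[name] = (ident, challenge)
        return ident, challenge

    def verify(self, name, ident, response):
        outstanding = self.pending.pop(name, None)   # each challenge is single-use
        if outstanding is None or name not in self.secrets:
            return False
        expected = chap_response(outstanding[0], self.secrets[name], outstanding[1])
        return ident == outstanding[0] and hmac.compare_digest(expected, response)

def pap_verify(secrets, name, password):
    # PAP: the client sends the same static password on every attempt
    return name in secrets and hmac.compare_digest(secrets[name], password)

def demo():
    secrets = {"alice": b"constructed-secret"}       # constructed sample account
    chap = ChapAuthenticator(secrets)
    # Legitimate attempt; assume an observer records what the client sent.
    ident, challenge = chap.new_challenge("alice")
    captured = (ident, chap_response(ident, secrets["alice"], challenge))
    chap_first = chap.verify("alice", *captured)
    # Later attempt: the server issues a new challenge, so the recording is stale.
    chap.new_challenge("alice")
    chap_replay = chap.verify("alice", *captured)
    # With PAP the recorded bytes are the credential itself.
    recorded = b"constructed-secret"
    pap_replay = pap_verify(secrets, "alice", recorded)
    return chap_first, chap_replay, pap_replay

if __name__ == "__main__":
    print(demo())
```

The recorded CHAP response is rejected on the second attempt because it was computed over a challenge the server no longer accepts, while the recorded PAP password is still accepted.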