HP-UX AAA Server A.08.02 Administrator's Guide
B Supported Authentication Methods
The following list describes the authentication methods the HP-UX AAA Server supports:
Password Authentication Protocol (PAP)
This method is most appropriate where a plaintext password must be used to simulate a login at
a remote host; used that way, it provides a level of security similar to the usual user login at the
remote host. PAP gives the user a great deal of flexibility because the password can be decrypted
at the RADIUS server site.
OTP Authentication
This authentication method is based on the HOTP algorithm developed by the OATH consortium.
It can be used to provide OTP and two-factor authentication in a variety of deployment scenarios.
For more information on OTP authentication, see Chapter 16 (page 127).
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a one-way hashing algorithm that is used to periodically verify the identity of a user.
The challenge occurs between the user and the NAS before the NAS sends an Access-Request: the
user must respond by encrypting the challenge (usually a random number) and returning the result.
The NAS then forwards the challenge and the response in the Access-Request, which the AAA
server uses to authenticate the user.
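The two exchanges described above for PAP and CHAP, shown on the RADIUS server side as an added example (this is not code from the HP-UX AAA Server; the shared secret, password, authenticator and challenge are constructed sample values). It shows why a PAP password is recoverable with the shared secret, and how the forwarded CHAP challenge and response are checked:

```python
import hashlib
import hmac
import os

def radius_pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as the NAS does for the User-Password attribute (RFC 2865 5.2):
    each 16-byte block is XORed with MD5(secret + previous block), seeded with the
    16-byte Request Authenticator. This is reversible, not a one-way hash."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out.extend(block)
        prev = block
    return bytes(out)

def radius_pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext at the RADIUS server with the shared secret, which is why
    the guide says a PAP password 'can be decrypted at the RADIUS server site'."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out.extend(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What the user's client returns: MD5(identifier || password || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_password_attr: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server-side check of the forwarded CHAP-Password attribute (RFC 2865 5.3):
    octet 0 is the CHAP identifier, octets 1..16 the client's MD5 response.
    Note the server must hold the cleartext password to recompute the hash."""
    if len(chap_password_attr) != 17:
        return False
    chap_id, response = chap_password_attr[0], chap_password_attr[1:]
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)

if __name__ == "__main__":
    # Constructed sample values; not from any real deployment.
    secret, authenticator = b"constructed-shared-secret", os.urandom(16)
    pw = b"correct horse battery staple"        # 28 bytes: exercises block chaining
    assert radius_pap_decode(radius_pap_encode(pw, secret, authenticator), secret, authenticator) == pw
    challenge, chap_id = os.urandom(16), 7
    attr = bytes([chap_id]) + chap_response(chap_id, pw, challenge)
    print("PAP round trip ok; CHAP verify:", chap_verify(attr, challenge, pw),
          "wrong password:", chap_verify(attr, challenge, b"guess"))
```

The practical consequence for the password store: CHAP verification needs the cleartext password on the server, whereas PAP lets the server recover the password and compare it against any stored hash format.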
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP is an implementation of the CHAP protocol created by Microsoft to authenticate remote
Windows workstations. In most respects, MS-CHAP is identical to CHAP, but there are some
differences. MS-CHAP is based on the encryption and hashing algorithms used by Windows
networks, and the MS-CHAP response to a challenge is in a format optimized for compatibility
with Windows operating systems.
Extensible Authentication Protocol (EAP)
EAP is a secure authentication protocol used to establish a connection. It offers more flexibility to
handle authentication requests with different encryption algorithms, allowing authentication by
encapsulating various types of authentication exchanges, such as MD5. These EAP messages can be
encapsulated in the packets of other protocols, such as RADIUS, for compatibility with a wide range
of authentication mechanisms. This flexibility also allows EAP to be implemented in a way that is
more suitable for wireless and mobile environments than other authentication protocols. EAP allows
authentication to take place directly between the user and the server, without the intervention of the
access device that occurs with CHAP.
The following is a list of the supported EAP authentication methods you can use with this version
of the HP-UX AAA Server:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the client using
its digital certificate. TLS features include Dynamic Key Exchange; Mutual Authentication; Digital
Certificate/Token Card-based Authentication; and Encrypted Tunnelling.
NOTE: Some wireless supplicants require specific extensions to support certificates for EAP.
• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods such as PAP
and CHAP. Integrates with the widest variety of password storage formats and existing
password-based authentication systems. Supplicants are available for a large number of
clients. TTLS features include Dynamic Key Exchange; Mutual Authentication; Password-based
Authentication; and Encrypted Tunnelling.