Overview

MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol (CHAP).
MS-CHAP exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with Windows Server NT 4.0 SP4 and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release" and to Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for Microsoft Windows 95" upgrade. Windows Vista dropped support for MS-CHAPv1.
MS-CHAP is used as one authentication option in Microsoft's implementation of the PPTP protocol for Virtual Private Networks. It is also used as an authentication option with RADIUS servers, which are used for WiFi security using the WPA-Enterprise protocol. It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP).
Compared with CHAP, MS-CHAP:
- is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol
- provides an authenticator-controlled Password Change mechanism
- provides an authenticator-controlled authentication retry mechanism
- defines failure Result Codes returned in the Failure packet message field
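
The negotiation in the first bullet can be read straight off a captured LCP Configure packet, which is how an audit of PPP or PPTP traffic identifies peers still offering MS-CHAP. The parser below is an added example, not code from the RFCs or from any Microsoft implementation; the function name and sample packets are constructed for illustration, and the CHAP protocol number 0xC223 and MD5 algorithm 0x05 come from RFC 1994 rather than from this page.

```python
import struct

# CHAP protocol number and the MD5 algorithm value 0x05 are from RFC 1994.
CHAP_PROTOCOL = 0xC223
CHAP_ALGORITHMS = {0x05: "CHAP-MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}
AUTH_PROTOCOL_OPTION = 3  # LCP option 3, Authentication Protocol
CONFIGURE_CODES = {1, 2, 3, 4}  # Configure-Request, -Ack, -Nak, -Reject


def lcp_auth_protocol(packet: bytes):
    """Name the authentication protocol in an LCP Configure-* packet.
    Returns None if option 3 is absent (or the packet is not Configure-*);
    raises ValueError when a length field is inconsistent."""
    if len(packet) < 4:
        raise ValueError("LCP header truncated")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("LCP length field out of range")
    if code not in CONFIGURE_CODES:
        return None
    options, pos = packet[4:length], 0
    while pos < len(options):
        if pos + 2 > len(options):
            raise ValueError("option header truncated")
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError("option length out of range")
        body = options[pos + 2 : pos + opt_len]
        pos += opt_len
        if opt_type != AUTH_PROTOCOL_OPTION:
            continue
        if len(body) < 2:
            raise ValueError("option 3 lacks a protocol number")
        (protocol,) = struct.unpack("!H", body[:2])
        if protocol != CHAP_PROTOCOL:
            return f"protocol 0x{protocol:04X}"
        if len(body) < 3:
            raise ValueError("CHAP option lacks an algorithm byte")
        return CHAP_ALGORITHMS.get(body[2], f"CHAP algorithm 0x{body[2]:02X}")
    return None


# Constructed Configure-Requests: MRU + option 3 + magic number, then option 3 alone.
SAMPLE_V2 = bytes.fromhex("01 01 00 13 01 04 05 dc 03 05 c2 23 81 05 06 12 34 56 78")
SAMPLE_V1 = bytes.fromhex("01 02 00 09 03 05 c2 23 80")

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(sample.hex(), "->", lcp_auth_protocol(sample))
```

A result of "MS-CHAP" marks a peer still negotiating the v1 algorithm that Windows Vista no longer supports.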