3.1.5 Message Processing Events and Sequencing Rules

The Extensible Authentication Protocol Method for Microsoft CHAP uses the common message processing events and sequencing rules specified for EAP in [RFC3748]. These include:

  • ┬áThe optional EAP-Identity message exchange prior to authentication, which is used when an authenticator does not know the identity of a peer (as specified in [RFC3748] section 3.1).

  • EAP Request/Response processing.

  • EAP Success/Failure, which indicates the termination of the authentication phase.

An implementation MUST follow the semantics for all EAP messages, as specified in [RFC3748].

If a peer or an EAP server receives an invalid Extensible Authentication Protocol Method for Microsoft CHAP message, the authentication phase MUST terminate. In this instance, invalid means "not conforming to this specification".

EAP method execution at an entity involves processing the embedded MSCHAPv2 packet (if any) from the received Extensible Authentication Protocol Method for Microsoft CHAP message. Any processing of an embedded MSCHAPv2 message MUST be done as specified in [RFC2759]. Any resulting MSCHAPv2 message is embedded into a new EAP message and returned to the remote entity. The following list provides more detail.

  • If the MSCHAPv2 processing generates a new MSCHAPv2 packet, it MUST be enclosed as a Type-Data of an EAP message with Type-Code set to 0x1A and sent to the other end. The rules for selecting the appropriate EAP code value for the MSCHAPv2 code value are specified in section 2.

  • If the MSCHAPv2 processing results in an error, the peer and EAP server processing differ from each other. Message processing events are specified in sections 3.2.5 and 3.3.5.

  • If the MSCHAPv2 processing results in either an error or a new MSCHAPv2 packet (as happens when a peer receiving a Success-Request message that has an embedded MSCHAPv2 Success packet is validated successfully), the applicable message processing events are as specified in section 3.2.5.