2.2 Message Syntax

All message fields are transmitted from left to right, unless otherwise indicated.

The general format of EAP-MSCHAPv2 request and response messages is to embed MSCHAPv2 [RFC2759] packets in the Type-Data (or the payload) part of an EAP [RFC3748] message. In two response messages, only the MSCHAPv2 Success/Failure Code value is encapsulated instead of the whole MSCHAPv2 packet.

The following table specifies the encapsulation of MSCHAPv2 in EAP request messages, which are received by the peer. The format of EAP request messages is specified in [RFC3748] section 4.1, with the Type field set to 0x1A and an OpCode of 01 for request. <1>

| EAP-MSCHAPv2 message | Encapsulation |
|---|---|
| Challenge-Request | MSCHAPv2 Challenge Packet |
| Success-Request | MSCHAPv2 Success Packet |
| Failure-Request | MSCHAPv2 Failure Packet |

The MSCHAPv2 Failure packet, encapsulated in a Failure-Request packet, SHOULD have the E field (error code) set to ERROR_PASSWD_EXPIRED(648) or ERROR_AUTHENTICATION_FAILURE(691). The R bit can be set to zero or one as specified in section 3.3.5.2. The C field is the challenge value and the V field SHOULD always be set to 3 (as specified in [RFC2759]). The M=<msg> field is currently not used. The processing rules for the Failure-Request packet are as specified in sections 3.2.5.4 and 3.3.5.2.

The following table specifies the encapsulation of MSCHAPv2 in EAP response messages, which are received by the EAP server. The format of EAP response messages is specified in [RFC3748] section 4.1, with the Type field set to 0x1A and an OpCode of 02 for response.

| EAP-MSCHAPv2 message | Encapsulation |
|---|---|
| Challenge-Response | MSCHAPv2 Response Packet |
| Success-Response | MSCHAPv2 Success Code value only |
| Failure-Response | MSCHAPv2 Failure Code value only |
| Change-Password-Response | MSCHAPv2 Change-Password Packet |
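
The following Python parser is an added example, not part of the specification. It classifies a packet against the two encapsulation tables in this section and decodes the E, R, C and V fields of a Failure-Request. It assumes the EAP header layout of [RFC3748] section 4.1, the packet codes and failure-string layout of [RFC2759], and a strict MSCHAPv2 length check; the function name and the sample packets are constructed for illustration.

```python
import re
import struct

EAP_TYPE_MSCHAPV2 = 0x1A
# (EAP Code, MSCHAPv2 code) -> message name, per the two tables (codes from RFC 3748 / RFC 2759).
MESSAGES = {
    (1, 1): "Challenge-Request", (1, 3): "Success-Request", (1, 4): "Failure-Request",
    (2, 2): "Challenge-Response", (2, 3): "Success-Response",
    (2, 4): "Failure-Response", (2, 7): "Change-Password-Response",
}
CODE_ONLY = {"Success-Response", "Failure-Response"}
EXPECTED_ERRORS = {648: "ERROR_PASSWD_EXPIRED", 691: "ERROR_AUTHENTICATION_FAILURE"}
# RFC 2759 failure string: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(rb"E=(\d{1,10}) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d{1,10})(?: M=(.*))?\Z", re.S)

def parse_eap_mschapv2(pkt: bytes) -> dict:
    # Classify one EAP-MSCHAPv2 packet; decode the body of a Failure-Request.
    if len(pkt) < 6:
        raise ValueError("shorter than EAP header plus one MSCHAPv2 code byte")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if eap_type != EAP_TYPE_MSCHAPV2 or not 6 <= length <= len(pkt):
        raise ValueError("not EAP-MSCHAPv2 or bad EAP Length")
    data = pkt[5:length]                      # Type-Data; bytes past EAP Length ignored
    name = MESSAGES.get((code, data[0]))
    if name is None:
        raise ValueError("code combination not listed in the encapsulation tables")
    out = {"message": name, "eap_id": ident, "notes": []}
    if name in CODE_ONLY:                     # only the Success/Failure code value
        if len(data) != 1:
            raise ValueError(f"{name} must carry the code value only")
        return out
    # Assumption: strict check that the MSCHAPv2 length equals EAP Length - 5.
    if len(data) < 4 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("MSCHAPv2 length does not match EAP Length")
    if name == "Failure-Request":
        m = FAILURE_RE.match(data[4:])
        if m is None:
            raise ValueError("malformed failure string")
        err, ver = int(m.group(1)), int(m.group(4))
        out.update(error=err, retry=m.group(2) == b"1", version=ver, challenge=bytes.fromhex(m.group(3).decode()))
        if err not in EXPECTED_ERRORS:        # SHOULD-level rule: flag, do not reject
            out["notes"].append(f"unexpected E={err}")
        if ver != 3:
            out["notes"].append(f"V={ver}, expected 3")
    return out

# Constructed sample packets (not captured traffic).
_MSG = b"E=691 R=0 C=00112233445566778899AABBCCDDEEFF V=3"
SAMPLE_FAILURE_REQUEST = struct.pack("!BBHBBBH", 1, 7, 9 + len(_MSG), 0x1A, 4, 7, 4 + len(_MSG)) + _MSG
SAMPLE_FAILURE_RESPONSE = bytes([2, 7, 0, 6, 0x1A, 4])
```

Deviations from the SHOULD-level rules (an E value other than 648 or 691, a V value other than 3) are reported in `notes` rather than rejected, while code combinations absent from the tables raise `ValueError`.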