Which two features are added in MSCHAP Version 2? (Choose two)
A. Backwards-compatibility with MSCHAP version 1
B. Using the MD5 hash for stronger security
C. Ability to change an expired password
D. using 3 way handshakes for authentication
E. mutual authentication between peers
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/administration/guide/b_AnyConnect_Administrator_Guide_4-6/configure_nam.pdf
MS-CHAPv2—Provides mutual authentication between peers by including a peer challenge in the
response packet and an authenticator response in the success packet. The client is authenticated before
the server. If the server needs to be authenticated before the client (to prevent dictionary attacks), you
should configure EAP-TTLSto validate the server’s certificate atPhase 1. Using this challenge-response
method based on the NT-hash of the password, you are required to store either the clear text password
or at least the NT-hash of the password in the authenticator’s database.
CE
https://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sbaschap.html
SCHAP V2 authentication is not compatible with MSCHAP V1 authentication.
This feature allows the client to change the account password if the RADIUS server reports that the password has expired.
MSCHAP V2 introduces mutual authentication between peers and a change password feature.