
Use of the option

Unlike most other Telnet option codes, the use of the AUTHENTICATION option is not symmetric. Only the server may send DO AUTHENTICATION, and only the client may send WILL AUTHENTICATION. If the server does not support the option it will respond with DONT AUTHENTICATION. The client will respond with WONT AUTHENTICATION if it does not support authentication.

Once the server and client have negotiated and agreed to use the AUTHENTICATION option, they will begin the sub-negotiation.

The server will start the sub-negotiation by sending:

      IAC SB AUTHENTICATION SEND authentication-type-pair-list IAC SE

When the client receives this it will choose an authentication type and reply with:

      IAC SB AUTHENTICATION IS authentication-type-pair auth-data IAC SE

The auth data may or may not be filled in at this point. This depends on the AUTH_WHO_MASK bit. On receipt of the IS command, the server will then respond with:

      IAC SB AUTHENTICATION REPLY authentication-type-pair auth-data IAC SE

Only the server may use the REPLY sub-option and only the client may use the IS sub-option.

As many IS and REPLY sub-options may be exchanged as are required for the selected authentication type. The format of the auth-data must be defined for each particular authentication type. For example, RFC 1411 [15] defines the following sub-suboption commands for the Kerberos Version 4 authentication scheme: AUTH, REJECT, ACCEPT, CHALLENGE and RESPONSE. These commands are sent as the first byte of the auth-data field.
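
The framing and direction rules above can be checked mechanically, for example in a protocol monitor. The Python code below is an added example, not part of the original text or of any Telnet implementation. The byte values come from RFC 854/855 and RFC 1416; the function names and the sample frames are constructed for illustration.

```python
IAC, SB, SE = 255, 250, 240          # Telnet framing bytes (RFC 854/855)
AUTHENTICATION = 37                  # option code (RFC 1416)
IS, SEND, REPLY = 0, 1, 2            # sub-option commands (RFC 1416)
AUTH_WHO_MASK, AUTH_HOW_MASK = 1, 2  # modifier bits (RFC 1416)
NAMES = {IS: "IS", SEND: "SEND", REPLY: "REPLY"}
ALLOWED = {"server": {SEND, REPLY}, "client": {IS}}  # direction rule from the text

def decode_pair(auth_type, modifier):
    """Split an authentication-type-pair into (type, who, how)."""
    who = "server-to-client" if modifier & AUTH_WHO_MASK else "client-to-server"
    how = "mutual" if modifier & AUTH_HOW_MASK else "one-way"
    return (auth_type, who, how)

def parse_auth_subneg(frame: bytes, sender: str) -> dict:
    """Parse one IAC SB AUTHENTICATION ... IAC SE frame sent by `sender`."""
    if (len(frame) < 6 or frame[:3] != bytes([IAC, SB, AUTHENTICATION])
            or frame[-2:] != bytes([IAC, SE])):
        raise ValueError("not an AUTHENTICATION sub-negotiation frame")
    body = frame[3:-2]
    payload, i = bytearray(), 0
    while i < len(body):             # undo IAC doubling inside the sub-negotiation
        if body[i] == IAC:
            if i + 1 >= len(body) or body[i + 1] != IAC:
                raise ValueError("unescaped IAC inside sub-negotiation")
            i += 1
        payload.append(body[i])
        i += 1
    cmd, rest = payload[0], bytes(payload[1:])
    if cmd not in NAMES:
        raise ValueError(f"unknown sub-option command {cmd}")
    if cmd not in ALLOWED[sender]:
        raise ValueError(f"{sender} may not send {NAMES[cmd]}")
    if cmd == SEND:
        if len(rest) % 2:
            raise ValueError("odd-length authentication-type-pair-list")
        pairs = [decode_pair(rest[j], rest[j + 1]) for j in range(0, len(rest), 2)]
        return {"command": "SEND", "pairs": pairs}
    if len(rest) < 2:
        raise ValueError("missing authentication-type-pair")
    return {"command": NAMES[cmd], "pair": decode_pair(rest[0], rest[1]),
            "auth_data": rest[2:]}

# Constructed sample frames: the server offers type 1 (mutual) and type 0; the
# client picks type 1 and sends auth-data 00 FF 01 (the FF is doubled on the wire).
SERVER_SEND = bytes([IAC, SB, AUTHENTICATION, SEND, 1, 2, 0, 0, IAC, SE])
CLIENT_IS = bytes([IAC, SB, AUTHENTICATION, IS, 1, 2, 0, 255, 255, 1, IAC, SE])

if __name__ == "__main__":
    print(parse_auth_subneg(SERVER_SEND, "server"))
    print(parse_auth_subneg(CLIENT_IS, "client"))
```

The parser treats auth-data as opaque bytes, since its format is defined separately for each authentication type.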



Asgaut Eng
Wed Apr 10 14:07:30 MET DST 1996