IBM SC30-3681-08 Saw User Manual


 
There are different authentication protocols in use: Password Authentication
Protocol (PAP) and Challenge/Handshake Authentication Protocol (CHAP).
Microsoft PPP CHAP (MS-CHAP) is also available to authenticate Windows
workstations and peer routers. PAP and CHAP are described in detail in RFC 1334,
and briefly described later in this section. MS-CHAP is described in RFC 1994.
On remote dial-in access ports, a third authentication protocol is available. This is
Shiva Password Authentication Protocol (SPAP), which is a Shiva proprietary
protocol. See “Shiva Password Authentication Protocol (SPAP)” on page 457 for
more information.
Whether a box requires the other end to authenticate itself (and if so, with what
protocol) is determined during the LCP negotiation phase. Authentication could be
considered to “fail” even at the link establishment phase (LCP negotiation), if one
end does not know how, or refuses to use, the authentication protocol the other end
requires.
Each end of a link sets its own requirements for how it wants the other end to
authenticate itself. For example, given two routers “A” and “B”, connected over a
PPP link, side A may require that B authenticate itself to A using PAP, and side B
may require that A similarly identify itself using CHAP. It is valid for one end to
require authentication while the other end requires none.
In addition to initial authentication during link establishment, with some protocols an
authenticator may demand that the peer reestablish its credentials periodically. With
CHAP, for example, a rechallenge may be issued at any time by the authenticator,
and the peer must reply successfully or lose the link.
If more than one authentication protocol is enabled on a link, the router initially
attempts to use them in the following priority order:
1. MS-CHAP
2. CHAP
3. PAP
4. SPAP
Note: SPAP is only available on interfaces that have IBM DIALs Dial-In circuits
configured.
If the remote side responds to the authentication request with NAK and suggests an
alternative, the router uses the alternative, provided that it is enabled on the link. If
the remote side continues responding to the router’s suggestions with NAK but
does not provide an alternative that the router has enabled, the link is terminated.
Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) provides a simple method for the peer
to establish its identity using a two-way handshake. This is done only upon initial
link establishment. Following link establishment, the peer sends an ID/Password
pair to the authenticator until authentication is acknowledged or the connection is
terminated. Passwords are sent over the circuit “in the clear,” and there is no
protection from playback or repeated trial and error attacks. The peer controls the
frequency and timing of the attempts.
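As an added illustration that is not part of the manual, the following Python decodes a PAP Authenticate-Request and produces the authenticator's Authenticate-Ack or Authenticate-Nak using the packet layout from RFC 1334. The peer name, password, identifier and the secrets table in the sample are constructed; note that the password is read straight from the octets, which is what "in the clear" means on a captured link.

```python
import struct

# PAP packet codes from RFC 1334
AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3

def parse_pap_request(pkt: bytes) -> dict:
    """Decode a PAP Authenticate-Request: Code, Identifier, Length,
    Peer-ID-Length, Peer-ID, Passwd-Length, Password (RFC 1334)."""
    if len(pkt) < 6:
        raise ValueError("truncated PAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQ:
        raise ValueError(f"not an Authenticate-Request (code {code})")
    if length < 6 or length > len(pkt):
        raise ValueError("bad PAP Length field")
    body = pkt[4:length]
    id_len = body[0]
    peer_id = body[1:1 + id_len]
    pw_pos = 1 + id_len
    if len(peer_id) != id_len or pw_pos >= len(body):
        raise ValueError("truncated Peer-ID")
    pw_len = body[pw_pos]
    password = body[pw_pos + 1:pw_pos + 1 + pw_len]
    if len(password) != pw_len:
        raise ValueError("truncated Password")
    # Both fields arrive as plain octets: no hash, no nonce, no replay protection.
    return {"ident": ident, "peer_id": peer_id, "password": password}

def pap_authenticate(pkt: bytes, secrets: dict) -> bytes:
    """Authenticator side of the two-way handshake: reply with Authenticate-Ack
    or Authenticate-Nak (Code, Identifier, Length, Msg-Length, Message)."""
    req = parse_pap_request(pkt)
    ok = secrets.get(req["peer_id"]) == req["password"]
    code, msg = (AUTH_ACK, b"Welcome") if ok else (AUTH_NAK, b"Bad credentials")
    # Length covers the 5 fixed header octets plus the Message
    return struct.pack("!BBHB", code, req["ident"], 5 + len(msg), len(msg)) + msg

# Constructed sample: peer "routerB" offering password "s3cret", identifier 0x2A
SAMPLE_REQ = struct.pack("!BBH", AUTH_REQ, 0x2A, 19) + b"\x07routerB\x06s3cret"

if __name__ == "__main__":
    print(parse_pap_request(SAMPLE_REQ))
    print(pap_authenticate(SAMPLE_REQ, {b"routerB": b"s3cret"}))
```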
Using PPP
456
MRS V3.2 Software User’s Guide