ADC Telecommunications, Inc.
138 CHAPTER 7: PACKET OVER SONET ADMINISTRATION
Configuring PPP SecurityChallenge Handshake Authentication Protocol (CHAP) and Password
Authentication Protocol (PAP) provide authentication mechanisms that serve
to identify the peers that want to establish point-to-point connections. Using
both CHAP and PAP, the device must provide a known username and
password to the POS interface with which it wants to establish a PPP
connection.
CHAP is more secure than PAP. CHAP clients respond to challenges with an
encrypted version of the password; PAP sends unencrypted straight text ove r
the network. In addition, CHAP calls for both endpoints to perform a
computation to arrive at a secret string; PAP does not. You can configure the
POS interface to attempt authentication using one protocol, and if refused,
attempt authorization with the other.
SONET connections are provisioned as point-to-point circuits. The connection
is initiated by one peer — the caller — into an adjacent peer — the callee.
The caller is referred to as the client; and the callee is referred to as the
server. Each CHAP and PAP must be enabled at both endpoints of a
point-to-point connection and configured to operate in both client and
server mode, as described in the following sections.
Both CHAP and PAP are specified in RFC 1334.
Configuring Client-Side Security Parameters
When initiating a point-to-point connection, the POS interface acts as a
client and calls into a remote end-point, which functions as a PPP server. If
PAP, CHAP, or both forms of authentication are enabled on the server, then
the same authentication protocols must be enabled on the POS interface.
The POS interface, acting as a client, must provide the remote server with the
correct username and password. If the interface fails to provide the correct
information, the remote device will not allow it to call in and establish a
connection.
You can enable CHAP and PAP client-side authentication and configure the
security information — username and password — that the POS interface
sends to a PPP server when initiating a point-to-point connection.