Command Reference Guide Demand Interface Configuration Command Set
61200510L1-35E Copyright © 2005 ADTRAN 832
Several example scenarios are given below for clarity.
Configuring PAP Example 1: Only the local router requires the peer to authenticate itself.
On the local router (hostname Local):
Local(config-demand 1)#ppp authentication pap
Local(config-demand 1)#username farend password same
On the peer (hostname Peer):
Peer(config-demand 1)#ppp pap sent-username farend password same
The first line of the configuration sets the authentication mode as PAP. This means the peer is required to
authenticate itself to the local router via PAP. The second line is the username and password expected to
be sent from the peer. On the peer, the ppp pap sent-username command is used to specify the
appropriate matching username and password.
Configuring PAP Example 2: Both routers require the peer to authenticate itself.
On the local router (hostname Local):
Local(config-demand 1)#ppp authentication pap
Local(config-demand 1)#username farend password far
Local(config-demand 1)#ppp pap sent-username nearend password near
On the peer (hostname Peer):
Peer(config-demand 1)#ppp authentication pap
Peer(config-demand 1)#username nearend password near
Peer(config-demand 1)#ppp pap sent-username farend password far
Now both routers send the authentication request, verify that the username and password sent match what
is expected in the database, and send an authentication acknowledge.
Defining CHAP
The Challenge-Handshake Authentication Protocol (CHAP) is a three-way authentication protocol
composed of a challenge, a response, and a success or failure. The MD5 protocol is used to protect usernames
and passwords in the response.
First, the local router (requiring its peer to be authenticated) sends a "challenge" containing only its own
unencrypted username to the peer. The peer then looks up the username in the username database within
the PPP interface, and if found takes the corresponding password and its own hostname and sends a
"response" back to the local router. This data is encrypted. The local router verifies that the username and
password are in its own username database within the PPP interface, and if so sends a "success" back to
the peer.
The PPP username and password database is separate and distinct from the global
username password database. For PAP and CHAP, use the database under the PPP
interface configuration.
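The three-way exchange described above, sketched in Python as an added example (not ADTRAN code). It follows RFC 1994, where the challenge also carries an identifier and a random value and the response is MD5(identifier || secret || challenge); the database contents and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the per-interface PPP username database on each side.
LOCAL_DB = {"Peer": "same"}    # on router "Local": peer hostname -> shared secret
PEER_DB = {"Local": "same"}    # on router "Peer": challenger hostname -> shared secret


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def make_challenge(hostname: str, identifier: int):
    """Step 1 (authenticator): random challenge plus its own cleartext name."""
    return {"id": identifier, "value": os.urandom(16), "name": hostname}


def answer_challenge(challenge: dict, hostname: str, user_db: dict):
    """Step 2 (peer): look up the challenger's name and hash the matching secret."""
    secret = user_db.get(challenge["name"])
    if secret is None:
        return None  # unknown challenger: no response can be built
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": hostname}


def verify_response(challenge: dict, response, user_db: dict) -> bool:
    """Step 3 (authenticator): recompute the hash and compare in constant time."""
    if response is None or response["id"] != challenge["id"]:
        return False
    secret = user_db.get(response["name"])
    if secret is None:
        return False
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def handshake(local_db: dict, peer_db: dict) -> str:
    """Run the three-way exchange and return 'success' or 'failure'."""
    challenge = make_challenge("Local", identifier=1)
    response = answer_challenge(challenge, "Peer", peer_db)
    return "success" if verify_response(challenge, response, local_db) else "failure"


if __name__ == "__main__":
    print(handshake(LOCAL_DB, PEER_DB))                 # matching secrets
    print(handshake(LOCAL_DB, {"Local": "different"}))  # mismatched secret
```

Because each challenge value is random, a response captured from one exchange does not verify against a later challenge.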