Chapter 11: AI2524 Sync PPP Configuration Steps
August 1997 Page 11-3
2524UM
Enable PPP Encapsulation
You can enable PPP on serial lines to encapsulate IP and other network
protocol datagrams in interface configuration mode:
encapsulation ppp
PPP echo requests are used as keepalives to minimize disruptions to
the end users of your network. The no keepalive command can be
used to disable echo requests.
Enable CHAP or PAP Authentication
The Point-to-Point Protocol (PPP) with Challenge Handshake
Authentication Protocol (CHAP) authentication or Password Authentication
Protocol (PAP) is often used to inform the central site about which
remote routers are connected to it.
With this authentication information, if the router or access server
receives another packet for a destination to which it is already
connected, it does not place an additional call. However, if the router or
access server is using rotaries, it sends the packet out the correct port.
CHAP and PAP are specified in RFC 1334. These protocols are
supported on synchronous and asynchronous serial interfaces. When
using CHAP or PAP authentication, each router or access server
identifies itself by a name. This identification process prevents a router
from placing another call to a router to which it is already connected
and prevents unauthorized access.
Access control using CHAP or PAP is available on all serial interfaces
that use PPP encapsulation. The authentication feature reduces the risk
of security violations on your router or access server. You can
configure either CHAP or PAP for the interface.
Note: To use CHAP or PAP, you must be running PPP
encapsulation.
When CHAP is enabled on an interface and a remote device attempts
to connect to it, the local router or access server sends a CHAP packet
to the remote device. The CHAP packet requests or challenges the
remote device to respond. The challenge packet consists of an ID, a
random number, and the host name of the local router.
The required response consists of two parts:
- An encrypted version of the ID, a secret password (or secret), and
  the random number
- Either the host name of the remote device or the name of the user
  on the remote device
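
The challenge, the two-part response, and the check made by the challenging router can be traced in code. This is an added example, not code from this manual or from the router software. It assumes CHAP's MD5 algorithm, where the "encrypted version" is a one-way hash over the ID, the secret and the random number; the host names, the secret and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: one-way hash over ID octet || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Local router side: issues challenges and verifies responses."""

    def __init__(self, hostname: str, secrets: dict):
        self.hostname = hostname
        self.secrets = secrets   # remote name -> shared secret (constructed)
        self.pending = {}        # outstanding ID -> random challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (ident + 1) % 256      # ID is a single octet
        self.pending[ident] = os.urandom(16)  # fresh random number per challenge
        return ident, self.pending[ident], self.hostname

    def verify(self, ident: int, digest: bytes, remote_name: str) -> bool:
        value = self.pending.pop(ident, None)  # one use only, so a replay fails
        secret = self.secrets.get(remote_name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)  # same operation locally
        return hmac.compare_digest(expected, digest)    # constant-time compare


def respond(ident, value, challenger, my_name, secrets):
    """Remote device side: the secret itself never crosses the link."""
    return ident, chap_response(ident, secrets[challenger], value), my_name


def demo():
    # Constructed names and secret, for illustration only.
    central = Authenticator("central", {"branch1": b"constructed-secret"})
    good = respond(*central.challenge(), "branch1", {"central": b"constructed-secret"})
    ok = central.verify(*good)
    replayed = central.verify(*good)   # captured response sent again
    bad = respond(*central.challenge(), "branch1", {"central": b"wrong-secret"})
    return ok, replayed, central.verify(*bad)
```

Each side looks up the shared secret by the name the other side sent, which is why the secret must be identical on both routers and the names must match what each router announces.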
When the local router or access server receives the response, it verifies
the secret by performing the same encryption operation as indicated in