USER’S GUIDE

| PAP Authentication | CHAP Authentication | Bridge MAC Address Authentication | Calling Line Id Authentication |
|---|---|---|---|
| Yes | No | No | Optional. Duplicates allowed for these Devices. |
| No | Yes | No | Optional. Duplicates allowed for these Devices. |
| No | No | Yes | Optional. Duplicates allowed for these Devices. |
| No | No | No | Required. Duplicates not allowed. |

Note: If a system is brought on line with a device that has a required Calling Line Id that is a duplicate of another device’s Calling Line Id, and no other type of authentication is used, a warning message is logged at initialization. Every attempt to connect the device thereafter will result in an error message being logged and the call being rejected.

PAP PASSWORD SECURITY

PAP Security provides a method for the Device to identify itself to the system using a 2-way handshake. If PAP Password Security is enabled, and a PAP Password has been configured for the Device, the following holds true:

After the initial connection is made, the Device Name and Password are repeatedly sent by the remote device to the system. The system will look up the received Device Name in the Device List.

If the Device Name is not found, the call is disconnected.

If the Device Name is found the system will validate the password.

If the password does not match, the call will be disconnected.

If PAP Password Security is enabled, and a PAP Password has not been configured for the Device, Password validation is not performed.

CHAP CHALLENGE SECURITY

An authentication phase between the remote device and the system begins with sending a CHAP challenge request to the remote device. The CHAP request contains a string of bytes known as the challenge value, which is changed on each challenge. Using the hash algorithm associated with CHAP, the remote device transforms the challenge value plus its secret into a response value. The remote device sends this output of the hash function, along with its symbolic name, to the system in a CHAP response.

Within the Device Table entry for each remote device which will be authenticated via CHAP, the system maintains the remote device’s secret. The name in the remote device’s CHAP response is used to locate the Device Table entry, and consequently the secret used by the remote device. Using the same hash function, the system computes the expected response value for the challenge with that secret. If this matches the response value sent by the remote device, a successful authentication has occurred. The system can optionally be configured to repeat the CHAP challenge process periodically throughout the life of the connection. An invalid response to a CHAP challenge at any time is deemed a security violation, which causes a switched link to be released.
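The challenge/response check described above, as an added example that is not taken from the manual or the product: a minimal system-side verifier, assuming the RFC 1994 CHAP hash (MD5 over identifier, secret and challenge), since the manual does not name the algorithm. The Device Table contents, the device name and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed Device Table: symbolic device name -> shared CHAP secret.
DEVICE_TABLE = {"branch-office-1": b"constructed-secret-1"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Assumed RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """System side: issues challenges and checks CHAP responses."""

    def __init__(self, device_table):
        self.device_table = device_table
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        # A fresh, unpredictable challenge value for every request.
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, identifier, name, response):
        # Each challenge is consumed by the first response it receives.
        challenge, self.challenge = self.challenge, None
        if challenge is None or identifier != self.identifier:
            return False
        secret = self.device_table.get(name)
        if secret is None:
            return False  # name not found in the Device Table
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison of expected and received response values.
        return hmac.compare_digest(expected, response)


def demo():
    system = Authenticator(DEVICE_TABLE)
    ident, chal = system.new_challenge()
    good = chap_response(ident, DEVICE_TABLE["branch-office-1"], chal)
    first = system.verify(ident, "branch-office-1", good)
    # Periodic re-challenge: a response to the earlier challenge no longer matches.
    ident2, _ = system.new_challenge()
    replayed = system.verify(ident2, "branch-office-1", good)
    return first, replayed
```

A `False` result from `verify` corresponds to the invalid response that the text treats as a security violation; releasing the link is left to the caller.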

CyberSWITCH, page 176 (Enterasys Networks CSX7000, CSX5500, CSX6000 manual)