CONFIGURING SYSTEM OPTIONS AND INFORMATION

System Options

The above process applies to the system’s authentication of the remote device. It is also possible that the remote device may wish to authenticate the system itself, a desire that is also negotiated during the LCP initialization of the link. Enabling CHAP via configuration also permits the system to agree to be authenticated via CHAP during LCP negotiation. In the same manner that each remote device has a name and secret, the system itself is configured with a system-wide name and secret that are used to respond to CHAP challenges.
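The two-way exchange described above can be traced in code. This is an added example, not code from the manual or the CyberSWITCH itself; it assumes the standard PPP CHAP computation from RFC 1994 (MD5 over identifier, secret and challenge), and the device name, system name and secrets are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample configuration; names and secrets are illustrative only.
DEVICE_LIST = {"branch-router": b"device-secret-1"}   # per-device name -> secret
SYSTEM_NAME = "central-site"
SYSTEM_SECRET = b"system-secret-1"                    # system-wide secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Challenges must be unpredictable and unique per exchange."""
    return os.urandom(length)


def verify_peer(name: str, identifier: int, challenge: bytes,
                response: bytes, secrets: dict) -> bool:
    """Authenticator side: look up the peer's secret by name and compare."""
    secret = secrets.get(name)
    if secret is None:
        return False                      # unknown name: reject
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def mutual_chap(device_name: str, device_secret: bytes,
                device_view_of_system: dict) -> tuple:
    """Run both directions; returns (system_accepts_device, device_accepts_system)."""
    # Direction 1: the system challenges the remote device.
    ident, chal = 1, new_challenge()
    resp = chap_response(ident, device_secret, chal)          # computed by device
    system_ok = verify_peer(device_name, ident, chal, resp, DEVICE_LIST)

    # Direction 2: the remote device challenges the system.
    ident, chal = 2, new_challenge()
    resp = chap_response(ident, SYSTEM_SECRET, chal)          # computed by system
    device_ok = verify_peer(SYSTEM_NAME, ident, chal, resp, device_view_of_system)
    return system_ok, device_ok


if __name__ == "__main__":
    print(mutual_chap("branch-router", b"device-secret-1",
                      {"central-site": b"system-secret-1"}))
```

Only the name, the challenge and the 16-byte response cross the link; the secret itself is never sent, and a response captured for one challenge does not verify against a different one.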

Note: When both CHAP and PAP are enabled, the system will request the CHAP protocol first. If the remote device agrees to CHAP, then the secret that is configured for the device must match the one that the remote device uses. If the remote device agrees to PAP, then the passwords must match. If only one of PAP or CHAP is enabled, the system will insist on that protocol. If the remote device does not support the enabled protocol, the device will not be allowed

BRIDGE MAC ADDRESS SECURITY

If bridging is enabled, you have the option of enabling Bridge Ethernet Address Security. Bridge MAC Address Security may also be enabled if IP routing through a Virtual WAN interface is enabled. This security option allows you to configure specific Bridge Ethernet Addresses and an optional password on a per-device basis. When Bridge Ethernet Address Security is enabled, the System will look up the received Ethernet address in the Device List. If the address is not found, the call is disconnected. If the address is found and the corresponding device entry is configured with a password, the System will validate the password. If the password is not valid, the call will be disconnected.

IP HOST ID SECURITY

To enable IP Host Id Security, you must first enable IP routing. IP Host Id Security provides added security through device validation. At connection establishment time, the Device sends an unencrypted IP Host identifier over the WAN to the System. The System looks up the Device based on the received IP Host identifier. If the identifier is found in the Device List, the call is accepted. Otherwise the call is disconnected.

SYSTEM OPTIONS BACKGROUND INFORMATION

When a remote device connects, the CyberSWITCH negotiates the required authentication. In order for the remote device to be properly authenticated, the CyberSWITCH must have the appropriate authentication enabled. If the authentication required by the remote device is not enabled on the CyberSWITCH, the remote device will not be authenticated and the call will be disconnected.

The possible security options that can be enabled include:

Calling Line Id

IP Host Id

Bridge Ethernet Address

PAP

CHAP

Central Site Remote Access Switch 177

Enterasys Networks CSX5500, CSX6000, CSX7000 manual System Options Background Information, PAP Chap