Using PPP

 

There are different authentication protocols in use: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Microsoft PPP CHAP (MS-CHAP) is also available to authenticate Windows workstations and peer routers. PAP and CHAP are described in detail in RFC 1334 (CHAP was subsequently revised in RFC 1994) and are briefly described later in this section. MS-CHAP is described in RFC 2433.

 

On remote dial-in access ports, a third authentication protocol is available: Shiva Password Authentication Protocol (SPAP), which is a Shiva proprietary protocol. See "Shiva Password Authentication Protocol (SPAP)" on page 457 for more information.

 

Whether a box requires the other end to authenticate itself (and if so, with what protocol) is determined during the LCP negotiation phase. Authentication can therefore "fail" as early as the link establishment phase (LCP negotiation), if one end does not know how, or refuses, to use the authentication protocol the other end requires.

 

Each end of a link sets its own requirements for how it wants the other end to authenticate itself. For example, given two routers "A" and "B" connected over a PPP link, side A may require that B authenticate itself to A using PAP, and side B may require that A similarly identify itself using CHAP. It is valid for one end to require authentication while the other end requires none.

 

In addition to the initial authentication during link establishment, some protocols allow an authenticator to demand that the peer re-establish its credentials periodically. With CHAP, for example, the authenticator may issue a rechallenge at any time, and the peer must reply successfully or lose the link.

If more than one authentication protocol is enabled on a link, the router initially attempts to use them in the following priority order:

1. MS-CHAP
2. CHAP
3. PAP
4. SPAP

 

Note: SPAP is only available on interfaces that have IBM DIALs Dial-In circuits configured.

If the remote side responds to the authentication request with a NAK and suggests an alternative, the router uses the alternative, provided that it is enabled on the link. If the remote side keeps answering the router's proposals with a NAK without suggesting an alternative that the router has enabled, the link is terminated.
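The negotiation just described, as an added example that is not the product's own code: the router proposes the LCP Authentication-Protocol option (option type 3) in the priority order above, and a simulated peer either ACKs it or NAKs it with its own suggestion. The PAP and CHAP protocol numbers and the CHAP algorithm octets are the PPP-assigned values; the SPAP number (0xC027) is taken from the PPP numbers registry and is an assumption of this example, as are the router and peer configurations used at the end.

```python
"""LCP Authentication-Protocol negotiation with NAK handling (added example)."""
import struct

# Option type 3 (Authentication-Protocol) carries a PPP protocol number and,
# for CHAP-family protocols, one algorithm octet.
AUTH_OPTION_TYPE = 3
PAP, CHAP, SPAP = 0xC023, 0xC223, 0xC027   # SPAP value assumed from the PPP numbers registry
CHAP_MD5, CHAP_MS = 0x05, 0x80             # RFC 1994 MD5 / RFC 2433 MS-CHAP algorithm octets

PROTOCOLS = {                              # name -> (protocol number, algorithm octet)
    "MS-CHAP": (CHAP, CHAP_MS),
    "CHAP": (CHAP, CHAP_MD5),
    "PAP": (PAP, None),
    "SPAP": (SPAP, None),
}
PRIORITY = ["MS-CHAP", "CHAP", "PAP", "SPAP"]   # the order given in the text


def encode_auth_option(name):
    """Type | Length | Protocol (2 octets) | [Algorithm]."""
    proto, alg = PROTOCOLS[name]
    data = struct.pack("!H", proto) + (b"" if alg is None else bytes([alg]))
    return bytes([AUTH_OPTION_TYPE, 2 + len(data)]) + data


def decode_auth_option(opt):
    if len(opt) < 4 or opt[0] != AUTH_OPTION_TYPE or opt[1] != len(opt):
        raise ValueError("malformed Authentication-Protocol option")
    proto = struct.unpack("!H", opt[2:4])[0]
    alg = opt[4] if len(opt) > 4 else None
    for name, value in PROTOCOLS.items():
        if value == (proto, alg):
            return name
    raise ValueError("unrecognised authentication protocol %#06x" % proto)


def simulated_peer(accepts):
    """Remote side of the link: ACKs a proposal it accepts, otherwise NAKs and
    suggests its own highest-priority accepted protocol (or nothing)."""
    def respond(option):
        if decode_auth_option(option) in accepts:
            return "ack", None
        for name in PRIORITY:
            if name in accepts:
                return "nak", encode_auth_option(name)
        return "nak", None
    return respond


def negotiate(enabled, peer):
    """Router side. Returns (result, transcript); result is the agreed protocol
    name, "no-auth" when nothing is enabled, or None when the link is terminated."""
    transcript = []
    candidates = [n for n in PRIORITY if n in enabled]
    if not candidates:
        return "no-auth", transcript        # this end requires no authentication
    proposal, tried = candidates[0], set()
    while True:
        tried.add(proposal)
        transcript.append(("Configure-Request", proposal))
        verdict, suggestion = peer(encode_auth_option(proposal))
        if verdict == "ack":
            transcript.append(("Configure-Ack", proposal))
            return proposal, transcript
        try:
            suggested = None if suggestion is None else decode_auth_option(suggestion)
        except ValueError:
            suggested = None                # an unknown suggestion counts as none
        transcript.append(("Configure-Nak", suggested))
        # Take the alternative only if it is enabled here and not already refused.
        if suggested in enabled and suggested not in tried:
            proposal = suggested
            continue
        transcript.append(("Terminate-Request", None))
        return None, transcript


if __name__ == "__main__":
    # Constructed configurations: router A enables MS-CHAP, CHAP and PAP; B accepts only PAP.
    print(negotiate({"MS-CHAP", "CHAP", "PAP"}, simulated_peer({"PAP"})))
    # A enables only CHAP; B suggests PAP, which A has not enabled, so the link is dropped.
    print(negotiate({"CHAP"}, simulated_peer({"PAP"})))
```

The `tried` set is what stops a peer from keeping the negotiation alive indefinitely by re-suggesting something the router has already proposed; a real LCP implementation bounds this further with its Max-Failure counter.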

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a two-way handshake. This is done only upon initial link establishment. Following link establishment, the peer sends an ID/Password pair to the authenticator until authentication is acknowledged or the connection is terminated. Passwords are sent over the circuit "in the clear," and there is no protection from playback or repeated trial-and-error attacks. The peer controls the frequency and timing of the attempts.
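The playback weakness of PAP, and the reason a CHAP rechallenge (described earlier in this section) defeats it, as an added example that is not the product's own code. It builds a PAP Authenticate-Request in the RFC 1334 packet layout and a CHAP Challenge/Response in the RFC 1994 layout (MD5 algorithm), then presents a captured copy of each to the authenticator a second time. The router names, the secret and the captured packets are constructed for the demonstration.

```python
"""PAP Authenticate-Request versus CHAP challenge/response under replay (added example)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3                     # RFC 1334 codes
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4     # RFC 1994 codes


def pap_authenticate_request(ident, peer_id, password):
    """Code | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def pap_parse_request(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    password = pkt[6 + n:6 + n + m]
    if 6 + n + m != length:
        raise ValueError("PAP length fields do not add up")
    return ident, peer_id, password


def pap_authenticator(packet, credentials):
    """Returns PAP_AUTH_ACK or PAP_AUTH_NAK. Nothing in the packet ties it to this
    link or this moment, so a captured copy verifies again later."""
    _, peer_id, password = pap_parse_request(packet)
    return PAP_AUTH_ACK if credentials.get(peer_id) == password else PAP_AUTH_NAK


def chap_response_value(ident, secret, challenge):
    """RFC 1994, MD5 algorithm: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name (Challenge and Response)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("not a well-formed CHAP Challenge/Response")
    n = pkt[4]
    return code, ident, pkt[5:5 + n], pkt[5 + n:]


class ChapAuthenticator:
    """Remembers the outstanding challenge per identifier and discards it once
    answered, so a response value is only ever good for one challenge."""
    def __init__(self, secrets, name=b"routerA"):
        self.secrets, self.name, self.outstanding = secrets, name, {}

    def challenge(self, ident):
        chal = os.urandom(16)                      # fresh, unpredictable per challenge
        self.outstanding[ident] = chal
        return chap_packet(CHAP_CHALLENGE, ident, chal, self.name)

    def verify(self, pkt):
        code, ident, value, peer_name = chap_parse(pkt)
        chal = self.outstanding.pop(ident, None)
        if code != CHAP_RESPONSE or chal is None or peer_name not in self.secrets:
            return CHAP_FAILURE
        expected = chap_response_value(ident, self.secrets[peer_name], chal)
        return CHAP_SUCCESS if hmac.compare_digest(expected, value) else CHAP_FAILURE


def peer_answers_chap(challenge_pkt, secret, name):
    _, ident, chal, _ = chap_parse(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, chal), name)


def pap_replay_is_accepted():
    creds = {b"routerB": b"s3cret"}                            # constructed credentials
    captured = pap_authenticate_request(1, b"routerB", b"s3cret")
    first = pap_authenticator(captured, creds)
    replayed = pap_authenticator(captured, creds)              # same bytes, played back later
    return first == PAP_AUTH_ACK and replayed == PAP_AUTH_ACK


def chap_replay_is_accepted():
    auth = ChapAuthenticator({b"routerB": b"s3cret"})          # constructed secret
    captured = peer_answers_chap(auth.challenge(1), b"s3cret", b"routerB")
    first = auth.verify(captured)
    auth.challenge(2)                                          # periodic rechallenge, new value
    replayed = auth.verify(captured)                           # old response, no matching challenge
    return first == CHAP_SUCCESS and replayed == CHAP_SUCCESS


if __name__ == "__main__":
    print("PAP replay accepted:", pap_replay_is_accepted())
    print("CHAP replay accepted:", chap_replay_is_accepted())
```

The CHAP side only holds up because the challenge is random and consumed on use; an authenticator that reused a challenge value, or accepted a response for a challenge it no longer had outstanding, would be open to the same playback as PAP.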

456 MRS V3.2 Software User's Guide (IBM SC30-3681-08)