4-64 MAX 6000/3000 Network Configuration Guide
Configuring Individual WAN Connections
Configuring bidirectional CHAP support
For incoming calls, the MAX first challenges the caller for its username and password, then the
MAX compares the username and password to those in Connection profiles or RADIUS
profiles. A user can have either a Connection profile defined or a RADIUS profile defined, but
not both. For outgoing calls, the MAX dials the called device and it is the callers
responsibility to challenge the MAX for authentication.
Configuring bidirectional CHAP on the MAX unit
Set up the directional CHAP for all or selected incoming calls and for outgoing calls. For
authentication of incoming calls, the MAX sends its system name unless you specify a
different name.

Setting up bidirectional CHAP on the MAX unit for all incoming calls

Figure 4-9 shows a configuration in which a MAX unit and its dial-in clients authenticate each
other by means of bidirectional CHA P. One or more clients can dial into the MAX unit. The
MAX unit authenticates the calling device by means of a Connection profile, and each dial-in
client authenticates the MAX unit by means of the Send PW value.
Figure 4-9. Bidirectional CHAP for all incoming calls to the MAX unit
To configure bidirectional CHAP on the MAX unit for all incoming calls, proceed as follows:
1Open the Ethernet > Answer > PPP Options submenu.
2Set the Receive Auth parameter to Either, CHAP, or MS-CHAP.
3Set the Bi-Dir Auth parameter to Required or Allowed. Required specifies that
bidirectional authentication must be carried out or the call is dropped. Allowed specifies
that authentication can be bidirectional. The MAX unit identifies the calling device, and
the calling device can identify the MAX unit, but the calling device need not do so for the
call to be accepted.
4Exit the profile and, at the exit prompt, select the exit and accept option.
5For each incoming call, open a Ethernet > Connections > Connection profile > Encaps
Options subprofile.
6Set the Send PW parameter to any text string. The password you specify is the one sent to
the calling unit during the authentication initiated by the calling unit.
7Set the Recv PW parameter to any text string. The password you specify is the one sent by
the calling unit during the authentication initiated by the MAX unit.
8Exit the profile and, at the exit prompt, select the exit and accept option.
Note: When you set the Recv-Auth parameter to Any, the MAX unit can accept both P AP and
CHAP authentication. The Bi-Dir Auth setting will be used only if a form of CHAP
authentication has been negotiated during LCP negotiation. If any form of PAP authentication
WAN Pipeline unit
MAX unit
Dial-in clients
Send PW sent
Recv PW sent