System Administration Guide: Resource Management and Network Services

Chapter 36 Solaris PPP 4.0 Reference

This chapter provides detailed conceptual information about Solaris PPP 4.0. Topics include the following:

Using PPP Options in Files and on the Command Line

Solaris PPP 4.0 contains a large set of options, which you use to define your PPP configuration. You use these options in the PPP configuration files, or on the command line, or by using a combination of files and command-line options. This section contains detailed information about the use of PPP options in configuration files and as arguments to PPP commands.

Where to Define PPP Options

Solaris PPP 4.0 is very flexible in the manner in which you can configure it. You can define PPP options in the following places:

The next table lists the PPP configuration files and commands.

Table 36–1 Summary of PPP Configuration Files and Commands

File or Command: /etc/ppp/options
Definition: File that contains characteristics that apply by default to all PPP links on the system, for example, whether the machine requires peers to authenticate themselves. If this file is absent, non-root users are prohibited from using PPP.
For Information: /etc/ppp/options Configuration File

File or Command: /etc/ppp/options.ttyname
Definition: File that describes the characteristics of all communications over the serial port ttyname.
For Information: /etc/ppp/options.ttyname Configuration File

File or Command: /etc/ppp/peers
Definition: Directory that usually contains information about peers with which a dial-out machine connects. Files in this directory are used with the call option of the pppd command.
For Information: Specifying Information for Communicating With the Dial-in Server

File or Command: /etc/ppp/peers/peer-name
Definition: File that contains characteristics of the remote peer peer-name, such as its phone number and chat script for negotiating the link with the peer.
For Information: /etc/ppp/peers/peer-name File

File or Command: /etc/ppp/pap-secrets
Definition: File that contains the necessary security credentials for Password Authentication Protocol (PAP) authentication.
For Information: /etc/ppp/pap-secrets File

File or Command: /etc/ppp/chap-secrets
Definition: File that contains the necessary security credentials for Challenge-Handshake Authentication Protocol (CHAP) authentication.
For Information: /etc/ppp/chap-secrets File

File or Command: ~/.ppprc
Definition: File in the home directory of a PPP user, most often used with dial-in servers. This file contains specific information about each user's configuration.
For Information: Configuring User-Specific Options

File or Command: pppd options
Definition: Command and options for initiating a PPP link and describing its characteristics.
For Information: How PPP Options Are Processed

Refer to the pppd(1M) man page for details on the PPP files and comprehensive descriptions of all options available to the pppd command. Sample templates for all the PPP configuration files are available in /etc/ppp.

How PPP Options Are Processed

All Solaris PPP 4.0 operations are handled by the pppd daemon, which starts when a user runs the pppd command. When a user calls a remote peer, the following occurs:

  1. The pppd daemon parses the following:

    • /etc/ppp/options

    • $HOME/.ppprc

    • Any files that are opened by the file or call option in /etc/ppp/options and $HOME/.ppprc

  2. pppd scans the command line to determine the device in use. The daemon does not yet interpret any options that are encountered.

  3. pppd tries to discover the serial device to use by using the following criteria:

    1. If a serial device is specified on the command line, or a previously processed configuration file, pppd uses the name of that device.

    2. If no serial device is named, then pppd searches for the notty, pty, or socket option on the command line. If one of these options is specified, pppd assumes that no device name exists.

    3. Otherwise, if pppd discovers that standard input is attached to a tty, then the name of the tty is used.

    4. If pppd still cannot find a serial device, it terminates the connection and issues an error.

  4. pppd then checks for the existence of the /etc/ppp/options.ttyname file. If the file is found, pppd parses the file.

  5. pppd processes any options on the command line.

  6. pppd negotiates the Link Control Protocol (LCP) to set up the link.

  7. (Optional) If authentication is required, pppd reads /etc/ppp/pap-secrets or /etc/ppp/chap-secrets to authenticate the opposite peer.

The file /etc/ppp/peers/peer-name is read when the pppd daemon encounters the option call peer-name on the command line or in the other configuration files.

How PPP Configuration File Privileges Work

Solaris PPP 4.0 configuration includes the concept of privileges. Privileges determine the precedence of configuration options, particularly when the same option is invoked in more than one place. An option that is invoked from a privileged source takes precedence over the same option that is invoked from a non-privileged source.

User Privileges

The only privileged user is superuser (root), with the UID of zero. All other users are not privileged.

File Privileges

The following are privileged configuration files regardless of their ownership:

/etc/ppp/options

/etc/ppp/options.ttyname

/etc/ppp/peers/peer-name

The file $HOME/.ppprc is owned by the user. Options read from $HOME/.ppprc and from the command line are privileged only if the user who is invoking pppd is root.

Arguments that follow the file option are privileged.

Effects of Option Privileges

Some options require the invoking user or source to be privileged in order to work. Options that are invoked on the command line are assigned the privileges of the user who is running the pppd command. These options are not privileged unless the user who is invoking pppd is root.

Option: domain, linkname, noauth, nopam, pam, plugin, privgroup, allow-ip addresses, name hostname, plink, noplink, plumbed
Status: Privileged
Explanation: Requires privileges for use.

Option: proxyarp
Status: Becomes privileged if noproxyarp has been specified
Explanation: Cannot be overridden by an unprivileged user.

Option: defaultroute
Status: Privileged if nodefaultroute is set in a privileged file or by a privileged user
Explanation: Cannot be overridden by an unprivileged user.

Option: connect, disconnect, init, pty, welcome
Status: Privileged if set in a privileged file or by a privileged user
Explanation: Cannot be overridden by an unprivileged user.

Option: bsdcomp, deflate
Status: Privileged if set in a privileged file or by a privileged user
Explanation: The non-privileged user cannot specify a code size larger than the privileged user has specified.

Option: ttyname (the serial device name)
Status: Privileged if set in a privileged file
Explanation: Opened with root permissions regardless of who invokes pppd.

Option: ttyname (the serial device name)
Status: Not privileged if set in a non-privileged file
Explanation: Opened with the privileges of the user who invokes pppd.
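The parse order and the privilege rules above, worked through in Python as an added illustration. This is a model of the rules as this chapter states them, not pppd's own parser, and everything it reads is constructed for the example: the /etc/ppp files, the $HOME/.ppprc contents, the peer name peerB, the device /dev/cua/b and the UID 1001. It shows why a non-root user can obtain noauth only through a peers file that root wrote, and why a nodefaultroute in /etc/ppp/options cannot be undone from that user's .ppprc.

```python
"""Model of the option-precedence and privilege rules this chapter states
for Solaris PPP 4.0. Added illustration only: this is not pppd's parser,
and the /etc/ppp tree below is a constructed stand-in."""
import shlex

ROOT_UID = 0
# Options the chapter marks "Privileged: requires privileges for use".
PRIVILEGED_ONLY = {"domain", "linkname", "noauth", "nopam", "pam", "plugin",
                   "privgroup", "allow-ip", "name", "plink", "noplink", "plumbed"}
# Options a non-privileged source may not override once a privileged source
# has set them (nodefaultroute and noproxyarp count as setting these).
LOCKABLE = {"connect", "disconnect", "init", "pty", "welcome", "defaultroute",
            "proxyarp", "bsdcomp", "deflate"}
# "noX" spellings resolve to the key "X" with the value False.
NEGATIONS = {"nodefaultroute": "defaultroute", "noproxyarp": "proxyarp",
             "noauth": "auth", "noccp": "ccp", "nobsdcomp": "bsdcomp",
             "nodeflate": "deflate"}
# Options that take the following word as their argument.
TAKES_ARG = {"connect", "disconnect", "init", "pty", "welcome", "domain",
             "linkname", "plugin", "privgroup", "allow-ip", "name", "user",
             "remotename", "call", "asyncmap", "mru", "mtu", "bsdcomp", "deflate"}


def iter_options(text):
    """Yield (option, argument) pairs from options-file text or a command line."""
    words = [w for line in text.splitlines()
             for w in shlex.split(line.split("#", 1)[0])]
    i = 0
    while i < len(words):
        w = words[i]
        if w in TAKES_ARG:
            yield w, (words[i + 1] if i + 1 < len(words) else None)
            i += 2
        else:
            bare = w if w.isdigit() or ":" in w else None   # "38400" or ":192.168.1.1"
            yield ("speed" if w.isdigit() else "addresses" if bare else w), bare
            i += 1


def resolve(uid, files, cmdline):
    """Apply the chapter's parse order and privilege rules.

    files maps path -> text for the stand-in /etc/ppp tree and $HOME/.ppprc.
    Returns (effective, rejected): effective maps an option key to a dict
    with its value, source and privilege; rejected lists (source, option, why).
    """
    is_root = uid == ROOT_UID
    effective, rejected = {}, []

    def consume(source, privileged, text):
        for opt, arg in iter_options(text):
            if opt.startswith("/dev/"):
                continue                          # device name, handled below
            if opt == "call":                     # /etc/ppp/peers/<name> is privileged
                path = "/etc/ppp/peers/%s" % arg
                if path in files:
                    consume(path, True, files[path])
                else:
                    rejected.append((source, "call %s" % arg, "no such peer file"))
                continue
            if opt in PRIVILEGED_ONLY and not privileged:
                rejected.append((source, opt, "requires a privileged source"))
                continue
            key = NEGATIONS.get(opt, opt)
            prev = effective.get(key)
            if prev and prev["privileged"] and not privileged and key in LOCKABLE:
                rejected.append((source, opt, "locked by %s" % prev["source"]))
                continue
            effective[key] = {"value": arg if arg is not None else opt not in NEGATIONS,
                              "source": source, "privileged": privileged}

    # Steps 1 and 2: /etc/ppp/options, then $HOME/.ppprc (privileged only for root).
    consume("/etc/ppp/options", True, files.get("/etc/ppp/options", ""))
    consume("$HOME/.ppprc", is_root, files.get("$HOME/.ppprc", ""))
    # Steps 3 and 4: find the serial device on the command line, then options.ttyname.
    devices = [w for w in shlex.split(cmdline) if w.startswith("/dev/")]
    if devices:
        effective["device"] = {"value": devices[0], "source": "command line",
                               "privileged": is_root}
        tty_file = "/etc/ppp/options." + devices[0][len("/dev/"):].replace("/", ".")
        consume(tty_file, True, files.get(tty_file, ""))
    # Step 5: the command line itself, with the privilege of the invoking user.
    consume("command line", is_root, cmdline)
    return effective, rejected


# Constructed stand-in for the files discussed in this chapter.
FILES = {
    "/etc/ppp/options": "lock\nnodefaultroute\nnoproxyarp\n",
    "/etc/ppp/options.cua.b": "38400\nasyncmap 0xa0000\n",
    "/etc/ppp/peers/peerB": 'connect "/usr/bin/chat -f /etc/ppp/peerB-chat"\n'
                            "noauth\ndefaultroute\nupdetach\n",
    "$HOME/.ppprc": "defaultroute\nconnect /home/user1/mychat\n",
}

if __name__ == "__main__":
    for uid, cmd in [(1001, "/dev/cua/b call peerB"), (1001, "/dev/cua/b noauth"),
                     (0, "/dev/cua/b noauth")]:
        eff, rej = resolve(uid, FILES, cmd)
        print("uid %d: pppd %s" % (uid, cmd))
        for key, info in sorted(eff.items()):
            print("  %-13s %-42r from %s" % (key, info["value"], info["source"]))
        for src, opt, why in rej:
            print("  rejected %r from %s: %s" % (opt, src, why))
```

With `pppd /dev/cua/b call peerB` run by UID 1001, the user's own `defaultroute` in .ppprc is rejected because the privileged /etc/ppp/options set nodefaultroute, while the same option in the root-owned peers file is accepted; `noauth` reaches the effective set only from that peers file, and `pppd /dev/cua/b noauth` typed by the same user is refused. Run as root, the same command line is accepted in full. The model ignores the `file` option and the defaults pppd applies when an option is never mentioned.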

/etc/ppp/options Configuration File

You use the /etc/ppp/options file to define global options for all PPP communications on the local machine. /etc/ppp/options is a privileged file. /etc/ppp/options should be owned by root, although pppd does not enforce this rule. Because the file is privileged, options that you define in /etc/ppp/options take precedence over definitions of the same options from non-privileged sources, such as a non-root user's $HOME/.ppprc or command line.

Typical options that you might use in /etc/ppp/options include the following:


Note –

The Solaris PPP 4.0 software does not include a default /etc/ppp/options file. pppd does not require the /etc/ppp/options file to work. But be aware that if a machine does not have an /etc/ppp/options file, only root can run pppd on that machine.


You must create /etc/ppp/options by using a text editor, as shown in How to Define Communications Over the Serial Line. If a machine does not require global options, you can create an empty /etc/ppp/options file. Then both root and regular users can run pppd on the local machine.

/etc/ppp/options.tmpl Template

The /etc/ppp/options.tmpl file contains helpful comments about the /etc/ppp/options file plus three common options for the global /etc/ppp/options file.


lock
nodefaultroute
noproxyarp

Option 

Definition 

lock

Enables UUCP-style file locking 

nodefaultroute

Specifies that no default route is defined 

noproxyarp

Disallows proxyarp

To use /etc/ppp/options.tmpl as the global options file, rename /etc/ppp/options.tmpl to /etc/ppp/options. Then modify the file contents as needed by your site.

Where to Find Sample /etc/ppp/options Files

Table 36–2 Examples of the /etc/ppp/options File

Example /etc/ppp/options

For Instructions 

For a dial-out machine 

How to Define Communications Over the Serial Line

For a dial-in server 

How to Define Communications Over the Serial Line (Dial-in Server)

For PAP support on a dial-in server 

How to Add PAP Support to the PPP Configuration Files (Dial-in Server)

For PAP support on a dial-out machine 

How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

For CHAP support on a dial-in server 

How to Add CHAP Support to the PPP Configuration Files (Dial-in Server)

/etc/ppp/options.ttyname Configuration File

You can configure the characteristics of communications on the serial line in the /etc/ppp/options.ttyname file. /etc/ppp/options.ttyname is a privileged file that is read by pppd after parsing the /etc/ppp/options and $HOME/.ppprc files, if they exist. Otherwise, pppd reads /etc/ppp/options.ttyname after parsing /etc/ppp/options.

ttyname is used for both dial-up and leased-line links. ttyname represents a particular serial port on a machine, such as cua/a or cua/b, where a modem or ISDN TA might be attached.

When naming the /etc/ppp/options.ttyname file, replace the slash (/) in the device name with a dot (.) . For example, the options file for device cua/b should be named /etc/ppp/options.cua.b.


Note –

Solaris PPP 4.0 does not require an /etc/ppp/options.ttyname file to work correctly. If the server only has one serial line for PPP and requires few options, you can specify these options in another configuration file or on the command line.


Using /etc/ppp/options.ttyname on a Dial-in Server

For a dial-up link, you might choose to create individual /etc/ppp/options.ttyname files for every serial port on a dial-in server with a modem attached. Typical options include the following:

Using /etc/ppp/options.ttyname on a Dial-out Machine

For a dial-out machine, you can create an /etc/ppp/options.ttyname file for the serial port with the modem, or elect not to use /etc/ppp/options.ttyname.


Note –

Solaris PPP 4.0 does not require an /etc/ppp/options.ttyname file to work correctly. If the dial-out machine only has one serial line for PPP and requires few options, you can specify these options in another configuration file or on the command line.


options.ttya.tmpl Template File

The /etc/ppp/options.ttya.tmpl file contains helpful comments about the /etc/ppp/options.ttyname file. The template contains three common options for the /etc/ppp/options.ttyname file.


38400
asyncmap 0xa0000
:192.168.1.1

Option 

Definition 

38400

Use this baud rate for port ttya. 

asyncmap 0xa0000

Set the asyncmap to 0xa0000, which escapes the XON (0x11) and XOFF (0x13) control characters, so that the local machine can communicate through modems or peers that perform software flow control or otherwise mishandle those characters.

:192.168.1.1  

Assign the IP address 192.168.1.1 to all peers that are calling in over the link. 

To use /etc/ppp/options.ttya.tmpl at your site, rename /etc/ppp/options.ttya.tmpl to /etc/ppp/options.ttyname. Replace ttyname with the name of the serial port with the modem, with any slash changed to a dot, for example /etc/ppp/options.cua.b. Then modify the file contents as needed by your site.

Where to Find Sample /etc/ppp/options.ttyname Files

Table 36–3 Examples of the /etc/ppp/options.ttyname File

Example /etc/ppp/options.ttyname

For Instructions 

For a dial-out machine 

How to Define Communications Over the Serial Line

For a dial-in server 

How to Define Communications Over the Serial Line (Dial-in Server)

Configuring User-Specific Options

This section contains detailed information on setting up users on the dial-in server.

Configuring $HOME/.ppprc on a Dial-in Server

The $HOME/.ppprc file is intended for users who are configuring preferred PPP options. As administrator, you can also configure $HOME/.ppprc for users.

The options in $HOME/.ppprc are privileged only when the user who is invoking the file is privileged.

When a caller uses the pppd command to initiate a call, the .ppprc file is the second file that is checked by the pppd daemon.

See Setting Up Users of the Dial-in Server for instructions on setting up $HOME/.ppprc on the dial-in server.

Configuring $HOME/.ppprc on a Dial-out Machine


Note –

The $HOME/.ppprc is not needed on the dial-out machine for Solaris PPP 4.0 to work correctly.


You do not need to have a $HOME/.ppprc on a dial-out machine, except for special circumstances. Create one or more .ppprc files if you do the following:

Because the .ppprc file is most often used when configuring a dial-in server, refer to How to Configure Users of the Dial-in Server for configuration instructions for .ppprc.

Specifying Information for Communicating With the Dial-in Server

To communicate with a dial-in server, you need to gather information about the server and edit a few files. Most significantly, you must configure the communications requirements of all dial-in servers that the dial-out machine needs to call. You can specify options about a dial-in server, such as an ISP phone number, in the /etc/ppp/options.ttyname file. However, the optimum place to configure peer information is in /etc/ppp/peers/peer-name files.

/etc/ppp/peers/peer-name File


Note –

The /etc/ppp/peers/peer-name file is not needed on the dial-out machine for Solaris PPP 4.0 to work correctly.


Use the /etc/ppp/peers/peer-name file to provide information for communicating with a particular peer. /etc/ppp/peers/peer-name allows ordinary users to invoke preselected privileged options that they are not allowed to set.

For example, a non-privileged user cannot override the noauth option if it is specified in the /etc/ppp/peers/peer-name file. Suppose the user wants to set up a link to peerB, which does not provide authentication credentials. As superuser, you can create a /etc/ppp/peers/peerB file that includes the noauth option. noauth indicates that the local machine does not require peerB to authenticate itself. Because the peers file is privileged, the user obtains this exemption only for peerB and only as you wrote it; the user cannot add noauth on the command line or in $HOME/.ppprc.

The pppd daemon reads /etc/ppp/peers/peer-name when it encounters the following option:


call  peer-name

You can create a /etc/ppp/peers/peer-name file for each target peer with which the dial-out machine needs to communicate. This practice is particularly convenient for permitting ordinary users to invoke special dial-out links without needing root privileges.

Typical options that you specify in /etc/ppp/peers/peer-name include the following:

See the pppd(1M) man page for more options that might apply to a specific target peer.

/etc/ppp/peers/myisp.tmpl Template File

The /etc/ppp/peers/myisp.tmpl file contains helpful comments about the /etc/ppp/peers/peer-name file. The template concludes with common options such as you would use for an /etc/ppp/peers/peer-name file:


connect "/usr/bin/chat -f /etc/ppp/myisp-chat"
user myname
remotename myisp
noauth
noipdefault
defaultroute
updetach
noccp

Option 

Definition 

connect "/usr/bin/chat -f /etc/ppp/myisp-chat"

Call the peer by using the chat script /etc/ppp/myisp-chat.

user myname

Use this account name for the local machine. myname is the name for this machine in the peer's /etc/ppp/pap-secrets file.

remotename myisp

Recognize myisp as the name of the peer in the local machine's /etc/ppp/pap-secrets file.

noauth

Do not require the peer to authenticate itself to the local machine. The local machine can still authenticate itself to the peer, using the user and remotename settings.

noipdefault

Do not derive a default local IP address from the local host name; the peer must supply the local address during IPCP negotiation.

defaultroute

Add a default route through the peer when the link comes up, and remove it when the link goes down.

updetach

Stay attached to the controlling terminal until the link is up, so that errors during dialing and negotiation are reported on the terminal, and detach only afterwards.

noccp

Do not use CCP compression. 

To use /etc/ppp/peers/myisp.tmpl at your site, rename /etc/ppp/peers/myisp.tmpl to /etc/ppp/peers/peer-name. Replace peer-name with the name of the peer to be called. Then modify the file contents as needed by your site.

Where to Find Sample /etc/ppp/peers/peer-name Files

Table 36–4 Examples of /etc/ppp/peers/peer-name Files

Example /etc/ppp/peers/peer-name

For Instructions 

For a dial-out machine 

How to Define the Connection With an Individual Peer

For a local machine on a leased line 

How to Configure a Machine on a Leased Line

To support PAP authentication on a dial-out machine 

How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

To support CHAP authentication on a dial-out machine 

How to Add CHAP Support to the PPP Configuration Files (Dial-out Machine)

To support PPPoE on a client system 

Setting Up the PPPoE Client

Configuring Modems for a Dial-up Link

This section contains information about configuring modems.

Configuring the Modem Speed

A major issue in modem configuration is designating the speed at which the modem should operate. The following guidelines apply to modems that are used with Sun Microsystems computers:

For a dial-out machine, set the modem speed in the PPP configuration files, such as /etc/ppp/peers/peer-name, or by specifying the speed as an option for pppd.

For a dial-in server, you need to set the speed by using the ttymon facility or admintool, as described in Configuring Devices on the Dial-in Server.

Defining the Conversation on the Dial-up Link

The dial-out machine and its remote peer communicate across the PPP link by negotiating and exchanging various instructions. When configuring a dial-out machine, you need to determine what instructions are required by the local and remote modems. Then you create a file that is called a chat script that contains these instructions. This section discusses information about configuring modems and creating chat scripts.

Contents of the Chat Script

Each remote peer that the dial-out machine needs to connect to probably requires its own chat script.


Note –

Chat scripts are typically used only on dial-up links. Leased-line links do not use chat scripts unless an asynchronous interface is used that requires startup configuration.


The contents of the chat script are determined by the requirements of your modem model or ISDN TA, and the remote peer. These contents appear as a set of expect-send strings that the dial-out machine and its remote peers exchange as part of the communications initiation process.

An expect string contains characters that the dial-out host machine expects to receive from the remote peer to initiate conversation. A send string contains characters that the dial-out machine sends to the remote peer after receiving the expect string.

Information in the chat script usually includes the following:

Chat Script Examples

This section contains chat scripts that you can use as a reference for creating your own chat scripts. The modem manufacturer's guide and information from your ISP and other target hosts contain chat requirements for the modem and your target peers. In addition, numerous PPP web sites have sample chat scripts.

Basic Modem Chat Script

The following is a basic chat script that you can use as a template for creating your own chat scripts.


ABORT   BUSY
ABORT   'NO CARRIER'
REPORT  CONNECT
TIMEOUT 10
"" AT&F1M0&M5S2=255
SAY     "Calling myserver\n"
TIMEOUT 60
OK      "ATDT1-123-555-1212"
ogin: pppuser
ssword: \q\U
% pppd

The next table describes the contents of the chat script.

Script Contents 

Explanation 

ABORT BUSY

Abort if the local modem reports BUSY when dialing: the line is busy.

ABORT 'NO CARRIER'

Abort if the local modem reports NO CARRIER when dialing. The cause for this message is usually a dialing or modem negotiation failure.

REPORT CONNECT

Gather the CONNECT string from the modem and print it out.

TIMEOUT 10

Set initial timeout to 10 seconds. The modem's response should be immediate. 

"" AT&F1M0&M5S2=255

Expect nothing, and send the modem its setup string:

&F1 – Reset the modem to factory defaults.

M0 – Turn off the speaker during connect.

&M5 – Make the modem require error control.

S2=255 – Disable the TIES “+++” break sequence.

SAY "Calling myserver\n"

Display the message “Calling myserver” on the local machine. 

TIMEOUT 60

Reset the timeout to 60 seconds to allow more time for link negotiation. 

OK "ATDT1-123-555-1212"

Call the remote peer by using the phone number 123-555-1212. 

ogin: pppuser

Log in to the peer by using UNIX-style login. Supply the user name pppuser.

ssword: \q\U

Wait for the password prompt, then send the password:

\q – Do not write the send string to the log, even when chat is run with the -v option.

\U – Insert the string that was passed to chat with the -U command-line option, here the password, so that the password does not have to be stored in the chat file. The -U argument is still visible in the process listing while chat runs.

% pppd

Wait for the % shell prompt, and run the pppd command.

/etc/ppp/myisp-chat.tmpl Chat Script Template

Solaris PPP 4.0 includes the /etc/ppp/myisp-chat.tmpl file, which you can modify for use at your site. /etc/ppp/myisp-chat.tmpl is similar to the basic modem chat script except that it does not include a login sequence.


ABORT   BUSY
ABORT   'NO CARRIER'
REPORT  CONNECT
TIMEOUT 10
""      "AT&F1"
OK      "AT&C1&D2"
SAY     "Calling myisp\n"
TIMEOUT 60
OK      "ATDT1-123-555-1212"
CONNECT \c

Script Contents 

Explanation 

ABORT BUSY

Abort if the local modem reports BUSY when dialing: the line is busy.

ABORT 'NO CARRIER'

Abort if the local modem reports NO CARRIER when dialing. The cause for this message is usually a dialing or modem negotiation failure.

REPORT CONNECT

Gather the CONNECT string from the modem and print it out.

TIMEOUT 10

Set initial timeout to 10 seconds. The modem's response should be immediate. 

"" "AT&F1"

Reset the modem to factory defaults. 

OK "AT&C1&D2"

Reset the modem so that, for &C1, DCD from the modem follows carrier. If the remote side hangs up the phone for some reason, then the DCD drops.  

For &D2, DTR high-to-low transition causes the modem to go on-hook (hang up). 

SAY "Calling myisp\n"

Display the message “Calling myisp” on the local machine. 

TIMEOUT 60

Reset the timeout to 60 seconds to allow more time for link negotiation. 

OK "ATDT1-123-555-1212"

Call the remote peer by using the phone number 123-555-1212. 

CONNECT \c

Wait for the CONNECT message from the opposite peer's modem.

Modem Chat Script for Calling an ISP

Use the next chat script as a template for calling an ISP from a dial-out machine with a US Robotics Courier modem.


ABORT   BUSY
ABORT   'NO CARRIER'
REPORT  CONNECT
TIMEOUT 10
"" AT&F1M0&M5S2=255
SAY     "Calling myisp\n"
TIMEOUT 60
OK      "ATDT1-123-555-1212"
CONNECT \c
\r \d\c
SAY "Connected; running PPP\n"

The following table describes the contents of the chat script.

Script Contents 

Explanation 

ABORT BUSY

Abort if the local modem reports BUSY when dialing: the line is busy.

ABORT 'NO CARRIER'

Abort if the local modem reports NO CARRIER when dialing. The cause for this message is usually a dialing or modem negotiation failure.

REPORT CONNECT

Gather the CONNECT string from the modem and print it out.

TIMEOUT 10

Set initial timeout to 10 seconds. The modem's response should be immediate. 

"" AT&F1M0&M5S2=255

M0 – Turn off the speaker during connect.

&M5 – Make the modem require error control.

S2=255 – Disable the TIES “+++” break sequence. 

SAY "Calling myisp\n"

Display the message “Calling myisp” on the local machine. 

TIMEOUT 60

Reset the timeout to 60 seconds to allow more time for link negotiation. 

OK "ATDT1-123-555-1212"

Call the remote peer by using the phone number 123-555-1212. 

CONNECT \c

Wait for the CONNECT message from the opposite peer's modem.

\r \d\c

Wait until the end of the CONNECT message. 

SAY "Connected; running PPP\n" 

Display the informative message "Connected; running PPP" on the local machine. 

Basic Chat Script Enhanced for a UNIX-Style Login

The next chat script is a basic script that is enhanced for calling a remote Solaris peer or other UNIX-type peer. This chat script is used in How to Create the Instructions for Calling a Peer.


SAY "Calling the peer\n"
TIMEOUT 10
ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
"" AT&F1&M5S2=255
TIMEOUT 60
OK ATDT1-123-555-1234
CONNECT \c
SAY "Connected; logging in.\n"
TIMEOUT 5
ogin:--ogin: pppuser
TIMEOUT 20
ABORT 'ogin incorrect'
ssword: \qmypassword
"% " \c
SAY "Logged in.  Starting PPP on peer system.\n"
ABORT 'not found'
"" "exec pppd"
~ \c

The following table explains the parameters of the chat script.

Script Contents 

Explanation 

TIMEOUT 10

Set initial timeout to 10 seconds. The modem's response should be immediate. 

ABORT BUSY

Abort if the local modem reports BUSY when dialing: the line is busy.

ABORT 'NO CARRIER'

Abort if the local modem reports NO CARRIER when dialing. The cause for this message is usually a dialing or modem negotiation failure.

ABORT ERROR

Abort if the local modem reports ERROR, which means that it rejected a command.

REPORT CONNECT

Gather the CONNECT string from the modem and print it out.

"" AT&F1&M5S2=255

&M5 – Make the modem require error control.

S2=255 – Disable the TIES “+++” break sequence. 

TIMEOUT 60

Reset the timeout to 60 seconds to allow more time for link negotiation. 

OK ATDT1-123-555-1234

Call the remote peer by using the phone number 123-555-1234.

CONNECT \c

Wait for the CONNECT message from the opposite peer's modem.

SAY "Connected; logging in.\n"

Display the informative message “Connected; logging in,” to give the user status. 

TIMEOUT 5

Change the timeout to enable quick display of the login prompt. 

ogin:--ogin: pppuser

Wait for the login prompt. If it is not received, send a RETURN and wait. Then send the user name pppuser to the peer. The sequence that follows is referred to by most ISPs as the PAP login, though it is not related in any way to PAP authentication.

TIMEOUT 20

Change the timeout to 20 seconds to allow for slow password verification. 

ssword: \qmypassword

Wait for the password prompt from the peer. When the prompt is received, send the password mypassword. The \q prefix is not part of the password: it prevents the send string from being written to the system log files.

"% " \c

Wait for a shell prompt from the peer. % is the default C shell prompt; change this value if the user logs in with a different shell.

SAY "Logged in. Starting PPP on peer system.\n"

Display the informative message “Logged in. Starting PPP on peer system” to give the user status. 

ABORT 'not found'

Abort the transmission if the shell encounters errors. 

"" "exec pppd"

Start pppd on the peer.

~ \c

Wait for PPP to start on the peer. 

Starting PPP right after the CONNECT \c is often called a PAP login by ISPs, though the PAP login is actually not part of PAP authentication.

The phrase ogin:--ogin: pppuser instructs the modem to send the user name, in this example pppuser, in response to the login prompt that is received from the dial-in server. pppuser is a special PPP user account name that was created for remote user1 on the dial-in server. For instructions on creating PPP user accounts on a dial-in server, refer to How to Configure Users of the Dial-in Server.

Chat Script for External ISDN TA

The following chat script is for calling from a dial-out machine with a ZyXEL omni.net ISDN TA.


SAY "Calling the peer\n"
TIMEOUT 10
ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
"" AT&FB40S83.7=1&K44&J3X7S61.3=1S0=0S2=255
OK ATDI18882638234
CONNECT \c
\r \d\c
SAY "Connected; running PPP\n"

The following table explains the parameters of the chat script.

Script Contents 

Explanation 

SAY “Calling the peer”

Display this message on the screen of the dial-out machine. 

TIMEOUT 10

Set the initial timeout to 10 seconds. 

ABORT BUSY

Abort if the local modem reports BUSY when dialing: the line is busy.

ABORT 'NO CARRIER'

Abort if the local modem reports NO CARRIER when dialing. The cause for this message is usually a dialing or modem negotiation failure.

ABORT ERROR

Abort if the local modem reports ERROR, which means that it rejected a command.

REPORT CONNECT

Gather the CONNECT string from the modem and print it out.

"" AT&FB40S83.7=1&K44&J3X7S61.3=1S0=0S2=255

The letters in this line have the following meaning:

  • &F – Use factory default

  • B40 – Do asynchronous PPP conversion

  • S83.7=1 – Use data over speech bearer

  • &K44 – Enable CCP compression

  • &J3 – Enable MP

  • X7 – Report DCE side rates

  • S61.3=1 – Use packet fragmentation

  • S0=0 – No auto answer

  • S2=255 – Disable TIES escape

OK ATDI18882638234

Make an ISDN call. For multi-link, the second call is placed to the same telephone number, which is normally what is required by most ISPs. If the remote peer requires a different second phone number, append “+nnnn” (nnnn represents the second phone number).

CONNECT \c

Wait for the CONNECT message from the opposite peer's modem.

\r \d\c 

Wait until the end of the CONNECT message.

SAY "Connected; running PPP\n"

Display this message on the screen of the dial-out machine. 

Refer to the chat(1M) man page for descriptions of options and other detailed information about the chat script. For an explanation of expect-send strings, refer to UUCP Chat Script Field.

For More Chat Script Examples

A number of web sites offer sample chat scripts and assistance in creating them.

The PPP Frequently Asked Questions (FAQ) available from Australian National University posts URL.

Invoking the Chat Script

You call chat scripts by using the connect option. You can use connect "chat ..." in any PPP configuration file or on the command line.

Chat scripts are not executable, but the program that is invoked by connect must be executable. If you use the chat utility as that program and store your chat script in an external file that you pass with the -f option, the chat script file itself does not need to be executable.

The chat program that is described in chat(1M) executes the actual chat script. The pppd daemon invokes the chat program whenever pppd encounters the connect "chat ..." option.


Note –

You can use any external program, such as Perl or Tcl, to create advanced chat scripts. Solaris PPP 4.0 provides the chat utility as a convenience.


How to Invoke a Chat Script (Task)

  1. Create the chat script as an ASCII file.

  2. Invoke the chat script in any PPP configuration file by using the following syntax:


    connect 'chat -f /etc/ppp/chatfile'

    The -f flag indicates that a file name is to follow. /etc/ppp/chatfile represents the name of the chat file.

  3. Give read permission for the external chat file to the user who will run the pppd command.


    Caution –

    The chat program always runs with the privileges of the user who invokes pppd, even if the connect 'chat ...' option comes from a privileged source. Thus, a separate chat file that is read with the -f option must be readable by the invoking user. This is a security problem if the chat script contains passwords or other sensitive information, because anyone who can read the file obtains them. Keep such a file readable only by the invoking user, for example with mode 0600, and consider passing the password to chat with the -U option (substituted for \U in a send string) instead of storing it in the file.


Chat Script in an External File

If the chat script that is needed for a particular peer is long or complicated, consider creating the script as a separate file. External chat files are easy to maintain and document. You can add comments to the chat file by preceding them with the hash (#) sign.

The procedure How to Create the Instructions for Calling a Peer shows the use of a chat script that is contained in an external file.

Inline Chat Script

You can place the entire chat script conversation on a single line, similar to the following:


connect 'chat "" "AT&F1" OK ATDT5551212 CONNECT "\c"'

The phrase that follows the chat keyword and terminates with "\c" is the complete chat script. You use this form in any PPP configuration file or on the command line, as an argument to pppd.

Creating a Chat File That Is Executable

You can create a chat file that is an executable script to be run automatically when the dial-up link is initiated. Thus, you can run additional commands, such as stty for parity settings, besides those that are contained in a traditional chat script, during link initiation.

This executable chat script logs in to an old-style UNIX system that requires 7 bits/even parity and then changes to 8 bits/no parity when running PPP.


#!/bin/sh
chat "" "AT&F1" OK "ATDT555-1212" CONNECT "\c"
stty evenp
chat ogin: pppuser ssword: "\q\U" % "exec pppd"
stty -evenp

How to Create an Executable Chat Program

  1. Use your text editor to create an executable chat program, such as the previous example.

  2. Make the chat program executable.


    # chmod +x /etc/ppp/chatprogram
    

  3. Invoke the chat program.


    connect /etc/ppp/chatprogram
    

    Chat programs do not have to be located within the /etc/ppp file system. You can store them in any location.

Authenticating Callers on a Link

This section explains how the PPP authentication protocols work and explains the databases that are associated with them.

Password Authentication Protocol (PAP)

PAP authentication is somewhat similar in operation to the UNIX login program, though it does not grant shell access to the user. PAP uses the PPP configuration files and PAP database in the form of the /etc/ppp/pap-secrets file for setting up authentication and defining PAP security credentials. These credentials include a peer name (a “user name” in PAP parlance), password, and related information for each caller who is permitted to link to the local machine. The PAP user names and passwords can be identical to or different from the UNIX user names and passwords in the password database.

/etc/ppp/pap-secrets File

The PAP database is implemented in the /etc/ppp/pap-secrets file. Machines on both sides of the PPP link must have properly configured PAP credentials in their /etc/ppp/pap-secrets files for successful authentication. The caller (authenticatee) supplies credentials in the user and password columns of the /etc/ppp/pap-secrets file or in the obsolete +ua file. The server (authenticator) validates these credentials against information in /etc/ppp/pap-secrets, through the UNIX passwd database, or the PAM facility.

The /etc/ppp/pap-secrets file has the following syntax.

Table 36–5 Syntax of /etc/ppp/pap-secrets

Caller      Server        Password      IP Addresses
myclient    ISP-server    mypassword

The parameters have the following meaning:

myclient

PAP user name of the caller. Often this name is identical to the caller's UNIX user name, particularly if the dial-in server uses the login option of PAP.

ISP-server

Name of the remote machine, often a dial-in server. 

mypassword

Caller's PAP password. 

IP address

IP address that is associated with the caller. Use an asterisk (*) to indicate any IP address. 

Creating PAP Passwords

PAP passwords are sent over the link in the clear (in readable ASCII format). For the caller (authenticatee), the PAP password must be stored in the clear in any of the following locations:

On the server (authenticator), the PAP password can be hidden by doing one of the following:

What Happens During PAP Authentication

PAP authentication occurs in the following sequence.

Figure 36–1 PAP Authentication Process


  1. The caller (authenticatee) calls the remote peer (authenticator) and provides its PAP user name and password as part of link negotiation.

  2. The peer verifies the identity of the caller in its /etc/ppp/pap-secrets file. If the peer uses the login option of PAP, it verifies the caller's user name and password in its password database.

  3. If authentication is successful, the peer continues link negotiation with the caller. If authentication fails, the link is dropped.

  4. (Optional) If the caller authenticates responses from remote peers, the remote peer must send its own PAP credentials to the caller. Thus, the remote peer becomes the authenticatee and the caller the authenticator.

  5. The original caller reads its own /etc/ppp/pap-secrets to verify the identity of the remote peer.


    Note –

    If the original caller does require authentication credentials from the remote peer, Step 1 and Step 4 happen in parallel.


    If the peer is authenticated, negotiation continues. Otherwise, the link is dropped.

  6. Negotiation between caller and peer continues until the link is successfully established.

Using the login Option With /etc/ppp/pap-secrets

You can add the login option for authenticating PAP credentials to any PPP configuration file. When login is specified, for example, in /etc/ppp/options, pppd verifies that the caller's PAP credentials exist in the Solaris password database. The following table shows the format of a /etc/ppp/pap-secrets file with the login option.

Table 36–6 /etc/ppp/pap-secrets With login Option

Caller    Server    Password    IP Addresses
joe       *         ""          *
sally     *         ""          *
sue       *         ""          *

The parameters have the following meanings:

Caller

Names of all authorized callers. 

Server

Asterisk, which indicates that any server name is valid. The name option is not required in the PPP configuration files.

Password

Double quotes, which indicate that any password is valid. 

If you type a password in this column, then the password that is supplied by the peer must match both the PAP password and the UNIX passwd database.

IP Addresses

Asterisk, which indicates that any IP address is allowed. 

Challenge-Handshake Authentication Protocol (CHAP)

CHAP authentication uses the notion of the challenge and response, which means that the peer (authenticator) challenges the caller (authenticatee) to prove its identity. The challenge includes a random number and a unique ID that is generated by the authenticator. The caller must use the ID, random number, and its CHAP security credentials to generate the proper response (handshake) to send to the peer.

CHAP security credentials include a CHAP user name and a CHAP secret, an arbitrary string that is known to both caller and peer before they negotiate a PPP link. You configure CHAP security credentials in the CHAP database, /etc/ppp/chap-secrets.

/etc/ppp/chap-secrets File

The CHAP database is implemented in the /etc/ppp/chap-secrets file. Machines on both sides of the PPP link must have each other's CHAP credentials in their /etc/ppp/chap-secrets files for successful authentication.


Note –

Unlike PAP, the shared secret must be in the clear on both peers. You cannot use crypt, PAM, or the PPP login option with CHAP.


The /etc/ppp/chap-secrets file has the following syntax.

Table 36–7 Syntax of /etc/ppp/chap-secrets

Caller      Server      CHAP secret    IP Addresses
myclient    myserver    secret5748

The parameters have the following meanings:

myclient

CHAP user name of the caller. This name can be the same or different from the caller's UNIX user name. 

myserver

Name of the remote machine, often a dial-in server. 

secret5748

Caller's CHAP secret. 


Note –

Unlike PAP passwords, CHAP secrets are never sent over the link. Rather, they are used when the local machines compute the response.


IP address

IP address that is associated with the caller. Use an asterisk (*) to indicate any IP address. 

What Happens During CHAP Authentication

CHAP authentication occurs in the following sequence.

Figure 36–2 CHAP Authentication Sequence


  1. Two peers that are about to initiate communications agree on a secret to be used for authentication during negotiation of a PPP link.

  2. The administrators of both machines add the secret, CHAP user names, and other CHAP credentials to the /etc/ppp/chap-secrets database of their respective machines.

  3. The caller (authenticatee) calls the remote peer (authenticator).

  4. The authenticator generates a random number and an ID, and sends them to the authenticatee as a challenge.

  5. The authenticatee looks up the peer's name and secret in its /etc/ppp/chap-secrets database.

  6. The authenticatee calculates a response by applying the MD5 computational algorithm to the secret and the peer's random number challenge. Then the authenticatee sends the results as its response to the authenticator.

  7. The authenticator looks up the authenticatee's name and secret in its /etc/ppp/chap-secrets database.

  8. The authenticator calculates its own figure by applying MD5 to the number that was generated as the challenge and the secret for the authenticatee in /etc/ppp/chap-secrets.

  9. The authenticator compares its results with the response from the caller. If the two numbers are the same, the peer has successfully authenticated the caller, and link negotiation continues. Otherwise the link is dropped.
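The exchange of steps 4 through 9 carried through in code, as an added example that is not part of this guide or of Solaris pppd: the response is MD5(ID || secret || challenge) as RFC 1994 defines it, the two secrets tables are constructed stand-ins for each machine's /etc/ppp/chap-secrets, and the function names are assumed.

```python
# Added example: models the CHAP exchange of steps 4 through 9 above.
# It is not Solaris pppd code. The response is MD5(ID || secret || challenge)
# as RFC 1994 section 4.1 defines it; the two secrets tables are constructed
# stand-ins for each machine's /etc/ppp/chap-secrets.
import hashlib
import hmac
import os

# Authenticator's (dial-in server's) copy of the credentials, keyed as
# (caller, server) in the same order as the Caller and Server columns.
SERVER_CHAP_SECRETS = {("myclient", "myserver"): "secret5748"}
# Authenticatee's (caller's) own copy of the same shared secret.
CLIENT_CHAP_SECRETS = {("myclient", "myserver"): "secret5748"}


def chap_response(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticator_challenge(ident, length=16):
    """Step 4: a fresh random Challenge Value paired with an Identifier."""
    return ident, os.urandom(length)


def authenticatee_respond(caller, server, ident, challenge,
                          secrets=CLIENT_CHAP_SECRETS):
    """Steps 5 and 6: look up the shared secret and compute the response.
    Only the caller's name and the digest go back over the link; the
    secret itself never leaves the machine."""
    secret = secrets[(caller, server)]
    return caller, chap_response(ident, secret, challenge)


def authenticator_verify(name, server, ident, challenge, response,
                         secrets=SERVER_CHAP_SECRETS):
    """Steps 7 to 9: recompute with the stored secret and compare."""
    secret = secrets.get((name, server))
    if secret is None:
        return False  # unknown caller: nothing to compare, link is dropped
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(caller, server, client_secrets=CLIENT_CHAP_SECRETS, ident=1):
    """Drive one exchange; True when the authenticator accepts the caller."""
    ident, challenge = authenticator_challenge(ident)
    name, response = authenticatee_respond(caller, server, ident, challenge,
                                           client_secrets)
    return authenticator_verify(name, server, ident, challenge, response)


if __name__ == "__main__":
    print("correct secret accepted:", run_chap("myclient", "myserver"))
    bad = {("myclient", "myserver"): "guess"}
    print("wrong secret accepted:", run_chap("myclient", "myserver", bad))
```

Because the challenge is fresh each time, a response captured from one exchange does not verify against the next one, which is what keeps the secret off the wire and a recorded response useless.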

Creating an IP Addressing Scheme for Callers

Consider creating one or more IP addresses for all incoming calls instead of assigning a unique IP address to each remote user. Dedicated IP addresses are particularly important if the number of potential callers exceeds the number of serial ports and modems on the dial-in server. You can implement a number of different scenarios, depending on your site's needs. Moreover, the scenarios are not mutually exclusive.

Assigning Dynamic IP Addresses to Callers

Dynamic addressing involves the assignment to each caller of the IP address that is defined in /etc/ppp/options.ttyname. Dynamic addressing occurs on a per-serial port basis. Each time a call arrives over a particular serial line, the caller is given the IP address that is defined in the /etc/ppp/options.ttyname file for the serial interface that is handling the call.

For example, suppose a dial-in server has four serial interfaces that provide dial-up service to incoming calls:

With this addressing scheme, an incoming call on serial interface /dev/term/c is given the IP address 10.1.1.3 for the duration of the call. After the first caller hangs up, a later call that comes in over serial interface /dev/term/c is also given the IP address 10.1.1.3.

The advantages of dynamic addressing include the following:

Assigning Static IP Addresses to Callers

If your site implements PPP authentication, you can assign specific, static IP addresses to individual callers. In this scenario, every time a dial-out machine calls the dial-in server, the caller receives the same IP address.

You implement static addresses in either the pap-secrets or chap-secrets database. Here is a sample /etc/ppp/pap-secrets file with static IP addresses defined.

Caller    Server      Password       IP Addresses
joe       myserver    joepasswd      10.10.111.240
sally     myserver    sallypasswd    10.10.111.241
sue       myserver    suepasswd      10.10.111.242

Here is a sample /etc/ppp/chap-secrets file that defines static IP addresses.

Caller      Server      CHAP secret    IP Addresses
account1    myserver    secret5748     10.10.111.244
account2    myserver    secret91011    10.10.111.245

Assigning IP Addresses by sppp Unit Number

If you are using either PAP or CHAP authentication, you can assign IP addresses to callers by the sppp unit number. The next table shows an example of this usage.

Caller      Server        Password      IP Addresses
myclient    ISP-server    mypassword    10.10.111.240/28+

The plus (+) indicates that the unit number is added to the IP address. Addresses 10.10.111.240 through 10.10.111.255 are assigned to remote users. sppp0 gets IP address 10.10.111.240. sppp1 gets IP address 10.10.111.241, and so on.
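The secrets-file lookup behind the PAP tables above, the "" any-password form used with the login option, and the three shapes of the IP Addresses column (a static address, *, and the address/prefix+ unit-number form), as an added Python example that is not pppd's own matching code. The sample lines, the function names and the passwd_check hook are constructed; refusing a unit number that runs past the prefix is my reading of the statement that 10.10.111.240/28+ covers .240 through .255.

```python
# Added example, not pppd's own matching code: resolves a caller against
# pap-secrets style lines and works out the address from the IP Addresses
# column. Sample lines, function names and the passwd_check hook are
# constructed; refusing a unit number that runs past the prefix in the
# "address/prefix+" form is my reading of the text above.
import hmac
import ipaddress
import shlex

# Constructed sample mixing the forms shown in the tables above.
SAMPLE_PAP_SECRETS = """\
# Caller   Server      Password     IP Addresses
joe        myserver    joepasswd    10.10.111.240
sally      myserver    sallypasswd  10.10.111.241
myclient   ISP-server  mypassword   10.10.111.240/28+
pat        *           ""           *
"""


def parse_secrets(text):
    """Split lines into (caller, server, secret, addresses); '#' starts a
    comment and shlex keeps quoted secrets such as "joe's secret" whole."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed secrets line: {raw!r}")
        caller, server, secret = fields[:3]
        addresses = fields[3] if len(fields) > 3 else "*"
        entries.append((caller, server, secret, addresses))
    return entries


def lookup(entries, caller, server):
    """First entry whose Caller and Server columns match; '*' matches any."""
    for c, s, secret, addresses in entries:
        if c in ("*", caller) and s in ("*", server):
            return secret, addresses
    return None


def assign_address(spec, unit):
    """Resolve the IP Addresses column for a link running on sppp<unit>.
    '*' -> None (any address); 'a.b.c.d/n+' -> base plus unit number,
    refused once it leaves the prefix; anything else is returned as given
    (a literal address, or a host name resolved through /etc/hosts)."""
    if spec == "*":
        return None
    if spec.endswith("+"):
        block = spec[:-1]
        net = ipaddress.ip_network(block, strict=False)
        base = ipaddress.ip_address(block.split("/")[0])
        candidate = base + unit
        if candidate not in net:
            raise ValueError(f"sppp{unit} has no address left in {spec}")
        return str(candidate)
    return spec


def authenticate_pap(entries, caller, server, password, unit,
                     login=False, passwd_check=None):
    """PAP decision for one caller. A stored "" accepts any PAP password;
    with the login option the UNIX password database (passwd_check here)
    must also accept the pair. Returns (accepted, address_or_None)."""
    found = lookup(entries, caller, server)
    if found is None:
        return False, None
    secret, addresses = found
    if secret != "" and not hmac.compare_digest(secret, password):
        return False, None
    if login and not (passwd_check and passwd_check(caller, password)):
        return False, None
    return True, assign_address(addresses, unit)
```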

Creating PPPoE Tunnels for DSL Support

By using PPPoE, you can provide PPP over high-speed digital services to multiple clients that are using one or more DSL modems. PPPoE implements these services by creating an Ethernet tunnel through three participants: the enterprise, the telephone company, and the service provider.

This section contains detailed information about PPPoE commands and files, which are summarized in the next table.

Table 36–8 PPPoE Commands and Configuration Files

File or Command  

Description 

For Instructions 

/etc/ppp/pppoe

File that contains characteristics that are applied by default to all tunnels that were set up by PPPoE on the system 

/etc/ppp/pppoe File

/etc/ppp/pppoe.device

File that contains characteristics of a particular interface that is used by PPPoE for a tunnel 

/etc/ppp/pppoe.device File

/etc/ppp/pppoe.if

File that lists the Ethernet interface over which the tunnel that is set up by PPPoE runs 

/etc/ppp/pppoe.if File

/usr/sbin/sppptun

Command for configuring the Ethernet interfaces that are involved in a PPPoE tunnel 

/usr/sbin/sppptun Command

/usr/lib/inet/pppoed

Command and options for using PPPoE to set up a tunnel 

/usr/lib/inet/pppoed Daemon

Files for Configuring Interfaces for PPPoE

The interfaces that are used at either end of the PPPoE tunnel must be configured before the tunnel can support PPP communications. Use the /usr/sbin/sppptun command and the /etc/ppp/pppoe.if file for this purpose. You must use these tools to configure Ethernet interfaces on all Solaris PPPoE clients and access servers.

/etc/ppp/pppoe.if File

The /etc/ppp/pppoe.if file lists the names of all Ethernet interfaces on a host to be used for the PPPoE tunnels. This file is processed during system boot, when the interfaces that are listed are plumbed for use in PPPoE tunnels.

You need to explicitly create /etc/ppp/pppoe.if. Type the name of one interface to be configured for PPPoE on each line.

Sample /etc/ppp/pppoe.if File

The following example shows an /etc/ppp/pppoe.if file for a server that offers three interfaces for PPPoE tunnels.


# cat /etc/ppp/pppoe.if
hme1
hme2
hme3

PPPoE clients usually have only one interface that is listed in /etc/ppp/pppoe.if.

/usr/sbin/sppptun Command

You can use the /usr/sbin/sppptun command to manually plumb and unplumb the Ethernet interfaces to be used for PPPoE tunnels. By contrast, /etc/ppp/pppoe.if is only read when the system boots up. These interfaces should correspond to the interfaces that are listed in /etc/ppp/pppoe.if.

sppptun plumbs the Ethernet interfaces that are used in PPPoE tunnels in a manner similar to the ifconfig command. Unlike ifconfig, you must plumb interfaces twice to support PPPoE because two Ethernet protocol numbers are involved.

The basic syntax for sppptun is as follows:


# /usr/sbin/sppptun plumb pppoed device-name
     device-name:pppoed
# /usr/sbin/sppptun plumb pppoe device-name
     device-name:pppoe

In this syntax, device-name is the name of the device to be plumbed for PPPoE.

The first time you issue the sppptun command, the discovery protocol pppoed is plumbed on the interface. The second time you run sppptun, the session protocol pppoe is plumbed. sppptun prints the name of the interface that was just plumbed. You use this name to unplumb the interface, when necessary.

For more information, refer to the sppptun(1M) man page.

Sample sppptun Commands for Administering Interfaces

PPPoE Access Server Commands and Files

A service provider that offers DSL services or support to customers can use an access server that is running Solaris PPPoE. The PPPoE access server and client function in the traditional client-server relationship. This relationship is similar to that of the dial-out machine and dial-in server on a dial-up link, in that one system initiates communications and one system answers. By contrast, the PPP protocol has no notion of the client-server relationship and considers both machines equal peers.

The commands and files that set up a PPPoE access server include the following:

/usr/lib/inet/pppoed Daemon

The pppoed daemon accepts broadcasts for services from prospective PPPoE clients. Additionally, pppoed negotiates the server side of the PPPoE tunnel and runs pppd, the PPP daemon, over that tunnel.

You configure pppoed services in the /etc/ppp/pppoe and /etc/ppp/pppoe.device files. If /etc/ppp/pppoe exists when the system boots, pppoed runs automatically. You can also explicitly run the pppoed daemon on the command line by typing /usr/lib/inet/pppoed.

/etc/ppp/pppoe File

The /etc/ppp/pppoe file describes the services that are offered by an access server plus options that define how PPP runs over the PPPoE tunnel. You can define services for individual interfaces, or globally, that is, for all interfaces on the access server. The access server sends the information in the /etc/ppp/pppoe file in response to a broadcast from a potential PPPoE client.

The following is the basic syntax of /etc/ppp/pppoe:


global-options
service service-name
    service-specific-options
    device interface-name
  
The parameters have the following meanings:

global-options

Sets the default options for the /etc/ppp/pppoe file. These options can be any options available through pppoed or pppd. For complete lists of options, see the man pages pppoed(1M) and pppd(1M).

For example, you must list the Ethernet interfaces available for the PPPoE tunnel as part of global options. If you do not define devices in /etc/ppp/pppoe, the services are not offered on any interface.

To define devices as a global option, use the following form:


device interface <,interface>

interface specifies the interface where the service listens for potential PPPoE clients. If more than one interface is associated with the service, separate each name with a comma.

service service-name

Starts the definition of the service service-name. service-name is a string that can be any phrase appropriate to the services that are provided.

service-specific-options

Lists the PPPoE and PPP options specific to this service. 

device interface-name

Specifies the interface where the previously listed service is available. 

For additional options to /etc/ppp/pppoe, refer to the pppoed(1M) and pppd(1M) man pages.

A typical /etc/ppp/pppoe file might resemble the following.


Example 36–4 Basic /etc/ppp/pppoe File


device hme1,hme2,hme3
service internet
   pppd "name internet-server"
service intranet
   pppd "192.168.1.1:"
service debug
   device hme1
   pppd "debug name internet-server"

In this file, the following apply:

hme1,hme2,hme3

Three interfaces on the access server to be used for PPPoE tunnels. 

service internet

Advertises a service that is called internet to prospective clients. The provider that offers the service also determines how internet is defined. For example, a provider might define internet to mean various IP services, as well as access to the Internet.

pppd

Sets the command-line options that are used when the caller invokes pppd. The option "name internet-server" gives the name of the local machine (the access server) as internet-server.

service intranet

Advertises another service, called intranet, to prospective clients.

pppd "192.168.1.1:"

Sets the command-line options that are used when the caller invokes pppd. When the caller invokes pppd, 192.168.1.1 is set as the IP address for the local machine (the access server).

service debug

Advertises a third service, debugging, on the interfaces that are defined for PPPoE. 

device hme1

Restricts debugging to PPPoE tunnels to hme1.

pppd "debug name internet-server"

Sets the command-line options that are used when the caller invokes pppd, in this instance, PPP debugging on internet-server, the local machine.

/etc/ppp/pppoe.device File

The /etc/ppp/pppoe.device file describes the services that are offered on one interface of a PPPoE access server plus options that define how PPP runs over the PPPoE tunnel. /etc/ppp/pppoe.device is an optional file, which operates exactly like the global /etc/ppp/pppoe. However, if /etc/ppp/pppoe.device is defined for an interface, its parameters have precedence for that interface over the global parameters that are defined in /etc/ppp/pppoe.

The basic syntax of /etc/ppp/pppoe.device is as follows:


service service-name
     service-specific-options
service another-service-name
      service-specific-options    

The only difference between this syntax and that of /etc/ppp/pppoe is that you cannot use the device option that is shown in /etc/ppp/pppoe File.

pppoe.so Plugin

pppoe.so is the PPPoE shared object file that must be invoked by PPPoE access servers and clients. This file limits MTU and MRU to 1492, filters packets from the driver, and negotiates the PPPoE tunnel, along with pppoed. On the access server side, pppoe.so is automatically invoked by the pppd daemon.

Using PPPoE and PPP Files to Configure an Access Server

This section contains samples of all files that are used to configure an access server. The access server is multihomed and attached to three subnets: green, orange, and purple. pppoed runs as root on the server, which is the default.

PPPoE clients can access the orange and purple networks through interfaces hme0 and hme1. Clients log in to the server by using the standard UNIX login. The server authenticates them by using PAP.

The green network is not advertised to clients. The only way clients can access green is by directly specifying “green-net” and supplying CHAP authentication credentials. Moreover, only clients joe and mary are allowed to access the green network. They must use static IP addresses to do so.


Example 36–5 /etc/ppp/pppoe File for an Access Server


service orange-net
     device hme0,hme1
     pppd "require-pap login name orange-server orange-server:"
service purple-net
     device hme0,hme1 
     pppd "require-pap login name purple-server purple-server:"
service green-net
     device hme1 
     pppd "require-chap name green-server green-server:"
     nowildcard

This sample describes the services available from the access server. The first service section describes the services of the orange network.


service orange-net
     device hme0,hme1
     pppd "require-pap login name orange-server orange-server:"

Clients access the orange network over interfaces hme0 and hme1. The options that are given to the pppd command force the server to require PAP credentials from potential clients. The pppd options also set the server's name to orange-server, as used in the pap-secrets file.

The service section for the purple network is identical to that of the orange network except for the network and server names.

The next section describes the services of the green network:


service green-net
     device hme1
     pppd "require-chap name green-server green-server:"
     nowildcard

This section restricts client access to interface hme1. Options that are given to the pppd command force the server to require CHAP credentials from prospective clients. The pppd options also set the server name to green-server, to be used in the chap-secrets file. The nowildcard option specifies that the existence of the green network is not advertised to clients.

For the access server scenario just discussed, you might set up the following /etc/ppp/options file.


Example 36–6 /etc/ppp/options File for an Access Server


auth
proxyarp
nodefaultroute
name no-service    # don't authenticate otherwise

The option name no-service overrides the server name that is normally searched for during PAP or CHAP authentication. The server's default name is the one that is found in the /usr/bin/hostname file. The name option in the previous example changes the server's name to no-service, a name not likely to be found in a pap-secrets or chap-secrets file. This action prevents a random user from running pppd and overriding the auth and name options that are set in /etc/ppp/options. pppd then fails because it cannot find any secrets for the client with a server name of no-service.

The access server scenario uses the following /etc/hosts file.


Example 36–7 /etc/hosts File for an Access Server


     172.16.0.1	orange-server
     172.17.0.1	purple-server
     172.18.0.1	green-server
     172.18.0.2	joes-pc
     172.18.0.3	marys-pc

Here is the /etc/ppp/pap-secrets file that is used for PAP authentication for clients that attempt to access the orange and purple networks.


Example 36–8 /etc/ppp/pap-secrets File for an Access Server


* orange-server "" 172.16.0.2/16+
* purple-server "" 172.17.0.2/16+

Here is the /etc/ppp/chap-secrets file that is used for CHAP authentication. Note that only clients joe and mary are listed in the file.


Example 36–9 /etc/ppp/chap-secrets File for an Access Server


joe green-server "joe's secret" joes-pc
mary green-server "mary's secret" marys-pc

PPPoE Client Commands and Files

To run PPP over a DSL modem, a machine must become a PPPoE client. You have to plumb an interface to run PPPoE, and then use the pppoec utility to “discover” the existence of an access server. Thereafter, the client can create the PPPoE tunnel over the DSL modem and run PPP.

The PPPoE client relates to the access server in the traditional client-server model. The PPPoE tunnel is not a dial-up link, but it is configured and operated in much the same manner.

The commands and files that set up a PPPoE client include the following:

/usr/lib/inet/pppoec Utility

The /usr/lib/inet/pppoec utility is responsible for negotiating the client side of a PPPoE tunnel. pppoec is similar to the Solaris PPP 4.0 chat utility, in that you do not invoke it directly. Rather, you start /usr/lib/inet/pppoec as an argument to the connect option of pppd.

pppoe.so Plugin

pppoe.so is the PPPoE shared object that must be loaded by PPPoE to provide PPPoE capability to access servers and clients. This shared object limits MTU and MRU to 1492, filters packets from the driver, and handles runtime PPPoE messages.

On the client side, pppd loads pppoe.so when the user specifies the plugin pppoe.so option.

/etc/ppp/peers/peer-name File for Defining an Access Server Peer

When you define an access server to be discovered by pppoec, you use options that apply to both pppoec and the pppd daemon. A /etc/ppp/peers/peer-name file for an access server requires the following parameters:

The remaining parameters in the /etc/ppp/peers/peer-name file should apply to the PPP link on the server. Use the same options that you would for /etc/ppp/peers/peer-name on a dial-out machine. Try to limit the number of options to the minimum you need for the PPP link.

The following example is introduced in How to Define a PPPoE Access Server Peer.


Example 36–10 /etc/ppp/peers/peer-name to Define a Remote Access Server


# vi /etc/ppp/peers/dslserve
sppptun
plugin pppoe.so
connect "/usr/lib/inet/pppoec hme0"
noccp
noauth
user Red
password redsecret
noipdefault
defaultroute

This file defines parameters to be used when setting up a PPPoE tunnel and PPP link to access server dslserve. The options included are as follows:

Option 

Description 

sppptun

Defines sppptun as the name of the serial device.

plugin pppoe.so

Instructs pppd to load the pppoe.so shared object.

connect "/usr/lib/inet/pppoec hme0"

Runs pppoec and designates hme0 as the interface for the PPPoE tunnel and PPP link.

noccp

Turns off CCP compression on the link.


Note –

If they use any compression algorithms at all, many ISPs use only proprietary compression algorithms. Turning off the publicly available CCP algorithm saves negotiation time and avoids very occasional interoperability problems.


noauth

Stops pppd from demanding authentication credentials from the access server. Most ISPs do not provide authentication credentials to customers.

user Red

Sets the name Red as the user name for the client, required for PAP authentication by the access server.

password redsecret

Defines redsecret as the password to be provided to the access server for PAP authentication.

noipdefault

Assigns 0.0.0.0 as the initial IP address. 

defaultroute

Tells pppd to install a default IPv4 route after IPCP negotiation. You should include defaultroute in /etc/ppp/peers/peer-name when the link is the system's link to the Internet, which is true for a PPPoE client.