Solstice PPP 3.0.1 Administration Guide

Peer Authentication using PAP and CHAP

Solstice PPP implements peer authentication based on the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP) defined by RFC 1334. Peer authentication is optional, and is negotiated during the link establishment phase.

See "Editing the PPP Path Configuration File (ppp.conf)" for instructions on how to enable and use peer authentication.

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) provides simple password authentication on initial link establishment. It is not a strong authentication method, since passwords are transmitted in the clear over the link and there is no protection from repeated attacks during the life of the link.

When PAP authentication is requested by one end of the link during the link establishment phase, the other end must respond with a valid and recognized identifier and password pair. If it fails to respond, or if either the identifier or the password is rejected, authentication fails and the link is closed.

PAP authentication may be requested by one end of the link only, or by both ends of the link simultaneously. If both ends request PAP authentication, they exchange identifiers and passwords. Authentication must be successful at both ends, or the link is closed.
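The following is an added example, not Solstice PPP code, that builds and checks a PAP Authenticate-Request in the packet format RFC 1334 defines (Code, Identifier, Length, then a length-prefixed Peer-ID and a length-prefixed Password). The credential table, the peer name "branch-router" and the password value are constructed for the example. It shows the authenticator's accept/reject decision and makes the section's security point concrete: the password bytes sit unchanged inside the frame, so anyone who can read the link can read the password.

```python
import hmac
import struct

PAP_AUTHENTICATE_REQUEST = 1  # PAP Code field value for Authenticate-Request (RFC 1334)


def pap_encode_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Peer side: build an Authenticate-Request. Nothing is hashed or encrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)  # Code (1) + Identifier (1) + Length (2) + body
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, identifier, length) + body


def pap_decode_request(packet: bytes) -> tuple[int, bytes, bytes]:
    """Authenticator side: parse the request, rejecting malformed or truncated frames."""
    if len(packet) < 6:  # header (4) + Peer-ID-Length (1) + Passwd-Length (1) at minimum
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTHENTICATE_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Authenticate-Request")
    pos = 4
    id_len = packet[pos]
    pos += 1
    peer_id = packet[pos:pos + id_len]
    pos += id_len
    if len(peer_id) != id_len or pos >= len(packet):
        raise ValueError("truncated Peer-ID")
    pw_len = packet[pos]
    pos += 1
    password = packet[pos:pos + pw_len]
    pos += pw_len
    if len(password) != pw_len or pos != len(packet):
        raise ValueError("truncated Password or trailing data")
    return identifier, peer_id, password


def pap_authenticate(packet: bytes, credentials: dict[bytes, bytes]) -> bool:
    """Accept only a recognized identifier whose password matches; anything else closes the link."""
    try:
        _, peer_id, password = pap_decode_request(packet)
    except ValueError:
        return False
    expected = credentials.get(peer_id)
    # Constant-time comparison so the check itself does not leak password bytes by timing.
    return expected is not None and hmac.compare_digest(expected, password)


def password_visible_on_wire(packet: bytes, password: bytes) -> bool:
    """The weakness the text describes: the password appears verbatim in the transmitted frame."""
    return password in packet


if __name__ == "__main__":
    # Constructed sample credentials; not real values.
    table = {b"branch-router": b"hunter2"}
    request = pap_encode_request(7, b"branch-router", b"hunter2")
    print("accepted:", pap_authenticate(request, table))
    print("password readable in frame:", password_visible_on_wire(request, b"hunter2"))
```

A capture of the link during authentication therefore yields the credential directly, which is why the guide recommends CHAP where both ends support it.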

Challenge-Handshake Authentication Protocol (CHAP)

The Challenge-Handshake Authentication Protocol (CHAP) provides password authentication on initial link establishment, based on a three-way handshake mechanism. It depends on a CHAP secret, known only to the authenticator and its peer, which is not transmitted over the link.

When CHAP authentication is requested by one end of the link, it generates a challenge message that includes a challenge value, which is calculated from the CHAP secret. The other end must respond to the challenge message with a response value, which is calculated from the challenge value received, and the common secret. If it fails to respond, or if the response does not correspond to that expected by the authenticator, the link is closed.

CHAP is a stronger authentication method than PAP, because the secret is not transmitted over the link, and because it provides protection against repeated attacks during the life of the link. As a result, if both PAP and CHAP authentication are enabled, CHAP authentication is always performed first.

CHAP authentication may be requested by one end of the link only, or by both ends of the link simultaneously. If both ends request CHAP authentication, they exchange challenge and response messages. Authentication must be successful at both ends, or the link is closed.
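The following is an added example, not Solstice PPP code, that walks through the CHAP handshake described above with the MD5 algorithm of RFC 1334, where the response value is MD5(Identifier || secret || challenge value). It assumes, as that RFC specifies, that the challenge value is a fresh random value and that the shared secret enters only the response computation. The secrets and the helper names (chap_challenge, chap_response, chap_verify, mutual_chap, replay_rejected) are constructed for the example. It covers the one-sided case, the mutual case in which both ends challenge each other, a wrong-secret failure, and why a response captured from one round is useless against a later challenge.

```python
import hashlib
import hmac
import os


def chap_challenge(size: int = 16) -> bytes:
    """Authenticator side: an unpredictable challenge value, new for every round."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5 over the Identifier octet, the shared secret and the challenge value.
    The secret itself never leaves the host; only this 16-byte digest is sent."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value with its own copy of the secret
    and compare in constant time. A mismatch means the link is closed."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_chap(authenticator_secret: bytes, peer_secret: bytes, identifier: int = 1) -> bool:
    """Only one end requests CHAP: it challenges, the other end answers."""
    challenge = chap_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return chap_verify(identifier, authenticator_secret, challenge, response)


def mutual_chap(secret_a: bytes, secret_b: bytes, identifier: int = 1) -> tuple[bool, bool]:
    """Both ends request CHAP: each issues its own challenge and checks the other's response.
    Returns (A accepts B, B accepts A); the link stays up only if both are True."""
    challenge_from_a = chap_challenge()
    challenge_from_b = chap_challenge()
    response_from_b = chap_response(identifier, secret_b, challenge_from_a)
    response_from_a = chap_response(identifier, secret_a, challenge_from_b)
    return (
        chap_verify(identifier, secret_a, challenge_from_a, response_from_b),
        chap_verify(identifier, secret_b, challenge_from_b, response_from_a),
    )


def replay_rejected(secret: bytes, identifier: int = 1) -> bool:
    """Why CHAP resists repeated attacks during the life of the link: a response recorded
    against one challenge does not verify against the next, fresh challenge."""
    old_challenge = chap_challenge()
    recorded_response = chap_response(identifier, secret, old_challenge)
    new_challenge = chap_challenge()
    return not chap_verify(identifier, secret, new_challenge, recorded_response)


if __name__ == "__main__":
    # Constructed sample secrets; not real values.
    print("one-way, matching secrets:", one_way_chap(b"s3cret", b"s3cret"))
    print("mutual, matching secrets:", mutual_chap(b"s3cret", b"s3cret"))
    print("mutual, one side wrong:", mutual_chap(b"s3cret", b"wrong"))
    print("recorded response rejected later:", replay_rejected(b"s3cret"))
```

Because the authenticator can send a new challenge at any time, the same mechanism lets it re-verify the peer periodically after the link is up, which is the "protection against repeated attacks during the life of the link" the text refers to.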