System Administration Guide, Volume 3

Rules for PAP/CHAP Keywords

Either server or client can require authentication or offer to do authentication.
If PAP and CHAP are both present, the authenticator first tries CHAP. If that fails, the link is terminated. The authenticator will not try PAP.

The default value for PAP and CHAP authentication keywords is off. The syntax for keywords is:

require_authentication     off | pap[chap] | chap[pap]

will_do_authentication     off | pap[chap] | chap[pap]

If you fail to specify pap_id and pap_password or pap_peer_id and pap_peer_password keywords and values for the associated path, the corresponding values are set to the NULL string.
You must specify chap_name, chap_secret, chap_peer_secret, and chap_peer_name keywords and values for that path.
peername - The name of the system at the other end of the point-to-point link from the authenticator. It takes the form of a string with the syntax specified below.
string - A single token without embedded white space. The standard ANSI C \ escape sequence can be used to embed special characters. Use \s for the space character. Any pound sign at the beginning of the string must be escaped (\#) to avoid interpretation as a comment. A NULL (\0) truncates the string.

Table 24-1 PAP/CHAP Keyword Definitions


Keywords	Value Definition
`require_authentication` `keywords`	Specifies whether the peer must authenticate itself. If either `pap` or `chap` is present, the peer must participate in authentication or end the connection. The default value is off.
`pap_peer_id` `peername`	Specifies the name of the peer to be authenticated for the current path. `peername` string is one or more octets. To indicate a zero-length string, do not include the keyword.
`pap_peer_password` `string`	Specifies password for peer in one or more octets. To indicate a zero-length string, do not include the keyword.
`chap_peer_secret` `string`	Specifies the secret used with the challenge value to generate the response sent by the peer. The format is one or more octets, preferably at least 16.
`chap_peer_name` `peername`	Specifies the identity of the peer transmitting the packet. The name should not be NULL or terminated with CR/LF. The name is received from the peer in a response packet and consists of one or more octets.
`will_do_authentication` `keywords`	Specifies whether the system is willing to participate as the authenticated peer in the specified authentication process. If both `pap` and `chap` are present, the system is willing to participate in either authentication protocol. The default value is off.
`pap_id` `peername`	Specifies the name of the system to be sent to the authenticator in the response packet. To indicate a zero-length string, do not include the keyword.
`pap_password` `string`	Specifies the password for the system to be sent to the authenticator in the response packet. To indicate a zero-length string, do not include the keyword.
`chap_secret` `string`	Contains the secret that is used with the received challenge value to generate the response sent to the authenticator. The format is one or more octets, preferably at least 16.
`chap_name` `peername`	Specifies the identity of the system. The name should not end with a NULL or CR/LF. The name is sent to the authenticator in a response packet.