System Administration Guide, Volume 3

How to Install PAP/CHAP

  1. Become superuser on the server.

  2. Edit the /etc/asppp.cf file.

  3. Add the require_authentication keyword for each machine on the link that is to use either CHAP or PAP security.

    1. For each pap keyword, add an associated pap_peer_id and pap_peer_password string.

    2. For each chap keyword, add an associated chap_peer_secret and chap_peer_name string.

      You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 24-1 to see what each keyword specifies. Examples can be found in Example 23-1.

  4. On each remote host on the link that is to use either PAP or CHAP security, add an entry in the remote host's /etc/asppp.cf file with the will_do_authentication keyword.

    1. For each pap keyword entry, add an associated pap_id and pap_password string.

    2. For each chap keyword entry, add an associated chap_secret and chap_name string.

PAP/CHAP Examples

The example below shows the asppp.cf file for the server mojave with PAP and CHAP authentication required. The peers are nomada (PAP) and nomadb (CHAP).


Example 23-1 Code Example for Server mojave


ifconfig ipdptp0 plumb mojave nomada up
ifconfig ipdptp1 plumb mojave nomadb up
path
      peer_system_name tamerlane
      require_authentication pap  #tells nomada that mojave
                                  #requires pap authentication
      pap_peer_id desert
      pap_peer_password oasis
path
      peer_system_name lawrence
      require_authentication chap  #tells nomadb that mojave
                                   #requires chap authentication
      chap_peer_name another\sdesert
      chap_peer_secret secret\soasis\swith\007bell

The next sample shows mojave's remote host nomada offering to do both PAP and CHAP authentication.


Example 23-2 Code Example for Remote Host nomada


ifconfig ipdptp0 plumb tamerlane mojave up
path
      interface ipdptp0
      peer_system_name mojave
      will_do_authentication chap pap #nomada tells mojave
                                      #that it will do chap and
                                      #pap authentication
      pap_id desert
      pap_password oasis
      chap_name desert\srain
      chap_secret %$#@7&*(+|`P'12

The next example shows mojave's remote host nomadb offering to do CHAP authentication.


Example 23-3 Code Example for Remote Host nomadb


ifconfig ipdptp0 plumb nomadb mojave private up
path
     interface ipdptp0
     peer_system_name mojave
     will_do_authentication chap   #nomadb tells mojave that it
                                   #will do chap authentication
     chap_name another\sdesert
     chap_secret secret\soasis\swith\007bell

Ideally, both CHAP and PAP are included in the configuration file, with the server requiring authentication and the remote host willing to do authentication. However, this is reversible, so that either side can require authentication. CHAP secrets need to be delivered by secure means. This generally involves manually releasing them.
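
The keyword pairings from the steps in How to Install PAP/CHAP can be checked mechanically before the file goes live. The following Python check is an added example, not part of the original guide or of asppp: for each path it reports every companion keyword that is not stated explicitly. It assumes one keyword per line, as in the examples here, and that # begins a comment only at line start or after whitespace; parse_paths, lint and SAMPLE are names chosen for this example.

```python
import re

# Companion keywords that the steps above pair with each authentication keyword.
COMPANIONS = {
    ("require_authentication", "pap"): ("pap_peer_id", "pap_peer_password"),
    ("require_authentication", "chap"): ("chap_peer_secret", "chap_peer_name"),
    ("will_do_authentication", "pap"): ("pap_id", "pap_password"),
    ("will_do_authentication", "chap"): ("chap_secret", "chap_name"),
}

# Constructed sample: the second path requires CHAP but states no chap_peer_secret.
SAMPLE = """\
ifconfig ipdptp0 plumb mojave nomada up
path
      peer_system_name tamerlane
      require_authentication pap   #server requires pap
      pap_peer_id desert
      pap_peer_password oa#sis
path
      peer_system_name lawrence
      require_authentication chap
      chap_peer_name another\\sdesert
"""

def parse_paths(text):
    # Assumptions: one keyword per line, as in the examples on this page, and
    # '#' starts a comment only at line start or after whitespace, so that a
    # secret containing '#' is kept whole.
    paths, current = [], None
    for raw in text.splitlines():
        tokens = re.sub(r"(^|\s)#.*", "", raw).split()
        if not tokens:
            continue
        if tokens[0] == "path":
            current = {}
            paths.append(current)
        elif current is not None:
            current[tokens[0]] = tokens[1:]
    return paths

def lint(text):
    # Return (peer_system_name, keyword) for each companion not stated explicitly.
    findings = []
    for path in parse_paths(text):
        peer = (path.get("peer_system_name") or ["?"])[0]
        for (auth_kw, proto), needed in COMPANIONS.items():
            if proto in path.get(auth_kw, []):
                findings += [(peer, kw) for kw in needed if not path.get(kw)]
    return findings
```

A finding means the path relies on the default for that keyword instead of an explicit value.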