Become superuser on the server.
For each machine on the link that is to use either CHAP or PAP security, add the require_authentication keyword.
For each pap keyword, add an associated pap_peer_id and pap_peer_password string.
For each chap keyword, add an associated chap_peer_secret and chap_peer_name string.
You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 24-1 to see what each keyword specifies. Examples can be found in Example 23-1.
On each remote host on the link that is to use either PAP or CHAP security, add an entry with the will_do_authentication keyword to the remote host's /etc/asppp.cf file.
The example below shows the asppp.cf file for the server mojave with PAP and CHAP authentication required. The peers are nomada (PAP) and nomadb (CHAP).

    ifconfig ipdptp0 plumb mojave nomada up
    ifconfig ipdptp1 plumb mojave nomadb up
    path
       peer_system_name tamerlane
       require_authentication pap  #tells nomada that mojave
                                   #requires pap authentication
       pap_peer_id desert
       pap_peer_password oasis
    path
       peer_system_name lawrence
       require_authentication chap  #tells nomadb that mojave
                                    #requires chap authentication
       chap_peer_name another\sdesert
       chap_peer_secret secret\soasis\swith\007bell

The next sample shows mojave's remote host nomada offering to do both PAP and CHAP authentication.

    ifconfig ipdptp0 plumb tamerlane mojave up
    path
       interface ipdptp0
       peer_system_name mojave
       will_do_authentication chap pap  #nomada tells mojave
                                        #that it will do chap and
                                        #pap authentication
       pap_id desert
       pap_password oasis
       chap_name desert\srain
       chap_secret %$#@7&*(+|`P'12

The next example shows mojave's remote host nomadb offering to do CHAP authentication.

    ifconfig ipdptp0 plumb nomadb mojave private up
    path
       interface ipdptp0
       peer_system_name mojave
       will_do_authentication chap  #nomadb tells mojave that it
                                    #will do chap authentication
       chap_name another\sdesert
       chap_secret secret\soasis\swith\007bell

Ideally, both CHAP and PAP are included in the configuration file, with the server requiring authentication and the remote host willing to do authentication. However, this arrangement is reversible, so either side can require authentication. CHAP secrets need to be delivered by secure means. This generally involves manually releasing them.
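
The keyword pairings in the procedure and examples above can be checked mechanically before a link is brought up. The following is an added example, not part of the original documentation or of asppp itself. The function names are hypothetical, only the authentication keywords shown on this page are parsed, and the comment handling is an assumption noted in the code.

```python
import re

AUTH = {"require_authentication": "peer_", "will_do_authentication": ""}
FIELDS = {"pap": ("id", "password"), "chap": ("name", "secret")}
VALUED = {f"{m}_{p}{f}" for p in AUTH.values() for m in FIELDS for f in FIELDS[m]}

def parse_paths(text):
    """Return one dict per `path` section, keeping only authentication keywords."""
    # Assumption: '#' opens a comment only at a token start; ifconfig lines are skipped.
    text = re.sub(r"(?m)^\s*ifconfig.*$|(^|\s)#.*$", "", text)
    tokens, paths, cur, i = text.split(), [], {}, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok in ("path", "defaults"):
            cur = {}
            paths += [cur] if tok == "path" else []
        elif tok in AUTH:
            n = i
            while i < len(tokens) and tokens[i] in FIELDS:
                i += 1
            cur[tok] = tokens[n:i]
        elif tok in VALUED and i < len(tokens):
            cur[tok], i = tokens[i], i + 1
    return paths

def missing_keywords(path):
    """Credential keywords that an authentication keyword calls for but the path lacks."""
    return [k for kw, p in AUTH.items() for m in path.get(kw, [])
            for f in FIELDS[m] if (k := f"{m}_{p}{f}") not in path]

def mismatches(server, remote):
    """Keyword names (never values) where the remote cannot satisfy the server."""
    need = server.get("require_authentication", [])
    offer = remote.get("will_do_authentication", [])
    return [f"will_do_authentication {m}" for m in need if m not in offer] + [
        f"{m}_{f}" for m in need for f in FIELDS[m]
        if server.get(f"{m}_peer_{f}") != remote.get(f"{m}_{f}")]

# Constructed samples modelled on the page's files; the remote omits pap_password on purpose.
SERVER = r"""path
   require_authentication chap  #tells nomadb that mojave requires chap
   chap_peer_name another\sdesert
   chap_peer_secret secret\soasis\swith\007bell"""
REMOTE = r"""ifconfig ipdptp0 plumb nomadb mojave private up
path
   will_do_authentication chap pap
   chap_name another\sdesert
   chap_secret secret\soasis\swith\007bell
   pap_id desert"""
```

With the samples as written, `missing_keywords(parse_paths(REMOTE)[0])` returns `['pap_password']` and `mismatches(parse_paths(SERVER)[0], parse_paths(REMOTE)[0])` returns `[]`.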