On the server, become superuser and prepare to edit the /etc/asppp.cf file.
Add the require_authentication keyword for each machine on the link that is to use either CHAP or PAP security.
For each pap keyword add an associated pap_peer_id and pap_peer_password string.
For each chap keyword add an associated chap_peer_secret and chap_peer_name string.
You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 11-3 to see what each keyword specifies. Examples can be found in Example 11-4.
On each remote host on the link that is to use either PAP or CHAP security, add an entry in the remote host's /etc/asppp.cf file with the will_do_authentication keyword.
You can state the keywords explicitly, or if you prefer, you can use the default for the path. Refer to Table 11-3 to see what each keyword specifies. Examples can be found starting with Example 11-4.
Either server or client can require authentication or offer to do authentication.
If PAP and CHAP are both present, the authenticator first tries CHAP. If that fails, the link is terminated. The authenticator will not try PAP.
The default value for PAP and CHAP authentication keywords is off. The syntax for keywords is:
    require_authentication off | pap[chap] | chap[pap]
    will_do_authentication off | pap[chap] | chap[pap]
If you fail to specify pap_id and pap_password or pap_peer_id and pap_peer_password keywords and values for the associated path, the corresponding values are set to the NULL string.
You must specify chap_name, chap_secret, chap_peer_secret, and chap_peer_name keywords and values for that path.
Example 11-4 shows the asppp.cf file for the server mojave with PAP and CHAP authentication required. The peers are nomada (PAP) and nomadb (CHAP).
    ifconfig ipdptp0 plumb mojave nomada up
    ifconfig ipdptp1 plumb mojave nomadb up
    path
       peer_system_name tamerlane
       require_authentication pap   #tells nomada that mojave
                                    #requires pap authentication
       pap_peer_id desert
       pap_peer_password oasis
    path
       peer_system_name lawrence
       require_authentication chap  #tells nomadb that mojave
                                    #requires chap authentication
       chap_peer_name another\sdesert
       chap_peer_secret secret\soasis\swith\007bell
Example 11-5 shows mojave's remote host nomada offering to do both PAP and CHAP authentication.
    ifconfig ipdptp0 plumb tamerlane mojave up
    path
       interface ipdptp0
       peer_system_name mojave
       will_do_authentication chap pap  #nomada tells mojave
                                        #that it will do chap and
                                        #pap authentication
       pap_id desert
       pap_password oasis
       chap_name desert\srain
       chap_secret %$#@7&*(+|`P'12
Example 11-6 shows mojave's remote host nomadb offering to do CHAP authentication.
    ifconfig ipdptp0 plumb nomadb mojave private up
    path
       interface ipdptp0
       peer_system_name mojave
       will_do_authentication chap  #nomadb tells mojave that it
                                    #will do chap authentication
       chap_name another\sdesert
       chap_secret secret\soasis\swith\007bell
Ideally, both CHAP and PAP are included in the configuration file, with the server requiring authentication and the remote host willing to do authentication. However, this is reversible, so either side can require authentication. CHAP secrets need to be delivered by secure means. This generally involves handing them over in person.
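The keyword rules above can be checked mechanically before a link goes live. The following is an added example, not part of the original documentation: a Python check that reads asppp.cf text and reports every path whose authentication setting lacks its credential keywords (for PAP, the values that would default to the NULL string). The function names parse_paths and audit, the whitespace tokenizing, and the comment rule are assumptions, and the sample file is constructed.

```python
import re

# Credential keywords that each authentication setting needs on the same path.
NEEDS = {
    ("require_authentication", "pap"): ("pap_peer_id", "pap_peer_password"),
    ("require_authentication", "chap"): ("chap_peer_name", "chap_peer_secret"),
    ("will_do_authentication", "pap"): ("pap_id", "pap_password"),
    ("will_do_authentication", "chap"): ("chap_name", "chap_secret"),
}
KEYWORDS = {"interface", "peer_system_name"} | {k for k, _ in NEEDS} | {
    w for words in NEEDS.values() for w in words}

def parse_paths(text):
    """Return one {keyword: [values]} dict per 'path' section."""
    paths, key = [], None
    for line in text.splitlines():
        # Assumption: '#' opens a comment only at a token start, so %$#@7 survives.
        tokens = re.sub(r"(^|\s)#.*", "", line).split()
        if tokens[:1] == ["ifconfig"]:
            continue
        for tok in tokens:
            if tok == "path":
                paths.append({})
                key = None
            elif tok in KEYWORDS:
                key = tok
            elif key and paths:
                paths[-1].setdefault(key, []).append(tok)
    return paths

def audit(text):
    """Return (peer, setting, protocol, missing keyword) per gap found."""
    findings = []
    for path in parse_paths(text):
        peer = " ".join(path.get("peer_system_name", ["?"]))
        for (setting, proto), wanted in NEEDS.items():
            if proto in path.get(setting, []):
                findings += [(peer, setting, proto, w) for w in wanted if not path.get(w)]
    return findings

# Constructed sample: PAP path without credentials, CHAP path without a peer name.
SAMPLE = """path
   peer_system_name nomada
   require_authentication pap   #credentials missing: NULL string
path
   peer_system_name nomadb
   require_authentication chap
   chap_peer_secret %$#@7&*(+|`P'12
"""
```

Calling audit(SAMPLE) returns three findings: both PAP credential keywords for nomada and chap_peer_name for nomadb.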