Examples of PPP Authentication
This section contains examples of authentication scenarios to be used in the procedures
in Chapter 5, Setting Up Point-to-Point Protocol Authentication.
Example of a Configuration Using PAP Authentication
The tasks in Configuring
PAP Authentication show how to set up PAP authentication over
the PPP link. The procedures use as an example a PAP scenario that
was created for the fictitious “Big Company” in Example of a Configuration for
Big Company wants to enable its users to work from home. The
system administrators want a secure solution for the serial lines
to the dial-in server. UNIX-style login that uses the NIS password
databases has served Big Company's network well in the past. The system
administrators want a UNIX-like authentication scheme for calls that
come in to the network over the PPP link. So, the administrators implement
the following scenario that uses PAP authentication.
Figure 2-3 Example of a PAP Authentication Scenario (Working From Home)
The system administrators create a dedicated dial-in DMZ that
is separated from the rest of the corporate network by a router. The
term DMZ comes from the military term “demilitarized zone.”
The DMZ is an isolated network that is set up for security purposes.
The DMZ typically contains resources that a company offers to the
public, such as web servers, anonymous FTP servers, databases, and
modem servers. Network designers often place the DMZ between a firewall
and a company's Internet connection.
The only occupants of the DMZ that is pictured in Figure 2-3 are
the dial-in server myserver and the router. The
dial-in server requires callers to provide PAP credentials, including
user names and passwords, when setting up the link. Furthermore, the
dial-in server uses the login option of PAP. Therefore,
the callers' PAP user names and passwords must correspond exactly
to their UNIX user names and passwords in the dial-in server's password
After the PPP link is established, the caller's packets are
forwarded to the router. The router forwards the transmission to its
destination on the corporate network or on the Internet.
Example of a Configuration Using CHAP Authentication
The tasks in Configuring CHAP Authentication show how to set up CHAP authentication. The procedures use
as an example a CHAP scenario to be created for the fictitious LocalCorp
that was introduced in Example
of a Configuration for a Leased-Line Link.
LocalCorp provides connectivity to the Internet over a leased
line to an ISP. The Technical Support department within LocalCorp
generates heavy network traffic. Therefore, Technical Support requires
its own, isolated private network. The department's field technicians
travel extensively and need to access the Technical Support network
from remote locations for problem-solving information. To protect
sensitive information in the private network's database, remote callers
must be authenticated in order to be granted permission to log in.
Therefore, the system administrators implement
the following CHAP authentication scenario for a dial-up PPP configuration.
Figure 2-4 Example of a CHAP Authentication Scenario (Calling a Private Network)
The only link from the Technical Support network to the outside
world is the serial line to the dial-in server's end of the link.
The system administrators configure the laptop computer of each field
service representative for PPP with CHAP security, including a CHAP
secret. The chap-secrets database on the dial-in server contains the
CHAP credentials for all machines that are allowed to call in to the
Technical Support network.
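
The following sketch is an added example, not part of the original documentation. It shows how a dial-in server could check a caller's CHAP response against entries in the chap-secrets layout (client, server, secret, addresses), using the MD5 computation defined in RFC 1994. The names fieldtech1, fieldtech2 and dialin-srv and the secrets are constructed placeholders.

```python
import hashlib
import hmac
import os
import shlex

# Constructed sample in chap-secrets layout; names and secrets are placeholders.
CHAP_SECRETS = '''
# client      server      secret              IP addresses
fieldtech1    dialin-srv  "example-secret-1"  *
fieldtech2    dialin-srv  "example-secret-2"  *
'''

def load_secrets(text):
    """Parse chap-secrets text into {(client, server): secret bytes}."""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # drops '#' comments and quotes
        if len(fields) >= 3:
            table[(fields[0], fields[1])] = fields[2].encode()
    return table

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def new_challenge():
    """Server side: fresh identifier and unpredictable challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)

def verify(table, server, client, identifier, challenge, response):
    """Server side: recompute the expected value for the claimed client name."""
    secret = table.get((client, server))
    if secret is None:
        return False  # caller is not listed for this server
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    table = load_secrets(CHAP_SECRETS)
    ident, challenge = new_challenge()
    # The caller's laptop answers with its local copy of the shared secret;
    # only the hash crosses the link, never the secret itself.
    good = chap_response(ident, b"example-secret-1", challenge)
    bad = chap_response(ident, b"wrong-secret", challenge)
    later_ident, later_challenge = new_challenge()
    return (
        verify(table, "dialin-srv", "fieldtech1", ident, challenge, good),
        verify(table, "dialin-srv", "fieldtech1", ident, challenge, bad),
        # A captured response does not satisfy a later challenge.
        verify(table, "dialin-srv", "fieldtech1", later_ident, later_challenge, good),
    )
```

Because the secret is stored in recoverable form on both ends, the chap-secrets file on the dial-in server and on each laptop should be readable only by root.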