5. If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP
configuration options include IP addresses of the two ends, IP compression protocol, and DNS
server IP address. After the IPCP negotiation succeeds, the link can carry IP packets.
6. After the NCP negotiation is performed, the PPP link remains active until explicit LCP or NCP
frames close the link, or until some external events take place (for example, the intervention of
a user).
For more information about PPP, see RFC 1661.
PPP authentication
PPP provides authentication methods, which make it viable to implement AAA on PPP links.
Combined with AAA, PPP can authenticate supplicants, perform accounting for them, and assign IP
addresses to them based on the authentication.
PPP supports the following authentication methods:
• PAP—PAP is a two-way handshake authentication protocol using the username and password.
PAP sends passwords in plain text over the network. If authentication packets are intercepted in
transit, network security might be threatened. For this reason, it is suitable only for low-security
environments.
• CHAP—CHAP is a three-way handshake authentication protocol using ciphertext passwords.
Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP
authentication. In one-way CHAP authentication, the authenticator can be optionally configured
with a username. Hewlett Packard Enterprise recommends that you configure a username for
the authenticator, which makes it easier for the supplicant to verify the identity of the
authenticator.
CHAP transmits usernames but not passwords over the network. Instead of the password itself, it
transmits the result calculated from the password and random packet ID by using the MD5
algorithm. Therefore, it is more secure than PAP.
• MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.
MS-CHAP differs from CHAP as follows:
  ○ MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3, Authentication
  Protocol.
  ○ MS-CHAP provides authentication retry. With this mechanism, if the supplicant fails
  authentication, it is allowed to retransmit authentication information to the authenticator for
  reauthentication. The authenticator allows a supplicant to retransmit three times.
• MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.
MS-CHAP-V2 differs from CHAP as follows:
  ○ MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3,
  Authentication Protocol.
  ○ MS-CHAP-V2 provides two-way authentication by piggybacking a supplicant challenge on
  the Response packet and an authenticator response on the Acknowledge packet.
  ○ MS-CHAP-V2 supports authentication retry. With this mechanism, if the supplicant fails
  authentication, it is allowed to retransmit authentication information to the authenticator for
  reauthentication. The authenticator allows a supplicant to retransmit three times.
  ○ MS-CHAP-V2 supports password changing. If the supplicant fails authentication because of
  an expired password, it will send the new password entered by the user to the authenticator
  for reauthentication.
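The following added example (not part of the original guide) parses the option list of an LCP Configure-Request and names the authentication method requested in option 3, which is how a capture can be checked for links that still negotiate PAP. The 0x80 and 0x81 algorithm values are the ones given above; the protocol numbers 0xC023 (PAP) and 0xC223 (CHAP) and the MD5 algorithm value 0x05 are taken from RFC 1334 and RFC 1994, and the sample byte strings are constructed.

```python
# Authentication-Protocol values carried in LCP option 3 (RFC 1334, RFC 1994).
PAP, CHAP = 0xC023, 0xC223
# CHAP Algorithm byte: 0x05 is MD5 (RFC 1994); 0x80 and 0x81 are the values named above.
CHAP_ALGORITHMS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}


def parse_lcp_options(data: bytes):
    """Yield (type, value) for each type-length-value option in an LCP option list."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[offset], data[offset + 1]
        # The length field counts the type and length bytes themselves.
        if opt_len < 2 or offset + opt_len > len(data):
            raise ValueError(f"bad length {opt_len} for option {opt_type}")
        yield opt_type, data[offset + 2 : offset + opt_len]
        offset += opt_len


def classify_auth(options: bytes) -> str:
    """Name the authentication method requested in LCP option 3, if any."""
    for opt_type, value in parse_lcp_options(options):
        if opt_type != 3:
            continue
        if len(value) < 2:
            raise ValueError("Authentication-Protocol option too short")
        proto = int.from_bytes(value[:2], "big")
        if proto == PAP:
            return "PAP (plaintext password)"
        if proto == CHAP:
            if len(value) != 3:
                raise ValueError("CHAP option must carry one algorithm byte")
            return CHAP_ALGORITHMS.get(value[2], f"CHAP (unknown algorithm 0x{value[2]:02x})")
        return f"unknown protocol 0x{proto:04x}"
    return "none (no authentication requested)"


# Constructed option lists: MRU (type 1, value 1500) followed by option 3.
MRU = bytes.fromhex("010405dc")
SAMPLES = {
    "pap": MRU + bytes.fromhex("0304c023"),
    "chap": MRU + bytes.fromhex("0305c22305"),
    "mschap": MRU + bytes.fromhex("0305c22380"),
    "mschapv2": MRU + bytes.fromhex("0305c22381"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} -> {classify_auth(raw)}")
```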