User's guide

SFVRA Connection Manager
remote user sends this output of the hash function, along with its symbolic name, to the system in
a CHAP response.
Within the User Records entry for each remote device that will be authenticated via CHAP, the
system maintains the remote device's secret. The name in the remote device’s CHAP response is
used to locate the User Table entry, and consequently the secret used by the remote device. Using
the same hash function, the system computes the expected response value for the challenge with
that secret. If this matches the response value sent by the remote device, a successful authentication
has occurred. The system can optionally be configured to repeat the CHAP challenge process
periodically throughout the life of the connection. An invalid response to a CHAP challenge at any
time is deemed a security violation, which causes a switched link to be released.
The above process applies to the system’s authentication of the remote device. It is also possible that
the remote device may wish to authenticate the system itself, a desire that is also negotiated during
the LCP initialization of the link. Enabling CHAP via configuration also permits the system to agree
to be authenticated via CHAP during LCP negotiation. In the same manner that each remote user
has a name and secret, the system itself is configured with a system-wide name and secret that are
used to respond to CHAP challenges.
Note: When both CHAP and PAP are available for a user, configure the user for CHAP
authentication.
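
The challenge and response check described above, as an added example that is not taken from the guide or from the product's code. It assumes the MD5 form of CHAP from RFC 1334 (hash over the identifier octet, the secret and the challenge); the user table, device name and secret values are constructed.

```python
import hashlib
import hmac
import os

# Constructed user table: symbolic name -> shared CHAP secret (1 to 17 ASCII chars).
USER_TABLE = {"branch-router": b"s3cretForBranch"}


def chap_response(identifier, secret, challenge):
    """Assumed RFC 1334 MD5 form: hash of identifier octet + secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge():
    """Authenticator side: a fresh identifier and an unpredictable challenge."""
    return os.urandom(1)[0], os.urandom(16)


def verify(name, identifier, challenge, response):
    """Locate the secret by the name in the response, then compare hash values."""
    secret = USER_TABLE.get(name)
    if secret is None:
        return False  # no user table entry for this name
    expected = chap_response(identifier, secret, challenge)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, response)


def demo():
    """Run one exchange plus three failure cases; returns the four outcomes."""
    ident, challenge = new_challenge()
    # Remote device side: only the hash output and the name cross the link.
    good = chap_response(ident, b"s3cretForBranch", challenge)
    bad = chap_response(ident, b"wrong-secret", challenge)
    # Periodic re-challenge later in the connection uses a new random value,
    # so a response captured earlier no longer matches.
    ident2, challenge2 = new_challenge()
    return {
        "valid": verify("branch-router", ident, challenge, good),
        "wrong_secret": verify("branch-router", ident, challenge, bad),
        "unknown_name": verify("nobody", ident, challenge, good),
        "replayed": verify("branch-router", ident2, challenge2, good),
    }


if __name__ == "__main__":
    print(demo())
```

Any `False` result corresponds to the invalid response that the system treats as a security violation.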
NT AUTHENTICATION
The SFVRA Connection Manager provides the ability to authenticate remote users on the local
Windows NT server. The remote user must have an account established on the NT server in order
to be authenticated. The process of authentication does not establish a connection between the
remote user and the server. SFVRA-CONN merely uses the Windows NT security feature to verify
the remote user password.
Note: PAP Password Security must be enabled on both the CyberSWITCH and the remote user.
USER PASSWORD
This password is used by the PPP line protocol for PAP authentication, or by the CPP line protocol as
the bridge password. When used with PAP authentication, this is an unencrypted password value
(a string of 1 to 12 ASCII characters) used as a security check when PAP Password Security is
enabled. (PAP is an authentication protocol defined in RFC 1334 as part of the PPP protocol suite.)
When used as a bridge password, the password is a secondary security check. This password is
required when used for PAP authentication, but is optional for CPP authentication. At connection
establishment time, the calling party sends an unencrypted User identifier and password
combination over the WAN to the system. The system looks up the User Name based on the
received User identifier and validates the password for that User. If the password received matches
the password configured for the identified User, the call is accepted. Otherwise, the call is
disconnected.
CHAP SECRET
This field is used by the PPP line protocol for CHAP authentication. This is a string of 1 to 17 ASCII
characters that is used as a security check when CHAP Challenge Security is enabled. (CHAP is an
authentication protocol defined in RFC 1334 as part of the PPP protocol suite.) CHAP is
characterized by a highly secure challenge and response mechanism which is performed at
connection setup and which can optionally be repeated throughout the existence of the connection.
A shared CHAP Secret is configured for the devices at both ends of the connection. As opposed to
a password, a CHAP Secret is not sent across the link, and therefore is not susceptible to