Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide
PAP/CHAP Security Authentication
The router supports PAP (Password Authentication Protocol) and CHAP (Challenge
Handshake Authentication Protocol) under PPP.
Security authentication may not be required in a DSL environment because of the nature
of the connection (traffic occurs on a dedicated line/virtual circuit). However,
authentication may be specifically required by the remote end, the ISP, or the NSP.
When authentication is not required, security can be disabled with the remote
disauthen command.
PAP verifies passwords between routers using a two-way handshake. One router (the
peer) sends its system name and password, in clear text, to the other router. The
other router (the authenticator) checks the peer's password against the password
configured for that remote router in its Remote Router Database and returns an
acknowledgment (Accepted or Rejected).
CHAP is more secure than PAP because the password itself is never sent across the
network. CHAP uses a three-way handshake. One router (the authenticator) challenges
the other router (the peer) by generating a random number and sending it along with
its system name. The peer applies a one-way hash algorithm to the random number
together with the shared secret and returns the resulting hash along with its system
name.
The authenticator then runs the same algorithm and compares the result with the
expected value. This authentication method depends upon a password or secret known
only to the two ends. Two points follow from this: the challenge must be random and
not repeated, because a captured response is only valid for the challenge it answers;
and the authenticator must hold the peer's actual password (not a hash of it) in order
to recompute the expected value.
Authentication Process
The authentication process occurs regardless of whether a remote router connects to
the local router or vice versa, and even if the remote end does not request
authentication. It is a bi-directional process, where each end can authenticate the
other using the protocol of its choice (provided the other end supports it).
Figure 5-1: PAP Authentication (figure rendered as text)

Chicago                                  New York
  System Name=Chicago                      System Name=New York
  System Password=abc                      System Password=xyz
  Remote Router Database:                  Remote Router Database:
    Remote=New York, Password=xyz            Remote=Chicago, Password=abc

  1. New York -> Chicago: "New York" & "xyz" (its system name and system password)
  2. Chicago -> New York: Accepted / Rejected (after checking "xyz" against the
     password stored for Remote=New York)
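The following Python program is an added example, not part of this guide and not
Efficient Networks code. It simulates the PAP and CHAP exchanges described above
between the two routers of Figure 5-1 (Chicago/abc, New York/xyz), shows what an
eavesdropper on the line would see in each case, runs the bi-directional
authentication, and shows why a captured CHAP response cannot be replayed against a
fresh challenge. Assumptions: the CHAP hash is MD5 over (identifier || secret ||
challenge) as in RFC 1994, the peer answers with its own System Password, and the
authenticator looks the peer's name up in its Remote Router Database, which is how
the figure is drawn. The configuration data is constructed for the example.

```python
"""Simulated PPP PAP and CHAP exchanges between two routers (added example).

Assumptions (not stated by the guide): CHAP-MD5 per RFC 1994, i.e.
response = MD5(id || secret || challenge); the peer answers with its own
System Password; the authenticator looks the peer's name up in its
Remote Router Database, as in Figure 5-1.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str                                     # System Name
    password: str                                 # System Password this router presents
    remotes: dict = field(default_factory=dict)   # Remote Router Database: name -> password

    # ---- PAP: two-way handshake, the password travels in the clear ----
    def pap_request(self) -> dict:
        return {"name": self.name, "password": self.password}

    def pap_check(self, req: dict) -> bool:
        expected = self.remotes.get(req["name"])
        return expected is not None and hmac.compare_digest(expected, req["password"])

    # ---- CHAP: three-way handshake, only a hash of the secret travels ----
    def chap_challenge(self, ident: int = 1) -> dict:
        # The challenge must be random and unpredictable; a repeated challenge
        # would make a captured response replayable.
        return {"name": self.name, "id": ident, "challenge": os.urandom(16)}

    @staticmethod
    def _chap_digest(ident: int, secret: str, challenge: bytes) -> bytes:
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

    def chap_response(self, chal: dict) -> dict:
        return {"name": self.name, "id": chal["id"],
                "response": self._chap_digest(chal["id"], self.password, chal["challenge"])}

    def chap_verify(self, chal: dict, resp: dict) -> bool:
        # The authenticator recomputes the hash, so it needs the peer's plaintext
        # password from its remote database, not a stored hash of it.
        secret = self.remotes.get(resp["name"])
        if secret is None or resp["id"] != chal["id"]:
            return False
        expected = self._chap_digest(chal["id"], secret, chal["challenge"])
        return hmac.compare_digest(expected, resp["response"])


def pap_handshake(peer: Router, authenticator: Router):
    """Returns (accepted, wire); wire is every message an eavesdropper would see."""
    req = peer.pap_request()                           # 1. system name + password
    accepted = authenticator.pap_check(req)            # 2. Accepted / Rejected
    wire = [req, {"result": "Accepted" if accepted else "Rejected"}]
    return accepted, wire


def chap_handshake(peer: Router, authenticator: Router):
    chal = authenticator.chap_challenge()              # 1. system name + random number
    resp = peer.chap_response(chal)                    # 2. system name + hash
    accepted = authenticator.chap_verify(chal, resp)   # 3. compare with expected value
    wire = [chal, resp, {"result": "Accepted" if accepted else "Rejected"}]
    return accepted, wire


def mutual_chap(a: Router, b: Router) -> bool:
    """Bi-directional process: each end authenticates the other."""
    return chap_handshake(a, b)[0] and chap_handshake(b, a)[0]


def password_on_wire(wire, password: str) -> bool:
    """True if the clear-text password appears in any transmitted field."""
    return any(v == password for msg in wire for v in msg.values())


def replay_attack(peer: Router, authenticator: Router) -> bool:
    """Capture a valid CHAP response, then replay it against a fresh challenge."""
    chal1 = authenticator.chap_challenge()
    captured = peer.chap_response(chal1)
    chal2 = authenticator.chap_challenge()             # new random number
    return authenticator.chap_verify(chal2, captured)  # False: hash no longer matches


# Constructed configuration matching Figure 5-1
chicago = Router("Chicago", "abc", {"New York": "xyz"})
new_york = Router("New York", "xyz", {"Chicago": "abc"})

if __name__ == "__main__":
    ok, wire = pap_handshake(new_york, chicago)
    print("PAP accepted:", ok, "| password visible on wire:", password_on_wire(wire, "xyz"))
    ok, wire = chap_handshake(new_york, chicago)
    print("CHAP accepted:", ok, "| password visible on wire:", password_on_wire(wire, "xyz"))
    print("Mutual CHAP:", mutual_chap(chicago, new_york))
    print("Replayed CHAP response accepted:", replay_attack(new_york, chicago))
```

Running the program shows "xyz" on the wire for PAP but not for CHAP, both
directions succeeding under mutual CHAP, and the replayed response rejected because
the second challenge differs from the one the captured hash was computed over.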