Product specifications
Efficient Networks® Router family
Technical Reference Guide
Chapter 5: System Security
Page 5-21
During link negotiation (LCP), each side of the link negotiates which protocol to use
for authentication during the connection.
NOTE: If desired, you can override the negotiation of an authentication protocol and
force the local router to use the designated protocol. To designate PAP or CHAP, use
the system authen command.
If both routers have PAP authentication, then they negotiate PAP authentication.
Otherwise, the local router always requests CHAP authentication first; if CHAP is
refused, PAP is requested. If the remote does not accept either PAP or CHAP, the link
is dropped; i.e., the router does not communicate without a minimum security level.
On the other hand, the local router does accept any authentication scheme required
by the remote, including no authentication at all.
CHAP Authentication
For CHAP, the router issues a CHAP challenge request to the remote side. The
challenge includes the system name and a random number. The remote end, using a
hash algorithm, transforms the name and number into a response value. When the
remote end returns the challenge response, the router validates the response
value against the entry in the remote router database. If the response is
invalid, the call is disconnected.
If the other end negotiated CHAP, the remote end can, similarly, request
authentication from the local router. The router uses its system name and password to
respond to the CHAP challenge.
Figure 5-2: CHAP Authentication
[Figure: CHAP exchange between the routers Chicago and New York.
Chicago: System Name=Chicago, System Password=abc; Remote Router Database: Remote=New York, Password=xyz.
New York: System Name=New York, System Password=xyz; Remote Router Database: Remote=Chicago, Password=abc.
Message labels: "Challenge"; "New York & encrypted number"; "Chicago & encrypted secret"; "Accepted/Rejected".
Annotations: "Hashes random number and secret “abc”"; "Performs same hash with number and secret “abc” and compares results".]
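
The exchange in Figure 5-2 with New York as the challenger, as an added example that is not taken from the guide or from the router firmware. The guide does not name the hash algorithm; this sketch assumes the RFC 1994 construction, MD5(identifier || secret || challenge), and the function names and message dictionaries are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed from Figure 5-2: New York's remote router database.
REMOTE_DB = {"Chicago": b"abc"}

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Assumed RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def issue_challenge(identifier: int) -> dict:
    """Challenger side: its own system name plus a fresh random number."""
    return {"id": identifier, "name": "New York", "value": os.urandom(16)}

def answer_challenge(challenge: dict, system_name: str, system_password: bytes) -> dict:
    """Remote side: hash the random number with the local system password."""
    value = chap_response(challenge["id"], system_password, challenge["value"])
    return {"id": challenge["id"], "name": system_name, "value": value}

def validate(challenge: dict, response: dict) -> bool:
    """Challenger side: repeat the hash with the database secret and compare."""
    secret = REMOTE_DB.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False  # unknown remote or mismatched exchange: disconnect
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])  # constant-time compare

def demo() -> dict:
    c1 = issue_challenge(1)
    good = answer_challenge(c1, "Chicago", b"abc")
    bad = answer_challenge(c1, "Chicago", b"wrong")
    c2 = issue_challenge(2)
    stale = dict(good, id=c2["id"])  # earlier response value, later challenge
    return {
        "accepted": validate(c1, good),
        "wrong_password": validate(c1, bad),
        "unknown_remote": validate(c1, answer_challenge(c1, "Boston", b"abc")),
        "stale_response": validate(c2, stale),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'Accepted' if ok else 'Rejected'}")
```

The stale_response case shows why the random number matters: a response value computed for one challenge does not validate against the next one.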