Specifications
Chapter 1. Router Concepts 23
Authentication Process
The authentication process occurs regardless of whether a remote router connects to the local router or vice versa,
and even if the remote end does not request authentication. It is a bi-directional process, where each end can
authenticate the other using the protocol of its choice (provided the other end supports it).
During link negotiation (LCP), each side of the link negotiates which protocol to use for authentication during the
connection. If both the local router and the remote router have PAP authentication configured, then they negotiate
PAP authentication.
Otherwise, the router always requests CHAP authentication first; if CHAP is refused, PAP will be negotiated. If
the remote end does not accept either PAP or CHAP, the link is dropped; i.e., the router will not communicate
without a minimum security level. On the other hand, the router will accept any authentication scheme required by
the remote node, including no authentication at all.
During the authentication phase, each side of the link can request authentication using the method it negotiated
during LCP.
For CHAP, the router issues a CHAP challenge request to the remote side. The challenge includes the system
name and a random number. The remote end, using the hash algorithm associated with CHAP, transforms the name
and number into a response value. When the remote end returns the challenge response, the router validates the
response value against the entry in the remote router database. If the response is invalid, the call is
disconnected. If the other end negotiated CHAP, the remote end can similarly request authentication from the
local router; the router then uses its system name and password to respond to the CHAP challenge.
For PAP, when a PAP login request is received from the remote end, the router checks the remote router PAP
security using the remote router database. If the remote router is not in the remote router database or the remote
router password is invalid, the call is disconnected. If the remote router and password are valid, the local router
acknowledges the PAP login request.
If PAP was negotiated by the remote end for the remote-side authentication, the router will issue PAP login
requests only if it knows the identity of the remote end. The identity is known if the call was initiated from the
router, or if the remote end returned a successful CHAP challenge response. For security reasons, the router will
never identify itself using PAP without first knowing the identity of the remote router.
If PAP was negotiated by the remote end for the local side of the authentication process and the minimum security
level is CHAP, as configured in the remote router database, the link will be dropped for a security violation.
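The CHAP validation described above, together with the PAP minimum-security check, as an added illustration that is not code from the router's firmware or this manual. The remote router database, the router names and the passwords are constructed sample values; the response computation follows the standard CHAP MD5 definition (Response = MD5(Identifier || secret || Challenge)).

```python
import hashlib
import hmac
import os

# Constructed sample remote router database (name -> remote authentication
# password and configured minimum security level). Not real configuration data.
REMOTE_ROUTER_DB = {
    "branch1": {"password": b"branch1-sample-secret", "min_security": "CHAP"},
    "branch2": {"password": b"branch2-sample-secret", "min_security": "PAP"},
}


def make_challenge(local_name: str, identifier: int):
    """Local router builds a CHAP challenge: identifier, random value, system name."""
    return identifier, os.urandom(16), local_name


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the remote end computes from the challenge and its password."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_chap(remote_name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Validate a CHAP response with the remote router database entry.
    False means the call is disconnected."""
    entry = REMOTE_ROUTER_DB.get(remote_name)
    if entry is None:
        return False  # unknown remote router
    expected = chap_response(identifier, entry["password"], challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def verify_pap(remote_name: str, password: bytes) -> bool:
    """Check a PAP login request. Refused if the remote router is unknown, the
    password is wrong, or the database requires at least CHAP (security violation)."""
    entry = REMOTE_ROUTER_DB.get(remote_name)
    if entry is None:
        return False
    if entry["min_security"] == "CHAP":
        return False  # PAP negotiated but minimum security level is CHAP: drop link
    return hmac.compare_digest(entry["password"], password)


if __name__ == "__main__":
    ident, rand, _name = make_challenge("hq-router", identifier=7)
    resp = chap_response(ident, REMOTE_ROUTER_DB["branch1"]["password"], rand)
    print("branch1 CHAP ok:", verify_chap("branch1", ident, rand, resp))
    print("branch1 PAP allowed:", verify_pap("branch1", b"branch1-sample-secret"))
```

Because CHAP hashes the shared password itself, both routers must hold it in recoverable form, so protecting the remote router database is part of the scheme's security.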
Security Passwords and Levels
When configuring the router, you may set the following passwords:
• System authentication password - the default system password used to access any remote router. Remote
sites use this password to authenticate the local site.
• System override password - optional password used only to connect to a specific remote router for
authentication by that remote site.
• Remote authentication password - password used by the router to authenticate the remote site. Each remote
router entered in the remote router database has a password used when the remote site attempts to gain access
to the local router.
To specify a unique system override password for a remote router, use the command remote SetOurPasswd
(page 282). This password is used instead of the general system password only for connecting to a specific remote