
Call Authentication

Using public-switched data or telephone networks provides a high level of communication flexibility that is not possible with dedicated circuit data networks. You can quickly reconfigure WAN connections to support changes in network topology requirements without incurring the delays often experienced when working with external service providers.

However, along with this flexibility there is the potential for unauthorized access. Dedicated circuits implicitly ensure the identity of the connection peers because of the fixed circuit between local and remote systems. However, switched circuits introduce the possibility of call attempts by unauthorized remote systems. Anyone with a modem, phone number, and knowledge of the PPP data-link protocol can potentially establish a rogue connection to a router, and thereby gain access to the attached networks.

To provide protection against unauthorized router access over public-switched data or telephone networks, PPP uses the optional authentication protocols described in the next section.


Authentication Protocols

The PPP protocol specification defines two authentication protocols to protect against unauthorized access: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). During the link establishment phase, a PPP node can request that its data-link peer provide authentication information using one of these authentication protocols. If the remote peer does not agree to provide the requested authentication information, the PPP link is not established. If the peer does agree, the link establishment phase is completed and the authentication phase is entered.

Using the previously negotiated authentication protocol, information is exchanged between the two peers, allowing the local system to authenticate the remote peer. Successful authentication allows the peers to proceed to the NCP negotiation phase. Authentication failure results in termination of the link and the physical circuit.

PAP was the initial mechanism specified by PPP for peer identification. It defines the exchange of peer ID/password pairs that are validated by the node requesting authentication of the remote peer. Upon receipt by the requesting node, the ID/password pair is compared against a local list of authorized ID/password pairs. A match results in successful authentication and allows the node to proceed with NCP negotiation. A mismatch results in termination of the link and the physical circuit.

CHAP was developed to overcome a deficiency in PAP: the password is sent over the link in clear text. CHAP addresses this problem by maintaining a common secret at both peer systems. One system issues a challenge sequence that must be transformed using the secret and returned to the challenging peer; the secret itself never crosses the link. The challenging system validates the response sequence by applying its own copy of the secret to the original challenge and comparing the result to the response sequence. Authentication successes and failures are processed similarly to PAP.


Inbound Authentication

With NetWare Link/PPP, you can configure either PAP or CHAP as the inbound call authentication protocol type for each interface. The system maintains one or more user-configured authentication databases. The database contains entries for each authorized peer represented as ID/password pairs for PAP and ID/secret pairs for CHAP. In both cases, the ID portion, which is exchanged by the over-the-wire protocol, specifies the remote system ID. The remote system ID is used as a database key to access the associated password or secret.
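The following is an added example, not code from Novell or from the NetWare Link/PPP product. It models the PAP and CHAP validation described in the Authentication Protocols section and the ID-keyed inbound authentication database described above: the remote system ID is the lookup key, PAP compares the transmitted password against the stored one, and CHAP recomputes the expected response (RFC 1994 MD5 algorithm: MD5 of identifier, secret and challenge) from the stored secret so the secret itself is never sent. The dictionary database, the entry names and the helper functions are assumptions for illustration; the page does not describe the on-disk format of the PPP-AUTH database.

```python
import hashlib
import hmac
import os

# Constructed sample inbound authentication database keyed by remote system ID.
# Assumption: a plain dict standing in for the page's PPP-AUTH database; the
# real NetWare storage format is not described on the page.
AUTH_DB = {
    "branch-router": {"pap_password": "pap-pw-1", "chap_secret": b"chap-secret-1"},
    "hq-router": {"pap_password": "pap-pw-2", "chap_secret": b"chap-secret-2"},
}


def pap_authenticate(db, peer_id, password):
    """PAP: the peer sends its ID/password pair in clear text; the
    authenticator looks the ID up and compares the password."""
    entry = db.get(peer_id)
    if entry is None:
        return False  # unknown remote system ID: terminate the link
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(entry["pap_password"].encode(), password.encode())


def chap_challenge(challenge_len=16):
    """Authenticator side: a fresh one-octet identifier and a random challenge."""
    identifier = os.urandom(1)[0]
    return identifier, os.urandom(challenge_len)


def chap_response(identifier, secret, challenge):
    """Peer side (RFC 1994, MD5): Response = MD5(Identifier || secret || Challenge).
    Only the 16-byte digest is returned over the link, never the secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(db, peer_id, identifier, challenge, response):
    """Authenticator side: recompute the expected response from the secret
    stored for this remote system ID and compare it with the peer's answer."""
    entry = db.get(peer_id)
    if entry is None:
        return False
    expected = chap_response(identifier, entry["chap_secret"], challenge)
    return hmac.compare_digest(expected, response)


def run_inbound_call(db, peer_id, proto, pap_password=None, chap_secret=None):
    """Simulate the authentication phase of one inbound call. Returns True when
    the link may proceed to NCP negotiation, False when it is terminated."""
    if proto == "PAP":
        return pap_authenticate(db, peer_id, pap_password or "")
    if proto == "CHAP":
        identifier, challenge = chap_challenge()
        # The calling peer answers with its own copy of the shared secret.
        response = chap_response(identifier, chap_secret or b"", challenge)
        return chap_verify(db, peer_id, identifier, challenge, response)
    raise ValueError("unsupported authentication protocol: %r" % proto)


if __name__ == "__main__":
    print("PAP good:", run_inbound_call(AUTH_DB, "branch-router", "PAP", pap_password="pap-pw-1"))
    print("PAP bad: ", run_inbound_call(AUTH_DB, "branch-router", "PAP", pap_password="guess"))
    print("CHAP good:", run_inbound_call(AUTH_DB, "hq-router", "CHAP", chap_secret=b"chap-secret-2"))
    print("CHAP bad: ", run_inbound_call(AUTH_DB, "hq-router", "CHAP", chap_secret=b"wrong"))
    print("unknown ID:", run_inbound_call(AUTH_DB, "nobody", "CHAP", chap_secret=b"chap-secret-1"))
```

Because each call uses a fresh random challenge, a response captured from one CHAP exchange does not verify against a later challenge, which is the property that PAP's clear-text password lacks.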

By default, one inbound authentication database is maintained for all NetWare Link/PPP ports; however, you have the ability to specify alternative authentication databases on a per-port basis. This permits any number of ports to share a single database.

The NetWare Link/PPP port configuration allows the configuration of the authentication protocol type (None, PAP, CHAP, Either PAP or CHAP), the name of the authentication database (the default is PPP-AUTH), and the contents of the specified database.


Outbound Authentication

With NetWare Link/PPP, you can also configure PAP or CHAP as the outbound call authentication protocol type for each interface. Support for PAP and CHAP is provided by the Call Support Layer (CSL) WAN call destination entries, which allow specification of authentication information for outbound calls. This information includes the authentication type (None, PAP, CHAP, Either PAP or CHAP) and password or encrypted password, as appropriate.

For on-demand connections, you must configure outbound calls to specify an authentication protocol type, an ID, and a password. To accept inbound on-demand connections, you must configure the PPP interface to validate the authentication information supplied by the calling system. Using PAP or CHAP authentication is recommended for all permanent switched-circuit connections and is required for on-demand connections.


