Configure PPP Challenge Handshake Authentication Protocol

You can configure interfaces to support PPP Challenge Handshake Authentication Protocol (CHAP), as defined in RFC 1994. When CHAP is enabled, an interface with PPP encapsulation can authenticate its peer and can be authenticated by its peer.

By default, PPP CHAP is disabled. If CHAP is not explicitly enabled, the interface makes no CHAP challenges and denies all incoming CHAP challenges. To enable CHAP on links with PPP encapsulation, you must create a global mapping of link names and authentication data associated with those links, and you must create a per-interface configuration.

To create a global mapping of link names and authentication data, you configure access profiles using statements in the access hierarchy; for more information about configuring access profiles, see the JUNOS Internet Software Configuration Guide: Getting Started. The per-interface configuration includes a reference to an access profile. When a specified interface receives CHAP challenges and responses, the named access profile in the packet is used to look up the shared secret, as defined in RFC 1994.

To configure PPP CHAP on an interface with PPP encapsulation, include the chap statement at the [edit interfaces interface-name ppp-options] hierarchy level:

[edit interfaces interface-name ppp-options]

chap {

    access-profile name;

    local-name name;

    passive;

}

On each interface with PPP encapsulation, you can configure the following PPP CHAP properties:

• Assign an Access Profile to an Interface
• Configure the Local Name
• Configure Passive Mode