Configure PPP Challenge Handshake Authentication Protocol

For interfaces with PPP encapsulation, you can configure interfaces to support PPP Challenge Handshake Authentication Protocol (CHAP), as defined in RFC 1994. When you enable CHAP on an interface, the interface can authenticate its peer and can be authenticated by its peer.

By default, PPP CHAP is disabled. If CHAP is not explicitly enabled, the interface makes no CHAP challenges and denies all incoming CHAP challenges. To enable CHAP, you must create an access profile, and you must configure the interfaces to use CHAP.

To configure a CHAP access profile, include the profile statement and specify a profile name at the [edit access] hierarchy level:

[edit access]

profile profile-name {

    client name chap-secret data;

}

For more information about configuring access profiles, see the JUNOS Internet Software Configuration Guide: Getting Started.

When you configure an interface to use CHAP, you must assign an access profile to the interface. When an interface receives CHAP challenges and responses, the access profile in the packet is used to look up the shared secret, as defined in RFC 1994.

To configure PPP CHAP on an interface with PPP encapsulation, include the chap statement at the [edit interfaces interface-name ppp-options] hierarchy level:

[edit interfaces interface-name ppp-options]

chap {

    access-profile name;

    local-name name;

    passive;

}

On each interface with PPP encapsulation, you can configure the following PPP CHAP properties:

• Assign an Access Profile to an Interface
• Configure the Local Name
• Configure Passive Mode

When you configure PPP over ATM or Multilink PPP over ATM encapsulation, you can enable CHAP on the logical interface. For more information, see Configure PPP over ATM 2 Encapsulation.