[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Authentication

Perform the following optional tasks to configure authentication on interfaces with MLPPP encapsulation or MLPPP bundles.

Specify one or more PPP authentication types.
Modify the length of the CHAP challenge.

Specify the maximum number of retries.

Note: The JUNOSe software’s PPP application accepts null usernames during PAP and CHAP authentication. When the PPP application receives an authentication request that includes a null username, PPP passes the request to AAA. To take advantage of this feature, configure your authentication server to support the use of null usernames.

ppp authentication

Use to require authentication from the PPP peer.
To specify the name of a virtual router (VR) to be used as the authentication VR context, use the virtual-router keyword. Keep the following points in mind when you use the ppp authentication virtual-router command:
- When you specify a VR in the ppp authentication command, AAA does not query the domain map for the assigned VR context. Instead, AAA uses the VR specified in the ppp authentication command as the authentication VR context and issues the authentication request to the authentication server in the assigned VR context.
- If you specify the default VR as the authentication VR context, AAA loosely binds the user to the default VR. This means that RADIUS can override the default VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies the default VR, AAA returns either the default VR or the VR specified by RADIUS.
- If you specify a VR other than the default VR as the authentication VR, AAA tightly binds the user to the specified VR. This means that RADIUS cannot override the specified VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies a nondefault VR, AAA returns the specified VR.
The router supports the MD5 authentication algorithm for CHAP authentication.
Example 1—Specify PAP or CHAP as the primary authentication protocol, and the other authentication protocol as the alternative. For example, the following command specifies pap as the primary authentication protocol and chap as the alternate.host1(config-if)#ppp authentication pap chap
The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
Example 2—Specify a virtual router for the authentication virtual router context. This command is available in static configurations and in profiles. host1(config-if)#ppp authentication virtual-router boston pap chap
Use the no version to specify that the router does not require authentication.
See ppp authentication.

ppp chap-challenge-length

Use to modify the length of the CHAP challenge by specifying the allowable minimum length and maximum length.

Caution: Do not use the ppp chap-challenge-length command; increasing the minimum length (from the default 16 bytes) or decreasing the maximum length (from the default 32 bytes) reduces the security of your router.

Specify the minimum and maximum lengths in bytes in the range 8–63.
The maximum length must be greater than or equal to the minimum length.
Examplehost1(config-if)#ppp chap-challenge-length 24 28
Use the no version to restore the default minimum (16 bytes) and default maximum (32 bytes).
See ppp chap-challenge-length.

ppp max-bad-auth

Use to specify the maximum number of authentication retries the router allows before terminating a PPP session
This value applies to PAP and CHAP authentication.
The range is 0–7. The default is 0, which indicates that no retries are allowed.
Examplehost1(config-if)#ppp max-bad-auth 3
Use the no version to return the number of retries to the default, 0.
See ppp max-bad-auth.

[Contents] [Prev] [Next] [Index] [Report an Error]