Configuring PPP Authentication

Perform the following optional tasks to configure PPP authentication:

• Specify one or more PPP authentication types, and select an authentication virtual router context.
• Specify the CHAP challenge length.
• Specify the maximum number of retries.

  Note: The JUNOSe software’s PPP application accepts null usernames during PAP and CHAP authentication. When the PPP application receives an authentication request that includes a null username, PPP passes the request to AAA. To take advantage of this feature, configure your authentication server to support the use of null usernames.

ppp authentication

• Use to request authentication from a PPP peer and set the authentication method.
• To specify the name of a virtual router (VR) to be used as the authentication VR context, use the virtual-router keyword. Keep the following points in mind when you use the ppp authentication virtual-router command:
  • When you specify a VR in the ppp authentication command, AAA does not query the domain map for the assigned VR context. Instead, AAA uses the VR specified in the ppp authentication command as the authentication VR context and issues the authentication request to the authentication server in the assigned VR context.
  • If you specify the default VR as the authentication VR context, AAA loosely binds the user to the default VR. This means that RADIUS can override the default VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies the default VR, AAA returns either the default VR or the VR specified by RADIUS.
  • If you specify a VR other than the default VR as the authentication VR, AAA tightly binds the user to the specified VR. This means that RADIUS cannot override the specified VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies a nondefault VR, AAA returns the specified VR.
• The router supports the MD5 authentication algorithm for CHAP authentication.
• You can specify one or more authentication protocols in order of preference. If the peer router refuses the first choice, then the local router requests the next authentication protocol, if specified. If the peer refuses that protocol, then the local router requests the third protocol, if specified. If the peer refuses all specified authentication protocols, then the local router terminates the session.
• Example 1—Specifies the order of preference for the primary authentication protocol

  host1(config-if)#ppp authentication pap chap eap

  The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to use CHAP, the router requests the EAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.

• Example 2—Specifies a virtual router for the authentication virtual router context

  host1(config-if)#ppp authentication virtual-router boston pap chap

  This command is available in static configurations and in profiles.

• Example 3—Configures only EAP on a static PPP interface

  host1(config)#interface atm 3/2.100

  host1(config-subif)#ppp authentication eap

• Example 4—Configures EAP or PAP on a static PPP interface

  host1(config)#interface atm 3/2.100

  host1(config-subif)#ppp authentication eap pap

  EAP negotiation is attempted first. If PPP receives a NAK from the peer in response to the EAP request, then PAP is attempted. If PAP is also rejected, then PPP terminates the session.

• Example 5—Configures only EAP on a dynamic PPP interface

  host1(config)#profile ppptest

  host1(config-profile)#ppp authentication eap

• Example 6—Configures EAP or CHAP or PAP on a dynamic PPP interface

  host1(config)#profile ppptest

  host1(config-profile)#ppp authentication eap chap pap

  In this example, the router first attempts EAP negotiation. If PPP receives a NAK from the peer in response to the EAP request, then the router attempts CHAP negotiation. If PPP receives a NAK from the peer in response to the CHAP request, then the router attempts PAP negotiation. If PAP is also rejected, then PPP terminates the session.

• Use the no version to specify that the router does not require authentication.
• See ppp authentication.

ppp chap-challenge-length

• Use to modify the length of the CHAP challenge by specifying the allowable minimum length and maximum length.
• Specify the minimum and maximum lengths in bytes in the range 8–63.

  Caution: Do not decrease the range. Increasing the range is acceptable, provided that you do not lower the minimum to do so. The recommended minimum is 16. A longer challenge and a more unpredictable challenge length provide a higher level of security.

• The maximum length must be greater than or equal to the minimum length.
• Example

  host1(config-if)#ppp chap-challenge-length 24 28

• Use the no version to restore the default minimum (16 bytes) and default maximum (32 bytes).
• See ppp chap-challenge-length.

ppp max-bad-auth

• Use to specify the maximum number of authentication retries the router allows before terminating a PPP session
• This value applies to PAP and CHAP authentication.
• The range is 0–7. The default is 0, which indicates that no retries are allowed.
• Example

  host1(config-if)#ppp max-bad-auth 3

• Use the no version to return the number of retries to the default, 0.
• See ppp max-bad-auth.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.