
Configuring the PPP Password Authentication Protocol

For interfaces with PPP encapsulation, you can configure interfaces to support the Password Authentication Protocol (PAP), as defined in RFC 1334, PPP Authentication Protocols. If authentication is configured, the PPP link negotiates the use of CHAP or PAP for authentication during the Link Control Protocol (LCP) negotiation phase. PAP itself is performed only after the link establishment phase (LCP up), as part of the authentication phase.

During authentication, the PPP link sends a PAP authentication-request packet to the peer with an ID and password. The authentication-request packet is sent every 2 seconds, similar to the CHAP challenge, until a response is received (an acknowledgment packet or a nonacknowledgment packet). If an acknowledgment packet is received, the PPP link transitions to the next state, the network phase. If a nonacknowledgment packet is received, an LCP terminate request is sent, and the PPP link goes back to the link establishment phase. If no response is received, and an optional retry counter is set to true, a new request acknowledgment packet is resent. If the retry counter expires, the PPP link transitions to the LCP negotiate phase.

You can configure the PPP link with PAP in passive mode. By default, when PAP is enabled on an interface, the interface always sends authenticate-request packets to the peer, and requires that the peer acknowledge the authenticate-request packets. In passive mode, the router with the PPP link configured for PAP authenticates any incoming connections, but will not require the peer to authenticate its connection.

Both CHAP and PAP authentication can be configured on a PPP interface. If both are configured, CHAP is negotiated first. If CHAP authentication fails, PAP authentication is negotiated.

To enable PAP, you must create an access profile, and you must configure the interfaces to use PAP.

To configure a PAP access profile, include the profile statement and specify a profile name at the [edit access] hierarchy level:

[edit access]
profile profile-name {
    client name;
    pap-password password;
}

For more information about configuring access profiles, see the JUNOS System Basics Configuration Guide.

When you configure an interface to use PAP, you must assign an access profile to the interface. When an interface receives PAP authentication requests, the access profile in the packet is used to look up the password.

If no matching access profile is found for the PAP authentication request that was received by the interface, the optionally configured default PAP password is used. For information about configuring the default PAP password, see Configuring PPP PAP Authentication.
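The exchange and password lookup described above, as an added Python model that is not part of the original documentation or of JUNOS: it encodes and decodes the RFC 1334 authenticate-request, answers it with an acknowledgment or nonacknowledgment, and shows that the password travels in the packet unencrypted. The client name, passwords, and the choice to key the profile lookup on the peer ID in the packet are assumptions made for illustration.

```python
import hmac
import struct

# PAP packet codes defined in RFC 1334.
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3

def build_request(ident, peer_id, password):
    """Encode an authenticate-request: code, ID, length, then two length-prefixed fields."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQUEST, ident, 4 + len(body)) + body

def parse_request(pkt):
    """Decode an authenticate-request, rejecting truncated or inconsistent lengths."""
    if len(pkt) < 6:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQUEST or not 6 <= length <= len(pkt):
        raise ValueError("not a well-formed authenticate-request")
    data = pkt[4:length]
    id_len = data[0]
    if id_len + 2 > len(data):
        raise ValueError("peer ID overruns packet")
    pw_len = data[1 + id_len]
    if id_len + 2 + pw_len != len(data):
        raise ValueError("password length does not match packet length")
    return ident, data[1:1 + id_len], data[2 + id_len:]

def authenticate(pkt, profile, default_password=None):
    """Authenticator side: answer a request with an ack or nak packet."""
    ident, peer_id, password = parse_request(pkt)
    # Assumed lookup: profile keyed by peer ID, else the default PAP password.
    expected = profile.get(peer_id, default_password)
    ok = expected is not None and hmac.compare_digest(password, expected)
    # Reply layout: code, same ID, length 5, and an empty length-prefixed message.
    return struct.pack("!BBHB", AUTH_ACK if ok else AUTH_NAK, ident, 5, 0)

def next_phase(reply):
    """Map the reply code to the PPP phase the link moves to."""
    return "network" if reply[0] == AUTH_ACK else "link-establishment"

# Constructed sample data: a one-client access profile and two requests.
PROFILE = {b"branch-rtr": b"example-secret"}
GOOD = build_request(1, b"branch-rtr", b"example-secret")
BAD = build_request(2, b"branch-rtr", b"wrong-guess")
```

Because the password bytes appear verbatim in the request, anyone able to capture the link during the authentication phase can read them, which is why CHAP is negotiated first when both are configured.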

To configure PPP PAP on a physical interface with PPP encapsulation, include the pap statement at the [edit interfaces interface-name ppp-options] hierarchy level:

[edit interfaces interface-name ppp-options]
pap {
    access-profile name;
    local-name name;
    local-password password;
    passive;
}

To configure PPP PAP on a logical interface with PPP encapsulation, include the pap statement with options:

pap {
    default-pap-password password;
    local-name name;
    local-password password;
    passive;
}

You can include these statements at the following hierarchy levels:

For more information about configuring PAP for logical interfaces, see Configuring PPP PAP Authentication. For information about configuring tracing operations for PPP, see Tracing Operations of the pppd Process.

On each physical interface with PPP encapsulation, you can perform one of the following tasks:

