Technical Documentation
New
Requesting Authentication from a PPP Peer
You can optionally request for authentication from a PPP peer and set the authentication method. The order of preference of the authentication protocol depends on the order in which you specify the authentication protocol in the command line. If the peer refuses the first authentication protocol, the router requests the second authentication protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
You can also specify the authentication virtual router context. You can request for authentication from a PPP peer from the Interface Configuration Mode, the Subinterface Configuration Mode and the Profile Configuration Mode.
 | Note: When you specify a VR in the ppp authentication command, AAA does not query the domain map for the assigned VR context. Instead, AAA uses the VR specified in the ppp authentication command as the authentication VR context and issues the authentication request to the authentication server in the assigned VR context. If you specify the default VR as the authentication VR context, AAA loosely binds the user to the default VR. This means that RADIUS can override the default VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies the default VR, AAA returns either the default VR or the VR specified by RADIUS. If you specify a VR other than the default VR as the authentication VR, AAA tightly binds the user to the specified VR. This means that RADIUS cannot override the specified VR context with a new VR context during the authentication process. When the ppp authentication virtual-router command specifies a nondefault VR, AAA returns the specified VR. |
To specify the order of preference for the primary authentication protocol:
- (Optional) From the Interface Configuration mode, specify
the following command:host1(config-if)#ppp authentication pap chap eap
Use the no version to specify that the router does not require authentication.
The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to use CHAP, the router requests the EAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
To specify a virtual router for the authentication virtual router context:
- (Optional) From the Interface Configuration mode, specify
the following command:host1(config-if)#ppp authentication virtual-router boston pap chap
Use the no version to specify that the router does not require authentication.
This command is available in static configurations and in profiles.
To configure EAP as the only authentication protocol on a static PPP interface:
- (Optional) From the Global Configuration mode, specify
the following command:host1(config)#interface atm 3/2.100
- (Optional) From the Subinterface Configuration mode, specify
the following command:host1(config-subif)#ppp authentication eap
Use the no version to specify that the router does not require authentication.
To configure EAP as the only authentication protocol on a dynamic PPP interface:
- (Optional) From the Global Configuration mode, specify
the following command:host1(config)#profile ppptest
- (Optional) From the Profile Configuration mode, specify
the following command:host1(config-profile)#ppp authentication eap
Use the no version to specify that the router does not require authentication.
