| PAP and CHAP operate somewhat similarly. PAP will send the password over
the net in the clear, whereas CHAP will not. The process is a challenge
and reply exchange: one node challenges the other, the reply being
the password or secret (PAP or CHAP). Both sides need to know what
the password or secret is to verify authenticity. Ergo, you could set
it up one of two ways: both sides with the local and remote IDs,
along with the passwords or secrets; or
with the server set up to authenticate, so that clients calling in
must know the server's ID and secret/password.
Bob
|
| Andreas,

The documentation for V2 is confusing on this point and I am rewriting
it for V3.

If you consider two routers - Station A and Station B trying to set up
a call with authentication in one direction only, enabled on Station A:

With PAP, if Station A requests authentication, Station B responds
with its LOCAL ID/PASSWORD. Station A will compare these values with
its REMOTE ID/PASSWORD, and if they are the same the call will be
accepted. This means that if you enable PAP authentication on one
router, it is up to the other router to reply with its local
password/id.

With CHAP, if Station A requires authentication, it sends an
authentication challenge to Station B, which builds a response based
on its REMOTE ID/PASSWORD. Station A verifies this response
by comparing it with the results it gets from its LOCAL ID/PASSWORD.

You can see that PAP and CHAP use the LOCAL/REMOTE ID and Password
differently. Another difference is that the ID and PASSWORD are
encrypted for CHAP, but are sent clear for PAP.

The PAP authentication procedure is only run when the call is being set
up, but with CHAP, authentication challenges may be sent out
periodically. The end result is that CHAP provides a more secure
verification than PAP.

I hope this explanation helps.

Steve Peters
DRS Technical Writer.
|
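
An added illustration of the difference discussed in this thread (not code from either poster or from the router documentation): it builds a PAP request per RFC 1334 and a CHAP response per RFC 1994, where the CHAP reply is MD5 over identifier, secret and challenge, and reports what a passive observer of each exchange sees and whether an old CHAP reply passes a later re-challenge. The station ID and secret are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (assumptions, not values from the thread).
STATION_B_ID = b"station-b"
SHARED_SECRET = b"example-secret"


def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """Data of a PAP Authenticate-Request: length-prefixed ID and password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_verify(request: bytes, expected_id: bytes, expected_pw: bytes) -> bool:
    """Authenticator side: parse the request and compare with stored values."""
    id_len = request[0]
    peer_id = request[1:1 + id_len]
    pw_len = request[1 + id_len]
    password = request[2 + id_len:2 + id_len + pw_len]
    return peer_id == expected_id and hmac.compare_digest(password, expected_pw)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator recomputes the hash from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    pap_wire = pap_request(STATION_B_ID, SHARED_SECRET)
    # Station A issues a fresh random challenge; Station B answers it.
    ident1, chal1 = 1, os.urandom(16)
    resp1 = chap_response(ident1, SHARED_SECRET, chal1)
    chap_wire = bytes([ident1]) + chal1 + resp1  # all a passive observer sees
    # A later periodic re-challenge uses a new identifier and challenge.
    ident2, chal2 = 2, os.urandom(16)
    return {
        "pap_accepts": pap_verify(pap_wire, STATION_B_ID, SHARED_SECRET),
        "pap_leaks_secret": SHARED_SECRET in pap_wire,
        "chap_accepts": chap_verify(ident1, SHARED_SECRET, chal1, resp1),
        "chap_leaks_secret": SHARED_SECRET in chap_wire,
        "old_reply_passes_rechallenge":
            chap_verify(ident2, SHARED_SECRET, chal2, resp1),
    }
```

Both exchanges authenticate Station B, but only the PAP bytes contain the secret, and the earlier CHAP reply fails once the authenticator issues a new challenge.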