
Conference irocz::common_brouters

Title: Digital Brouters Conference
Notice: New common-code brouter family: RouteAbout, DECswitch 900
Moderator: MARVIN::HARTLL
Created: Mon Jul 17 1995
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 929
Total number of notes: 3736

793.0. "PPP using CHAP authentication" by TAGEIN::AURAND () Tue Mar 11 1997 13:44

Hi,

I set up a PPP connection to an Ascend Router (over ISDN) using CHAP authentication
(like the one mentioned in 734.*).

Entry 734.9 says the following:
    
>    Given this, you are right. If you do not want the ASCEND router to
>    supply its ID and Password, then use "set lcp options" to set 
>    authentication to none.  Use "set authentication local pap" to define
>    the ID and Password which the RouteAbout will use to identify itself to
>    the ASCEND router.
 
Using CHAP I must 'local' and 'remote' because I had to use "set authentication
remote chap" to define the ID and Password which the RouteAbout will use to 
identify itself to the other router.

Is this a bug or a feature?  At least it is very confusing to use the 'same'
parameters in two different ways.

	Best regards

		Andreas

793.1. "exit" by IROCZ::PARTRIDGE () Tue Mar 11 1997 15:38 (13 lines)

    PAP and CHAP operate somewhat similarly. PAP will send the password over
    the net in the clear, whereas CHAP will not. The process is a challenge
    and reply exchange, one node challenging the other, the reply being
    the password or secret PAP or CHAP. Both sides need to know what
    the password or secret is to verify authenticity. Ergo you could set
    it up one of two ways: both sides with the local and remote IDs,
    along with the passwords or secrets, or
    
    with the server set up to authenticate, so that clients calling in
    must know the server's ID and secret/password.
    
    Bob
    
793.2. "Confused" by TAGEIN::AURAND () Wed Mar 12 1997 09:39 (10 lines)

    >> PAP and CHAP operate somewhat similar. PAP will send the password over
    >> the net in the clear. Whereas CHAP will not.
    
    But why is the LOCAL ID/LOCAL PASSWORD parameter used under PAP to
    send the authentication information to the other side, whereas under
    CHAP I must set the REMOTE ID/REMOTE PASSWORD to send the information?
    
    	Many thanks for your help
    
    		Andreas

793.3. "For example .." by KEEF::PETERS () Wed Mar 12 1997 10:14 (33 lines)

    Andreas,
    
    The documentation for V2 is confusing on this point and I am rewriting
    it for V3.
    
    If you consider two routers - Station A and Station B trying to set up
    a call with authentication in one direction only, enabled on Station A:
                                         
    With PAP, if Station A requests authentication,  Station B responds
    with its LOCAL ID/PASSWORD.  Station A will compare these values with
    its REMOTE ID/PASSWORD, and if they are the same the call will be
    accepted.  This means that if you enable PAP authentication on one
    router, it is up to the other router to reply with its local
    password/id.                                   
    
    With CHAP,  if Station A requires authentication it sends an
    authentication challenge to Station B, which builds a response based
    on its REMOTE ID/PASSWORD.  Station A verifies this response
    by comparing it with the results it gets from its LOCAL ID/PASSWORD. 
    
    You can see that PAP and CHAP use the LOCAL/REMOTE ID and Password
    differently.  Another difference is that the ID and PASSWORD are
    encrypted for CHAP, but are sent clear for PAP.
    
    The PAP authentication procedure is only run when the call is being set
    up, but with CHAP authentication challenges may be sent out
    periodically.  The end result is that CHAP provides a more secure
    verification than PAP.
    
    I hope this explanation helps.
    
    	Steve Peters
    	DRS Technical Writer. 
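
The PAP and CHAP exchanges discussed in 793.1 and 793.3, as an added Python example that is not part of the original notes and is not RouteAbout or Ascend code. It follows the PAP packet layout of RFC 1334 and CHAP with MD5 from RFC 1994; the station name, the secret and all function names are constructed for illustration, and the RouteAbout's LOCAL/REMOTE parameter naming is not modelled.

```python
import hashlib
import hmac
import os
import struct

def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): ID and password travel as plaintext."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): one-way hash over identifier, secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge (code 1) or Response (code 2): Value-Size, Value, Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def chap_verify(packet: bytes, secrets: dict, ident: int, challenge: bytes) -> bool:
    """Authenticator side: recompute the hash from its own copy of the secret."""
    if len(packet) < 5:
        return False
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or rid != ident or length != len(packet):
        return False
    size = packet[4]
    value, name = packet[5:5 + size], packet[5 + size:length]
    secret = secrets.get(name)          # looked up by the name the peer claims
    return secret is not None and hmac.compare_digest(value, chap_value(ident, secret, challenge))

# Constructed sample values, not taken from any router configuration.
STATION_B, SECRET = b"station-b", b"constructed-secret"
A_SECRETS = {STATION_B: SECRET}         # what Station A holds for its peer

def demo() -> dict:
    pap = pap_request(1, STATION_B, SECRET)
    challenge = os.urandom(16)          # sent by Station A to Station B
    resp = chap_packet(2, 7, chap_value(7, SECRET, challenge), STATION_B)
    return {
        "pap_leaks_password": SECRET in pap,
        "chap_leaks_password": SECRET in resp,
        "chap_accepts": chap_verify(resp, A_SECRETS, 7, challenge),
        # A captured response does not answer a later, different challenge.
        "replay_accepts": chap_verify(resp, A_SECRETS, 7, os.urandom(16)),
    }

if __name__ == "__main__":
    print(demo())
```

The replay case shows why the periodic re-challenge matters: a response recorded from one challenge is rejected against the next one.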

793.4. "" by TAGAUS::AURAND () Wed Mar 12 1997 12:02 (5 lines)

    Hi Steve,
    
    Many thanks for your explanation. The confusion has disappeared :-).
    
    	Andreas