PPP Authentication
Two types of authentication are supported: Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP). CHAP uses the Message Digest 5 (MD5) algorithm for authentication. If both CHAP and PAP are configured, CHAP will be requested first. If CHAP is rejected or PAP is suggested in a Configuration-NAK, PAP will be requested.

If PAP is negotiated, the host that must authenticate itself must send a PAP message containing a valid user name and password after the LCP phase. If the host fails to authenticate itself, the connection is shut down.

If CHAP is negotiated, the authenticator will send a challenge message after the LCP phase and randomly during the NCP (READY) phase. If no response is received, the challenge will be retried as per the configuration options. A success response is sent if a correct response is received. If an incorrect response is received, a failure response is sent and the connection is shut down. If no response is received after all retries have been sent, the connection is shut down.

A CHAP challenge message contains a value and the host name of the sender. The remote host looks up the secret associated with the authenticator's host name. The secret and the value are passed to the MD5 algorithm to calculate the result. The result, along with the local host name, is sent back to the authenticator. The authenticator looks up the secret based upon the remote host's name and passes that secret and the value to the MD5 algorithm. If the calculated result does not match the result in the challenge response, a failure response is sent to the remote host and the connection is shut down. If the result matches, a success response is sent to the remote host.
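The CHAP exchange described above, as an added example that is not part of the original page. It follows RFC 1994, which also hashes the one-octet message Identifier ahead of the secret and the value; the host names, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed shared-secret tables, each keyed by the *other* side's host name.
PEER_SECRETS = {"gateway": b"constructed-shared-secret"}     # held by the remote host
AUTH_SECRETS = {"branch-rtr": b"constructed-shared-secret"}  # held by the authenticator


def chap_md5(identifier: int, secret: bytes, value: bytes) -> bytes:
    """RFC 1994 result: MD5 over the Identifier octet, the secret, then the value."""
    return hashlib.md5(bytes([identifier]) + secret + value).digest()


def make_challenge(identifier: int, auth_name: str) -> dict:
    """Authenticator side: a fresh random value plus the sender's host name."""
    return {"id": identifier, "value": os.urandom(16), "name": auth_name}


def answer_challenge(challenge: dict, local_name: str, secrets: dict) -> dict:
    """Remote host side: look up the secret by the authenticator's name and hash."""
    secret = secrets[challenge["name"]]
    result = chap_md5(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "result": result, "name": local_name}


def verify_response(challenge: dict, response: dict, secrets: dict) -> bool:
    """Authenticator side: True means send Success, False means send Failure."""
    secret = secrets.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = chap_md5(challenge["id"], secret, challenge["value"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, response["result"])


def run_exchange(peer_secrets: dict) -> bool:
    """One full challenge/response round between 'gateway' and 'branch-rtr'."""
    challenge = make_challenge(1, "gateway")
    response = answer_challenge(challenge, "branch-rtr", peer_secrets)
    return verify_response(challenge, response, AUTH_SECRETS)


if __name__ == "__main__":
    print("matching secret:", run_exchange(PEER_SECRETS))
    print("wrong secret:", run_exchange({"gateway": b"wrong"}))
```

Because each challenge carries a fresh random value, a result captured from one round does not verify against a later challenge, which is why the authenticator can safely re-challenge during the NCP phase.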