QTECH SmartEdge 100 PPP and PPPoE User Manual

Configuring PPP and PPPoE

bind a PPP-encapsulated ATM PVC to an interface on the basis of
authentication.

If you use the bind subscriber command (in ATM PVC configuration mode),
the PPP-encapsulated PVC is brought up unauthenticated, meaning that no
authentication data is received from the PPP remote peer. The subscriber
name and password are then supplied through the command-line interface
(CLI), similar to a PVC with RFC 1483 bridged- or routed-encapsulation.

The bind authentication command allows you to specify the
authentication protocol to be used in negotiating the PPP link. If you use
the chap pap construct, for example, you indicate that both the Challenge
Handshake Authentication Protocol (CHAP) and the Password Authentication
Protocol (PAP) can be used, with CHAP negotiated first. CHAP uses a
challenge and response protocol to provide authentication without sending clear
text passwords over the network. The CHAP challenge value is sent in both the
Request Authenticator field and the CHAP-Challenge Attribute (60) field of the
RADIUS Access-Request messages. Other authentication protocol options are
available. For a complete description of all options, see the description of the
bind authentication

command in the document, Configuring Bindings

If you are using remote authentication using the Remote Authentication Dial-In
User Service (RADIUS), the local subscriber records are replaced by the
corresponding subscriber records in the RADIUS database.

If you are using the CHAP, PAP, or both authentication protocols, the response
from the RADIUS server (in attribute 18) is forwarded to the PPP client with the
reason for the acceptance or rejection of the subscriber.

Another binding option is to use the bind authentication command with
the optional context

ctx-name

construct to create a restricted dynamic

binding of a PPP-encapsulated PVC to a specific context; this binding method
denies the subscriber the ability to dynamically select a context (service).

An IP address is required. This IP address is assigned to the remote end of
the PPP link, and there must be an interface with an IP address or network
mask range that includes the IP address assigned to a subscriber during the IP
Control Protocol (IPCP) or IPv6 Control Protocol (IPv6CP) phase of PPP (or that
includes the IP address that has been directly configured for the subscriber).
RADIUS servers must return an IP address for the subscriber that falls within
the range of the interface that is configured in the appropriate context.

If the authentication procedure is successful, the PPP link is established and
the circuit is implicitly bound to the interface with a network address mask that
includes the address of the remote PPP endpoint. If no such interface exists,
then the bind command fails.

Note:

When a second PPP session attempts to authenticate using an

IP address that is already in use by an established session, the
established session is terminated, and the second session is allowed to
complete authentication.

2

64/1543-CRA 119 1170/1 Uen K

|

2012-12-04