PAP/CHAP Authentication – USRobotics NETServer/8 User Manual


LAN-to-LAN Routing 6-9

PAP/CHAP Authentication

The NETServer supports auto-detecting the PAP and CHAP
methods of login authentication on PPP connections. If a user
dials in and starts sending PPP packets, the NETServer asks that
the user log in with PAP (enter a user name and password). If
the user refuses PAP authentication, the NETServer demands
CHAP authentication. If this is also refused, the NETServer
hangs up.

Security Note: PAP is a less secure authentication method than
CHAP since user names and passwords are passed over the link
in “clear text” (in other words, they are not encrypted). For this
reason, it is possible to force CHAP authentication by disabling
PAP support. The command to do this is:

set pap off

PAP (Password Authentication Protocol)

PAP is simply a fancy way of saying that the dialing user or
system will respond to the User Name and Password prompts
given by the authenticating system. Although the NETServer
will not initiate dial-out PAP authentication, you can accomplish
the same effect by creating a dial script containing the expected
prompts and the required responses.

However, the NETServer will respond to a dial-in PAP authentication
request. All that is needed is a User Table entry for the
remote device.

CHAP (Challenge Handshake Authentication Protocol)

Instead of actually sending a password over the link, CHAP
relies on a “shared secret”, a password that both sides of the
connection know, but never send. When a remote system
requests CHAP authentication, the authenticating host replies
with a challenge packet. The challenge packet contains (among
other things):

A user name for the host. The challenged system needs this
to look up the correct “shared secret” password.
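
The page breaks off before the response to the challenge is described. As an added example (not from the manual or from NETServer firmware), the Python code below follows RFC 1994, where the response is an MD5 hash over the identifier, the shared secret and the challenge value, and contrasts it with the PAP request data from RFC 1334. The host name, peer name and secret are constructed placeholders.

```python
import hashlib
import hmac
import os

def make_challenge(host_name, identifier):
    """Authenticating host: fresh random challenge plus its own user name."""
    return {"id": identifier, "value": os.urandom(16), "name": host_name}

def chap_response(identifier, secret, challenge_value):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()

def peer_reply(challenge, peer_name, secrets_by_host):
    """Challenged system: find the shared secret by the host name received."""
    secret = secrets_by_host[challenge["name"]]
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "name": peer_name, "value": value}

def verify(challenge, reply, user_table):
    """Authenticating host: recompute the hash, compare in constant time."""
    secret = user_table.get(reply["name"])
    if secret is None or reply["id"] != challenge["id"]:
        return False
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, reply["value"])

def pap_request(peer_name, password):
    """RFC 1334 PAP request data: length-prefixed name and password, in clear."""
    name = peer_name.encode()
    return bytes([len(name)]) + name + bytes([len(password)]) + password

def demo():
    # Constructed placeholders, not values from the manual.
    secret = b"constructed-shared-secret"
    user_table = {"branch-router": secret}      # kept by the authenticating host
    peer_secrets = {"netserver-hq": secret}     # kept by the dialing system
    first = make_challenge("netserver-hq", 1)
    reply = peer_reply(first, "branch-router", peer_secrets)
    second = make_challenge("netserver-hq", 2)  # new challenge, later session
    return {
        "chap_accepts": verify(first, reply, user_table),
        "replay_accepts": verify(second, dict(reply, id=2), user_table),
        "secret_in_pap": secret in pap_request("branch-router", secret),
        "secret_in_chap": any(secret in m for m in (first["value"], reply["value"])),
    }

if __name__ == "__main__":
    print(demo())
```

Because every challenge carries a new random value, a response captured from one session does not verify against the next, whereas the PAP bytes contain the password itself.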
