Enterasys Networks CSX6000 User Manual
Page 176
USER’S GUIDE
176 CyberSWITCH
Note:
If a system is brought on line with a device that has a required Calling Line Id that is a
duplicate of another device’s Calling Line Id, and no other type of authentication is used,
a warning message is logged at initialization. Every attempt to connect the device
thereafter will result in an error message being logged and the call being rejected.
PAP P
ASSWORD
S
ECURITY
PAP Security provides a method for the Device to identify itself to the system using a 2-way
handshake. If PAP Password Security is enabled, and a PAP Password has been configured for the
Device, the following holds true:
•
After the initial connection is made, the Device Name and Password are repeatedly sent by the
remote device to the system. The system will look up the received Device Name in the Device
List.
•
If the Device Name is not found, the call is disconnected.
•
If the Device Name is found the system will validate the password.
•
If the password does not match, the call will be disconnected.
•
If PAP Password Security is enabled, and a PAP Password has not been configured for the De-
vice, Password validation is not performed.
CHAP C
HALLENGE
S
ECURITY
An authentication phase between the remote device and the system begins with sending a CHAP
challenge request to the remote device. The CHAP request contains a string of bytes known as the
challenge value, which is changed on each challenge. Using the hash algorithm associated with
CHAP, the remote device transforms the challenge value plus its secret into a response value. The
remote device sends this output of the hash function, along with its symbolic name, to the system
in a CHAP response.
Within the Device Table entry for each remote device which will be authenticated via CHAP, the
system maintains the remote device’s secret. The name in the remote device’s CHAP response is
used to locate the Device Table entry, and consequently the secret used by the remote device. Using
the same hash function, the system computes the expected response value for the challenge with
that secret. If this matches the response value sent by the remote device, a successful authentication
has occurred. The system can optionally be configured to repeat the CHAP challenge process
periodically throughout the life of the connection. An invalid response to a CHAP challenge at any
time is deemed a security violation, which causes a switched link to be released.
PAP
Authentication
CHAP
Authentication
Bridge MAC
Address
Authentication
Calling Line Id
Authentication
Yes
No
No
Optional
Duplicates allowed for
these Devices.
No
Yes
No
Optional
Duplicates allowed for
these Devices.
No
No
Yes
Optional
Duplicates allowed for
these Devices.
No
No
No
Required
Duplicates not allowed.