ADTRAN 5000 Series Command Reference Manual page 953

Adtran network device command reference guide
The PPP username and password database is separate and distinct from the global
username password database. For PAP and CHAP, use the database under the PPP
interface configuration.
Several example scenarios are given below for clarity.
Configuring PAP Example 1: Only the local router requires the peer to authenticate itself.
On the local router (hostname Local):
Local(config-ppp 1)#ppp authentication pap
Local(config-ppp 1)#username farend password far
On the peer (hostname Peer):
Peer(config-ppp 1)#ppp pap sent-username farend password far
The first line of the configuration sets the authentication mode as PAP. This means the peer is required to
authenticate itself to the local router via PAP. The second line is the username and password expected to
be sent from the peer. On the peer, the ppp pap sent-username command is used to specify the
appropriate matching username and password.
Configuring PAP Example 2: Both routers require the peer to authenticate itself.
On the local router (hostname Local):
Local(config-ppp 1)#ppp authentication pap
Local(config-ppp 1)#username farend password far
Local(config-ppp 1)#ppp pap sent-username nearend password near
On the peer (hostname Peer):
Peer(config-ppp 1)#ppp authentication pap
Peer(config-ppp 1)#username nearend password near
Peer(config-ppp 1)#ppp pap sent-username farend password far
Now both routers send the authentication request, verify that the username and password sent match what
is expected in the database, and send an authentication acknowledge.
Defining CHAP
The Challenge-Handshake Authentication Protocol (CHAP) is a three-way authentication protocol
composed of a challenge, a response, and a success or failure. The MD5 hash algorithm is used to protect
usernames and passwords in the response.
First, the local router (requiring its peer to be authenticated) sends a "challenge" containing the
unencrypted username of the peer and a random number. The username of the peer is found in the
username database within the PPP interface of the local router. The peer then looks up the username in
the username database within its own PPP interface and, if it is found, takes the corresponding password
and its own hostname and sends a "response" back to the local router. This data is encrypted. The local
router verifies that the username and password are in its own username database within the PPP interface
and, if so, sends a "success" back to the peer.
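The exchange described above, as an added Python example that is not part of the ADTRAN manual or ADTRAN's code. The response value follows RFC 1994 (MD5 over the identifier octet, the shared password, and the challenge value); the function names, the dictionary message layout, and the peer-side database are assumptions made for illustration, and the farend/far credentials are the ones from the PAP examples on this page.

```python
import hashlib
import hmac
import os

# Constructed sample data: per-interface PPP username databases, using the
# username/password pair from the page's PAP examples.
LOCAL_PPP_DB = {"farend": b"far"}
PEER_PPP_DB = {"farend": b"far"}


def make_challenge(peer_username):
    """Local router: random identifier and challenge value, sent in the clear."""
    return {"id": os.urandom(1)[0], "name": peer_username, "value": os.urandom(16)}


def chap_response(identifier, secret, challenge_value):
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def peer_respond(challenge, peer_db):
    """Peer: look up the challenged username; send a digest, never the password."""
    secret = peer_db.get(challenge["name"])
    if secret is None:
        return None  # unknown username, nothing to answer with
    digest = chap_response(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "name": challenge["name"], "value": digest}


def verify(challenge, response, local_db):
    """Local router: recompute the digest from its own database and compare."""
    if response is None or response["id"] != challenge["id"]:
        return "failure"
    secret = local_db.get(response["name"])
    if secret is None:
        return "failure"
    expected = chap_response(challenge["id"], secret, challenge["value"])
    ok = hmac.compare_digest(expected, response["value"])
    return "success" if ok else "failure"


if __name__ == "__main__":
    ch = make_challenge("farend")
    good = peer_respond(ch, PEER_PPP_DB)
    print("matching password:", verify(ch, good, LOCAL_PPP_DB))
    print("wrong password:", verify(ch, peer_respond(ch, {"farend": b"x"}), LOCAL_PPP_DB))
    ch2 = make_challenge("farend")  # new challenge; replay the old digest against it
    print("replayed response:", verify(ch2, dict(good, id=ch2["id"]), LOCAL_PPP_DB))
```

Because the random challenge value is part of the hashed input, a response recorded from one exchange does not verify against a later challenge.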
61200990L1-35E
PPP Interface Configuration Command Set
Copyright © 2005 ADTRAN