Bay Networks 6300 Supplement Manual page 324

Chapter 15 Using RA 6300 Security
Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX
A-296
If the slip_ppp_security parameter is set to Y, the RA 6300 sends the
username, challenge message, and challenge response to ACP for
authentication. The RA 6300 uses local security when ACP is unavailable
and the port_password parameter is set; local security ignores the user
name and checks the response against port_password using the
port_password to encrypt the challenge message. If the port_password
parameter is not set, the link fails.
Receiving a CHAP Challenge
When the RA 6300 receives a challenge, the challenge and the secret
token (the ppp_password_remote parameter value) are used to generate
a response message (the name field is set to the ppp_username_remote
parameter value). The value in the response message is a result of running
MD5 encryption on the secret token and the value in the challenge
message. If the RA 6300 receives a success message, the link enters (or
remains in) NCP negotiation; otherwise, the link is terminated.
The RA 6300 negotiates an authentication challenge from a peer only
if the ppp_password_remote and ppp_username_remote
parameters are set for this session.
CHAP does not use the acp_regime file.
Sending a CHAP Challenge
When the RA 6300 sends a challenge to the peer (remote node requesting
a link), it includes the chap_auth_name parameter value as the name
field and a randomly generated number as the value field.
If ACP is used, after receiving the peer's response, the RA 6300 passes
the following items to the ACP server: chap username, challenge, and the
peer's response (id and challenge response).
The ACP server combines the secret, challenge, and id to create an
expected response. The ACP server then compares the response it created
with the one it received from the RA 6300.
Book A