Bay Networks 6300 Supplement Manual page 325

Book A
Remote Annex 6300 Supplement to the Remote Annex Administrator's Guide for UNIX
If the responses are identical, the ACP server sends a success code to the
RA 6300. If not, it sends a failure code.
Upon receiving a success code, the RA 6300 allows the link to be
established. When receiving a failure code, the RA 6300 prevents it from
being established.
The Annex sends a challenge only if the enable_security and
slip_ppp_security parameters are set to Y, the ppp_security_protocol
parameter is set to chap, and CHAP is ACKed during LCP. If the RA 6300
is ACKed for CHAP, it will seek only one valid response.
The RA 6300 terminates a link if it cannot authenticate a challenge. If
the RA 6300 does not receive a response to a challenge within the
allotted time-out, it re-issues the challenge for the defined number of
retries.
ACP logging for CHAP includes the standard PPP login and reject. It
also logs whether or not a chap secret was found in the acp_userinfo file
(for more details on security logging, as well as a sample log file, see
Host-based Security Logging on page B-33).
Re-issuing a CHAP Challenge
By default, the RA 6300 sends a challenge only once, at the time the link
is established. Optionally, you can configure the RA 6300 to re-issue a
challenge at random intervals ranging from one second to the maximum
number of seconds you specify. To do so, set the Annex security parameter
max_chap_chall_int to a value between 1 and 65535 (approximately
18.2 hours). The following example sets the maximum interval to 3600
(two hours). The RA_6300 will send a challenge at random intervals
between 1 second and two hours over the course of the connection.
admin: set annex max_chap_chall_int 3600
The max_chap_chall_int default is 0, which disables the re-issuing of
challenges.
Chapter 15 Using RA 6300 Security
A-297