H3C SR6600 Configuration Manual page 38

Layer 2 – wan configuration

Hide thumbs Also See for SR6600:

Command reference manual (265 pages)

Fundamentals configuration manual (184 pages)

Configuration manual (143 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

Table of Contents

Figure 2-1 PAP Authentication

During PAP authentication, the password is transmitted on the link in plain text. In addition, the

authenticatee sends the username and the password repeatedly through the established PPP link until

the authentication is over. Therefore, PAP is not a secure authentication protocol. It cannot prevent

attacks.

CHAP authentication

CHAP is a three-way handshake authentication protocol using cipher text password.

Currently, two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP

authentication. By one-way CHAP authentication, one side of the link acts as the authenticator and the

other acts as the authenticatee. By two-way authentication, each side serves as both the authenticator

and the authenticatee. Normally, one-way CHAP authentication is adopted.

In one-way CHAP authentication, the authenticator may or may not be configured with a username. It is

recommended that you configure a username for the authenticator, which makes it easier to identify the

authenticator.

If the authenticator is configured with a username, CHAP authentication is performed as follows:

The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)

to the authenticatee. The packet carries the local username with it in addition.

When the authenticatee receives the authentication request, it searches the local user list for the

password of the username carried in the received packet, encrypts the packet using the MD5

algorithm, with the packet ID and the password as the parameters, and then sends the encrypted

packet and the local username to the authenticator (Response).

The authenticator encrypts the original randomly-generated packet using the MD5 algorithm, with

the password of the authenticatee it maintains as the parameter, compares the encrypted packet

with the one received from the authenticatee, and returns an Acknowledge or Not Acknowledge

packet depending on the comparison result.

If the authenticator is not configured with a username, the CHAP authentication is performed as follows:

The authenticator initiates an authentication by sending a randomly-generated packet (Challenge)

to the authenticatee.

When the authenticatee receives the authentication request, it encrypts the packet using the MD5

algorithm, with the packet ID and the default CHAP password as the parameters, and then sends

the encrypted packet and its own username to the authenticator (Response).

2-28

Table of Contents

H3C SR6600 Configuration Manual page 38

Troubleshooting

Related Products for H3C SR6600

H3C SR6600 Configuration Manual page 38

Troubleshooting

Related Manuals for H3C SR6600

Related Products for H3C SR6600

Table of Contents