Juniper JUNOSE SOFTWARE 11.0.X - LINK LAYER CONFIGURATION GUIDE 4-1-2010 Configuration Manual page 560

JUNOSe 11.0.x Link Layer Configuration Guide
NOTE: The JUNOSe software's PPP application accepts null usernames during PAP
and CHAP authentication. When the PPP application receives an authentication
request that includes a null username, PPP passes the request to AAA. To take
advantage of this feature, configure your authentication server to support the use of
null usernames.
530
Configuring a Dynamic Interface from a Profile
Use to require authentication from the PPP peer.
To specify the name of a virtual router (VR) to be used as the authentication VR
context, use the virtual-router keyword. Keep the following points in mind when
you use the ppp authentication virtual-router command:
When you specify a VR in the ppp authentication command, AAA does not
query the domain map for the assigned VR context. Instead, AAA uses the
VR specified in the ppp authentication command as the authentication VR
context and issues the authentication request to the authentication server
in the assigned VR context.
If you specify the default VR as the authentication VR context, AAA loosely
binds the user to the default VR. This means that RADIUS can override the
default VR context with a new VR context during the authentication process.
When the ppp authentication virtual-router command specifies the default
VR, AAA returns either the default VR or the VR specified by RADIUS.
If you specify a VR other than the default VR as the authentication VR, AAA
tightly binds the user to the specified VR. This means that RADIUS cannot
override the specified VR context with a new VR context during the
authentication process. When the ppp authentication virtual-router
command specifies a nondefault VR, AAA returns the specified VR.
If the VR specified in a profile with the ip virtual-router command differs
from the VR provided by AAA, IP uses the VR provided by AAA when the
dynamic IP upper-layer interface is created. For more information about
using the ip virtual-router command, see "ip virtual-router" on page 524.
The router supports the MD5 authentication algorithm for CHAP authentication.
Example 1 Specifies PAP or CHAP as the primary authentication protocol, and
the other authentication protocol as the alternative. For example, the following
command specifies pap as the primary authentication protocol and chap as the
alternate.
host1(config-if)#ppp authentication pap chap
The router requests the use of PAP as the authentication protocol (because it
appears first in the command line). If the peer refuses to use PAP, the router
requests the CHAP protocol. If the peer refuses to negotiate authentication, the
router terminates the PPP session.
Example 2 Specifies a virtual router for the authentication virtual router context.
This command is available in static configurations and in profiles.
host1(config-if)#ppp authentication virtual-router boston pap chap