Juniper JUNOSE SOFTWARE 11.2.X - LINK LAYER CONFIGURATION GUIDE 7-7-2010 Configuration Manual page 343

ppp authentication
ppp chap-challenge-length
Copyright © 2010, Juniper Networks, Inc.
NOTE: The JunosE Software's PPP application accepts null usernames during PAP and
CHAP authentication. When the PPP application receives an authentication request
that includes a null username, PPP passes the request to AAA. To take advantage of
this feature, configure your authentication server to support the use of null usernames.
Use to require authentication from the PPP peer.
To specify the name of a virtual router (VR) to be used as the authentication VR context,
use the virtual-router keyword. Keep the following points in mind when you use the
ppp authentication virtual-router command:
When you specify a VR in the ppp authentication command, AAA does not query
the domain map for the assigned VR context. Instead, AAA uses the VR specified in
the ppp authentication command as the authentication VR context and issues the
authentication request to the authentication server in the assigned VR context.
If you specify the default VR as the authentication VR context, AAA loosely binds
the user to the default VR. This means that RADIUS can override the default VR
context with a new VR context during the authentication process. When the ppp
authentication virtual-router command specifies the default VR, AAA returns either
the default VR or the VR specified by RADIUS.
If you specify a VR other than the default VR as the authentication VR, AAA tightly
binds the user to the specified VR. This means that RADIUS cannot override the
specified VR context with a new VR context during the authentication process. When
the ppp authentication virtual-router command specifies a nondefault VR, AAA
returns the specified VR.
The router supports the MD5 authentication algorithm for CHAP authentication.
Example 1—Specify PAP or CHAP as the primary authentication protocol, and the other
authentication protocol as the alternative. For example, the following command
specifies pap as the primary authentication protocol and chap as the alternate.
host1(config-if)#ppp authentication pap chap
The router requests the use of PAP as the authentication protocol (because it appears
first in the command line). If the peer refuses to use PAP, the router requests the CHAP
protocol. If the peer refuses to negotiate authentication, the router terminates the PPP
session.
Example 2—Specify a virtual router for the authentication virtual router context. This
command is available in static configurations and in profiles.
host1(config-if)#ppp authentication virtual-router boston pap chap
Use the no version to specify that the router does not require authentication.
See ppp authentication.
Chapter 9: Configuring Multilink PPP
311