Configuring Point-To-Point Protocol; Authentication; Rate Limiting For PPP Control Packets; Extensible Authentication Protocol - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - LINK LAYER CONFIGURATION GUIDE 2010-10-13 Configuration Manual

Software for E Series Broadband Services Routers Link Layer Configuration Guide

Copyright © 2010, Juniper Networks, Inc.

Authentication

The router acts as an authenticator. It demands authentication from a remote PPP peer but refuses to authenticate itself.

Rate Limiting for PPP Control Packets

The router implements rate limiting for PPP control packets to protect the corresponding PPP interface from denial-of-service (DoS) attacks. The interface discards control packets when the rate of control packets received exceeds the rate limit for PPP interfaces.

A PPP interface has a rate limit control that is non-configurable and always in effect; the rate limit is the same for all PPP interfaces. In addition, each interface instance maintains its own state and statistics counters for tracking the rate. The rate limit for PPP control packets is approximately 10 packets per second.

For a PPP interface, the router increments the discards counter in the show ppp interface command display to track the number of PPP control packets discarded on receipt (in) or discarded before they were transmitted (out) on this interface.

For examples of the show ppp interface command display, see "show ppp interface" on page 283.

Extensible Authentication Protocol

The JunosE Software supports Extensible Authentication Protocol (EAP) for authenticating a peer before allowing network layer protocols to transmit over the link. EAP supports multiple authentication methods, including EAP-TLS and EAP-MD5-Challenge. The EAP server and the peer negotiate the specific authentication method to be used. Figure 34 on page 263 illustrates the three components required for EAP: an EAP authenticator, an EAP server, and an EAP client.

Figure 34: Authentication with EAP

After LCP negotiation, JunosE starts the EAP negotiation process by initiating an identity exchange with the EAP client on the peer. The router sends an EAP identity request packet to the peer, which replies with an EAP identity response packet. After this exchange, the E Series router acts only as a pass-through device, enabling the EAP server residing on the backend authentication server to select and negotiate the particular EAP authentication method directly with the EAP client on the peer.

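
The identity exchange described above, as an added example (not JunosE code and not taken from the guide): it builds the two packets and validates the peer's reply using the EAP header layout from RFC 3748. The function names are hypothetical, and the identifier and identity string are constructed sample values.

```python
import struct

# EAP codes and the Identity type number, as defined in RFC 3748.
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (covers the whole packet)

class EapError(ValueError):
    """Raised for a packet the authenticator must not act on."""

def _build(code: int, identifier: int, data: bytes) -> bytes:
    body = bytes([TYPE_IDENTITY]) + data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body

def build_identity_request(identifier: int, prompt: bytes = b"") -> bytes:
    """Authenticator to peer: Code=Request, Type=Identity."""
    return _build(CODE_REQUEST, identifier, prompt)

def build_identity_response(identifier: int, identity: bytes) -> bytes:
    """Peer to authenticator: Code=Response, Type=Identity."""
    return _build(CODE_RESPONSE, identifier, identity)

def parse_eap(packet: bytes):
    """Return (code, identifier, type or None, data) after checking the Length field."""
    if len(packet) < HEADER.size:
        raise EapError("shorter than the 4-byte EAP header")
    code, identifier, length = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise EapError("Length field inconsistent with the received bytes")
    payload = packet[HEADER.size:length]  # bytes past Length are link padding
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if not payload:
            raise EapError("Request/Response without a Type byte")
        return code, identifier, payload[0], payload[1:]
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return code, identifier, None, b""
    raise EapError(f"unknown EAP code {code}")

def accept_identity_response(request: bytes, reply: bytes) -> bytes:
    """Match the peer's reply to the outstanding request and return the identity."""
    _, req_id, _, _ = parse_eap(request)
    code, rsp_id, eap_type, data = parse_eap(reply)
    if code != CODE_RESPONSE or eap_type != TYPE_IDENTITY:
        raise EapError("expected an Identity Response")
    if rsp_id != req_id:
        raise EapError("Identifier does not match the outstanding request")
    return data

# Constructed sample exchange: identifier 0x2A and the identity are made-up values.
REQUEST = build_identity_request(0x2A)
REPLY = build_identity_response(0x2A, b"subscriber@example.net")
```
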
The JunosE Software forwards or discards packets received from the backend authentication router and the peer depending on the identifying code contained in the packet.

The E Series router forwards:
Chapter 8: Configuring Point-to-Point Protocol
263


This manual is also suitable for:

Junose 11.3
