Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - LINK LAYER CONFIGURATION GUIDE 2010-10-13 Configuration Manual page 312

JunosE 11.3.x Link Layer Configuration Guide
280
authentication virtual-router command specifies the default VR, AAA returns either
the default VR or the VR specified by RADIUS.
If you specify a VR other than the default VR as the authentication VR, AAA tightly
binds the user to the specified VR. This means that RADIUS cannot override the
specified VR context with a new VR context during the authentication process. When
the ppp authentication virtual-router command specifies a nondefault VR, AAA
returns the specified VR.
The router supports the MD5 authentication algorithm for CHAP authentication.
You can specify one or more authentication protocols in order of preference. If the peer
router refuses the first choice, then the local router requests the next authentication
protocol, if specified. If the peer refuses that protocol, then the local router requests
the third protocol, if specified. If the peer refuses all specified authentication protocols,
then the local router terminates the session.
Example 1—Specifies the order of preference for the primary authentication protocol
host1(config-if)#ppp authentication pap chap eap
The router requests the use of PAP as the authentication protocol (because it appears
first in the command line). If the peer refuses to use PAP, the router requests the CHAP
protocol. If the peer refuses to use CHAP, the router requests the EAP protocol. If the
peer refuses to negotiate authentication, the router terminates the PPP session.
Example 2—Specifies a virtual router for the authentication virtual router context
host1(config-if)#ppp authentication virtual-router boston pap chap
This command is available in static configurations and in profiles.
Example 3—Configures only EAP on a static PPP interface
host1(config)#interface atm 3/2.100
host1(config-subif)#ppp authentication eap
Example 4—Configures EAP or PAP on a static PPP interface
host1(config)#interface atm 3/2.100
host1(config-subif)#ppp authentication eap pap
EAP negotiation is attempted first. If PPP receives a NAK from the peer in response to
the EAP request, then PAP is attempted. If PAP is also rejected, then PPP terminates
the session.
Example 5—Configures only EAP on a dynamic PPP interface
host1(config)#profile ppptest
host1(config-profile)#ppp authentication eap
Example 6—Configures EAP or CHAP or PAP on a dynamic PPP interface
host1(config)#profile ppptest
host1(config-profile)#ppp authentication eap chap pap
In this example, the router first attempts EAP negotiation. If PPP receives a NAK from
the peer in response to the EAP request, then the router attempts CHAP negotiation.
Copyright © 2010, Juniper Networks, Inc.