Ppp Logins - Lantronix SCS Reference Manual

Security

11.1.2 PPP Logins

This section covers authentication on ports dedicated to PPP or with PPPdetect enabled. If PPP will be
started from character mode, see Character Mode Logins on page 11-1.
To dedicate a port to PPP or enable PPPdetect, see Chapter 8, Ports.
Note:
11.1.2.1 CHAP and PAP
The username and password may be transmitted using CHAP (Challenge Handshake Authentication
Protocol) or PAP (Password Authentication Protocol). Each protocol goes through a negotiation sequence
to complete the authentication; see Chapter 4, Basic Remote Networking, for details.
To use CHAP or PAP to authenticate incoming callers, CHAP Remote or PAP Remote must be enabled on
the port accepting the call. One or both may be enabled, however, CHAP is recommended.
Figure 11-8: Enabling PAP and CHAP for Incoming Connections
Local>> DEFINE PORT 2 PPP CHAP REMOTE
Local>> DEFINE PORT 2 PPP PAP REMOTE
If both CHAP and PAP are configured for authentication, CHAP authentication will be attempted first. If
the remote host does not understand CHAP, PAP will be attempted instead. If neither CHAP nor PAP
successfully authenticates the caller, the connection is terminated.
11.1.2.2 Comparing Username/Password to Authentication Databases
If the username sent by the caller matches a site name, that site will be checked to determine if it has a local
password defined. The local password is the password expected from the incoming caller. Local Password
on page 11-2 describes how to configure and assign a local password to a site.
If the password entered matches the site's local password, the site will be started. If it does not match the
local password, or if the site does not have a local password defined, the SCS will check the next database
(according to the order of database precedence). See Database Configuration on page 11-9 for details.
Some databases are case-sensitive, so the login information must be entered in
Note:
the proper case in order for authentication to succeed. See the Database
Configuration section for more information.
A custom site will only be started if the username matches a site name and any password in an authentication
database. If the username doesn't match a site name, but matches a username/password pair in an
authentication database, a temporary site will be used for the connection.
If a matching username/password pair is not found in any authentication database, the connection attempt
will fail.
11.1.2.3 Offering Authentication Information to the Incoming Caller
If the incoming caller must authenticate the SCS, the port must have PAP Local or CHAP Local configured.
Use the Define Ports PPP CHAP Local or Define Ports PPP PAP Local command.
Local>> DEFINE PORT 2 PPP CHAP LOCAL
Local>> DEFINE PORT 2 PPP PAP LOCAL
Figure 11-9: Enabling CHAP and PAP Local
11-3
Incoming Authentication