R3303-HP HSR6800 Routers Layer 2 - WAN Configuration Guide

4. If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for
NCP negotiation, such as IPCP negotiation or IPv6CP negotiation. If the NCP negotiation succeeds,
the link goes up and becomes ready to carry negotiated network-layer protocol packets. If the
NCP negotiation fails, NCP reports a down event and enters the Link Termination phase.
5. If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP
configuration options include IP addresses of the two ends, IP compression protocol, and DNS
server address. After the IPCP negotiation succeeds, the link can carry IP packets.
6. After the NCP negotiation is performed, the PPP link remains active until explicit LCP or NCP
frames close the link, or until some external events take place (for example, the intervention of a
user).
For more information about PPP, see RFC 1661.
PPP authentication
PPP provides authentication methods, which makes it possible to implement AAA on PPP links. Combining
PPP with AAA lets you authenticate and account for supplicants and assign IP addresses to the
supplicants based on the authentication.
PPP supports the following authentication methods:
• PAP—PAP is a two-way handshake authentication protocol using the username and password.
  PAP sends passwords in plain text over the network. If authentication packets are intercepted in
  transit, network security might be threatened. For this reason, it is suitable only for low-security
  environments.
• CHAP—CHAP is a three-way handshake authentication protocol using ciphertext passwords.
  Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP
  authentication. In one-way CHAP authentication, the authenticator can be optionally configured
  with a username. HP recommends that you configure a username for the authenticator, which
  makes it easier for the supplicant to verify the identity of the authenticator.
  CHAP transmits usernames but not passwords over the network. More precisely, it does not transmit
  the password itself; it transmits the result calculated from the password and random packet ID
  by using the MD5 algorithm. Therefore, it is more secure than PAP.
• MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.
  MS-CHAP differs from CHAP as follows:
  ○ MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3, Authentication
    Protocol.
  ○ MS-CHAP provides authentication retry. With this mechanism, if the supplicant fails
    authentication, it is allowed to retransmit authentication information to the authenticator for
    reauthentication. The authenticator allows a supplicant to retransmit three times.
• MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.
  MS-CHAP-V2 differs from CHAP as follows:
  ○ MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3, Authentication
    Protocol.
  ○ MS-CHAP-V2 provides two-way authentication by piggybacking a supplicant challenge on the
    Response packet and an authenticator response on the Acknowledge packet.
  ○ MS-CHAP-V2 supports authentication retry. With this mechanism, if the supplicant fails
    authentication, it is allowed to retransmit authentication information to the authenticator for
    reauthentication. The authenticator allows a supplicant to retransmit three times.
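The following added example (not from the HP guide) decodes LCP option 3 in a Configure-Request to show which of the authentication methods above a peer is requesting, which is useful when auditing a capture for links that still negotiate PAP. It also computes the CHAP response as RFC 1994 defines it: MD5 over the identifier, the secret, and the challenge. The function names and sample packets are constructed for illustration.

```python
import hashlib
import struct

# Authentication-Protocol values for LCP option 3 (RFC 1661, RFC 1334, RFC 1994).
PAP, CHAP = 0xC023, 0xC223
CHAP_ALGORITHMS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}

# Constructed sample LCP Configure-Requests (code 1), not captured traffic.
SAMPLE_PAP = bytes.fromhex("01 02 00 08  03 04 c0 23")
SAMPLE_MSCHAPV2 = bytes.fromhex("01 01 00 0d  01 04 05 dc  03 05 c2 23 81")


def auth_protocol(lcp_packet: bytes) -> str:
    """Return the authentication method requested in an LCP Configure-Request."""
    if len(lcp_packet) < 4:
        raise ValueError("truncated LCP header")
    code, _ident, length = struct.unpack("!BBH", lcp_packet[:4])
    if code != 1:
        raise ValueError("not a Configure-Request")
    if length < 4 or length > len(lcp_packet):
        raise ValueError("bad LCP length field")
    options = lcp_packet[4:length]
    pos = 0
    while pos + 2 <= len(options):
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError("malformed option")
        data = options[pos + 2:pos + opt_len]
        if opt_type == 3:  # Authentication-Protocol
            if len(data) < 2:
                raise ValueError("option 3 too short")
            proto = struct.unpack("!H", data[:2])[0]
            if proto == PAP:
                return "PAP (cleartext password)"
            if proto == CHAP and len(data) == 3:
                algo = data[2]
                return CHAP_ALGORITHMS.get(algo, f"CHAP algorithm 0x{algo:02x}")
            return f"unknown protocol 0x{proto:04x}"
        pos += opt_len
    return "none"  # peer did not request authentication


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()
```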