HP VPN Firewall Appliances Network Management Configuration Guide
Figure 60 PPP link establishment process
1. Initially, PPP is in Link Dead phase. After the physical layer goes up, PPP enters the Link
Establishment phase (Establish).
2. In the Link Establishment phase, the LCP negotiation is performed. The LCP configuration options
include Authentication-Protocol and MP. If the negotiation fails, LCP reports a Fail event, and PPP
returns to the Dead phase. If the negotiation succeeds, LCP enters the Opened state and reports an
Up event, indicating that the underlying layer link has been established. (At this time, the PPP link
is not established for the network layer, and network layer packets cannot be transmitted over the
link.)
3. If authentication is configured, the PPP link enters the Authentication phase, where PAP, CHAP,
MS-CHAP, or MS-CHAP-V2 authentication is performed. If the peer fails to pass the authentication,
the link reports a Fail event and enters the Link Termination phase, where the link is torn down and
LCP goes down. If the peer passes the authentication, a Success event is reported.
4. If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase for
NCP negotiation, such as IPCP negotiation or IPv6CP negotiation. If the NCP negotiation succeeds,
the link goes up and becomes ready to carry negotiated network-layer protocol packets. If the
NCP negotiation fails, NCP reports a down event and enters the Link Termination phase.
5. If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP
configuration options include IP addresses of the two ends, IP compression protocol, and DNS
server address. After the IPCP negotiation succeeds, the link can carry IP packets.
6. After the NCP negotiation is performed, the PPP link remains active until explicit LCP or NCP
frames close the link, or until some external events take place (for example, the intervention of a
user).
For more information about PPP, see RFC 1661.
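The Authentication-Protocol option negotiated in step 2 decides which method runs in step 3. The Python below is an added example, not code from this guide or from HP: it parses an LCP Configure-Request and reports the requested method, so captured negotiations can be checked for links that still ask for PAP. Option and protocol numbers are taken from RFC 1661, RFC 1994, RFC 2433 and RFC 2759; the function names and sample packets are constructed for illustration.

```python
import struct

# Authentication-Protocol values carried in LCP option type 3
# (RFC 1661, RFC 1994, RFC 2433, RFC 2759).
PAP, CHAP = 0xC023, 0xC223
CHAP_ALGS = {0x05: "CHAP (MD5)", 0x80: "MS-CHAP", 0x81: "MS-CHAP-V2"}
CONFIGURE_REQUEST, AUTH_PROTOCOL_OPT = 1, 3

def lcp_auth_protocol(packet: bytes):
    """Return the authentication method requested in an LCP Configure-Request.
    `packet` is the LCP packet (PPP information field for protocol 0xc021).
    Returns None if it is not a Configure-Request or has no Authentication-Protocol
    option (the Authentication phase is then skipped). Raises ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("LCP header truncated")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad LCP length field")
    if code != CONFIGURE_REQUEST:
        return None
    opts, i = packet[4:length], 0
    while i < len(opts):
        if i + 2 > len(opts):
            raise ValueError("option header truncated")
        otype, olen = opts[i], opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        data = opts[i + 2:i + olen]
        if otype == AUTH_PROTOCOL_OPT:
            if len(data) < 2:
                raise ValueError("Authentication-Protocol option too short")
            proto = struct.unpack("!H", data[:2])[0]
            if proto == PAP:
                return "PAP"
            if proto == CHAP and len(data) >= 3:
                return CHAP_ALGS.get(data[2], f"CHAP (algorithm 0x{data[2]:02x})")
            return f"unknown (0x{proto:04x})"
        i += olen
    return None

def sends_cleartext_password(method):
    """Of the methods this guide lists, only PAP puts the password on the wire."""
    return method == "PAP"

# Constructed sample Configure-Requests (not captured traffic): MRU option + auth option.
SAMPLE_PAP = bytes.fromhex("0101000c" "010405dc" "0304c023")
SAMPLE_MSCHAPV2 = bytes.fromhex("0101000d" "010405dc" "0305c22381")
```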
PPP authentication
PPP provides authentication methods, which makes it possible to implement AAA on PPP links. Combined
with AAA, PPP can authenticate peers, perform accounting for them, and assign IP addresses to them
based on the authentication.
PPP supports the following authentication methods:
• PAP—PAP is a two-way handshake authentication protocol using the username and password.
PAP sends passwords in plain text over the network. If authentication packets are intercepted in
transit, network security might be threatened. For this reason, it is suitable only for low-security
environments.
• CHAP—CHAP is a three-way handshake authentication protocol using ciphertext passwords.
Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP
authentication. In one-way CHAP authentication, the authenticator may or may not be configured