Configuring PPP authentication
You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the peer in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the peer carries a recommended authentication mode, the authenticator uses that mode directly if it finds the mode configured.
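The negotiation order described above, as an added example (a simplified model written for this page, not device or vendor code). The `make_peer` and `negotiate_auth` names, the "ack"/"nak" replies and the round counter are assumptions made for illustration.

```python
def make_peer(accepts, recommend=None):
    """Peer model: Ack a proposed mode it accepts, otherwise Nak,
    optionally naming the mode it would rather use."""
    def reply(proposed):
        if proposed in accepts:
            return "ack", None
        return "nak", recommend
    return reply


def negotiate_auth(configured, peer):
    """Walk the authenticator's modes in configured order.

    Returns (mode, rounds); mode is None when LCP negotiation fails.
    rounds counts the proposals taken from the configured list.
    """
    rounds = 0
    for mode in configured:
        rounds += 1
        verdict, hint = peer(mode)
        if verdict == "ack":
            return mode, rounds
        if hint in configured:
            # The peer recommended a mode that is configured: use it directly.
            return hint, rounds
    return None, rounds


if __name__ == "__main__":
    # Constructed sample: authenticator configured with three modes.
    configured = ["ms-chap-v2", "chap", "pap"]
    print(negotiate_auth(configured, make_peer({"pap"}, recommend="pap")))
    print(negotiate_auth(configured, make_peer({"pap"})))
    print(negotiate_auth(["chap", "pap"], make_peer({"ms-chap"}, "ms-chap")))
```

Every mode in the configured list can end up as the negotiated mode if the peer asks for it, so configure only the modes you are prepared to accept on that interface.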
Configuring PAP authentication
To configure the authenticator:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the authenticator to authenticate the peer by using PAP. | ppp authentication-mode pap [ [ call-in ] domain { isp-name \| default enable isp-name } ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password configured for the peer must be the same as those configured on the peer. |
To configure the peer:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the PAP username and password that the peer sends to the authenticator when it is authenticated by using PAP. | ppp pap local-user username password { cipher \| simple } string | By default, when being authenticated by the authenticator by using PAP, the peer sends a null username and password to the authenticator. For security purposes, the password, whether specified in plaintext or ciphertext form, is stored in encrypted form. |
Configuring CHAP authentication
Depending on whether the authenticator is configured with a username, the configuration of CHAP authentication includes the following types:
Configuring CHAP authentication when the authenticator name is configured
To configure the authenticator:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the authenticator to authenticate the peer by using CHAP. | ppp authentication-mode chap [ [ call-in ] domain { isp-name \| default enable isp-name } ] | By default, PPP authentication is disabled. |
4. Configure a username for the CHAP authenticator. | ppp chap user username | The default setting is null. The username you configure for the authenticator must be the same as the local username you configure for the authenticator on the peer. |
5. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same. |
To configure the peer:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure a username for the CHAP peer. | ppp chap user username | The default setting is null. The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the authenticator must be configured on the peer. For remote AAA authentication, the username and password of the authenticator must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the authenticator must be the same as that configured on the authenticator. The passwords configured for the authenticator and peer must be the same. |
Configuring CHAP authentication when no authenticator name is configured
To configure the authenticator:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the authenticator to authenticate the peer by using CHAP. | ppp authentication-mode chap [ [ call-in ] domain { isp-name \| default enable isp-name } ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the peer must be the same as that configured on the peer. The passwords configured for the authenticator and peer must be the same. |
To configure the peer:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure a username for the CHAP peer. | ppp chap user username | The default setting is null. The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator. |
4. Set the CHAP authentication password. | ppp chap password { cipher \| simple } string | The default setting is null. The password you set on the peer must be the same as the password you set for the peer on the authenticator. For security purposes, the password, whether specified in plaintext or ciphertext form, is stored in encrypted form. |
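Why the username and password matching rules in the two CHAP procedures above matter, as an added example (a simplified model, not device or vendor code). It uses the RFC 1994 CHAP value MD5(Identifier || secret || Challenge); the class names, the fixed identifier and the sample names `usera`, `userb` and password `hello` are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_value(ident, secret, challenge):
    """RFC 1994 CHAP value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Authenticator:
    def __init__(self, users, name=""):
        self.users = users   # peer username -> password (local or remote AAA)
        self.name = name     # "ppp chap user"; empty when not configured

    def challenge(self):
        self.ident, self.value = 1, os.urandom(16)  # fixed id keeps the model short
        return self.ident, self.value, self.name

    def verify(self, peer_name, response):
        secret = self.users.get(peer_name)
        if secret is None:
            return False     # peer username unknown to the authenticator
        expected = chap_value(self.ident, secret, self.value)
        return hmac.compare_digest(expected, response)

class Peer:
    def __init__(self, name, users=None, chap_password=None):
        self.name = name                    # "ppp chap user" on the peer
        self.users = users or {}            # authenticator username -> password
        self.chap_password = chap_password  # "ppp chap password"

    def respond(self, ident, value, auth_name):
        # Authenticator name present: look the password up under that name.
        # No authenticator name: use the interface CHAP password instead.
        secret = self.users.get(auth_name) if auth_name else self.chap_password
        if secret is None:
            return self.name, None
        return self.name, chap_value(ident, secret, value)

def chap_login(auth, peer):
    """Run one challenge/response round; True when authentication succeeds."""
    name, response = peer.respond(*auth.challenge())
    return response is not None and auth.verify(name, response)

if __name__ == "__main__":
    # Constructed sample: authenticator "usera", peer "userb", password "hello".
    named = Authenticator({"userb": "hello"}, name="usera")
    print(chap_login(named, Peer("userb", users={"usera": "hello"})))
    print(chap_login(Authenticator({"userb": "hello"}), Peer("userb", chap_password="hello")))
```

The password itself never crosses the link; only the hash of the identifier, password and challenge does, which is why both ends must hold the same password under the matching username.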
Configuring MS-CHAP or MS-CHAP-V2 authentication
When you configure MS-CHAP or MS-CHAP-V2 authentication, follow these guidelines:
The device can only act as an authenticator for MS-CHAP or MS-CHAP-V2 authentication.
L2TP supports only MS-CHAP authentication.
MS-CHAP-V2 authentication supports password change only when using RADIUS.
As a best practice, do not set the authentication method for PPP users to none when MS-CHAP-V2 authentication is used.
To configure MS-CHAP or MS-CHAP-V2 authentication when the authenticator name is configured:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2. | ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain { isp-name \| default enable isp-name } ] | By default, PPP authentication is disabled. |
4. Configure a username for the MS-CHAP or MS-CHAP-V2 authenticator. | ppp chap user username | The username for the authenticator must be the same on the local and peer devices. |
5. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer. |
To configure MS-CHAP or MS-CHAP-V2 authentication when no authenticator name is configured:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2. | ppp authentication-mode { ms-chap \| ms-chap-v2 } [ [ call-in ] domain { isp-name \| default enable isp-name } ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer. |