Configuring PPP authentication
You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the supplicant in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the supplicant carries a recommended authentication mode, the authenticator directly uses the authentication mode if it finds the mode configured.
Configuring PAP authentication
Configuring the authenticator
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the local device to authenticate the supplicant by using PAP. | ppp authentication-mode pap [ [ call-in ] domain isp-name ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password configured for the supplicant must be the same as those configured on the supplicant. |
Configuring the supplicant
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the PAP username and password sent from the local device to the authenticator when the local device is authenticated by the authenticator by using PAP. | ppp pap local-user username password { cipher | simple } password | By default, when being authenticated by the authenticator by using PAP, the local device sends null username and password to the authenticator. |
Configuring CHAP authentication
According to whether the authenticator is configured with a username or not, the configuration of CHAP authentication includes the following two types:
Configuring CHAP authentication when the authenticator name is configured
To configure the authenticator:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the local device to authenticate the supplicant by using CHAP. | ppp authentication-mode chap [ [ call-in ] domain isp-name ] | By default, PPP authentication is disabled. |
4. Assign a username to the CHAP authenticator. | ppp chap user username | The username you assign to the authenticator must be the same as the local username you assign to the authenticator on the supplicant. |
5. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the supplicant must be the same as that configured on the supplicant. The passwords configured for the authenticator and supplicant must be the same. |
To configure the supplicant:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Assign a username to the CHAP supplicant. | ppp chap user username | The username you assign to the supplicant here must be the same as the local username you assign to the supplicant on the authenticator. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the supplicant must be the same as that configured on the supplicant. The passwords configured for the authenticator and supplicant must be the same. |
Configuring CHAP authentication when no authenticator name is configured
To configure the authenticator:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the local device to authenticate the supplicant by using CHAP. | ppp authentication-mode chap [ [ call-in ] domain isp-name ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username configured for the supplicant must be the same as that configured on the supplicant. The passwords configured for the authenticator and supplicant must be the same. |
To configure the supplicant:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Assign a username to the CHAP supplicant. | ppp chap user username | The username you assign to the supplicant must be the same as the local username you assign to the supplicant on the authenticator. |
4. Set the CHAP authentication password. | ppp chap password { cipher | simple } password | The password you set for the supplicant must be the same as the password you set for the supplicant on the authenticator. |
Configuring MS-CHAP or MS-CHAP-V2 authentication
When you configure MS-CHAP or MS-CHAP-V2 authentication, follow these guidelines:
In MS-CHAP or MS-CHAP-V2 authentication, an HPE device can only be an authenticator
L2TP supports the MS-CHAP authentication but does not support the MS-CHAP-V2 authentication.
MS-CHAP-V2 authentication supports password changing only when using RADIUS.
Depending on whether the authenticator is configured with a username, the configuration of MS-CHAP or MS-CHAP-V2 authentication includes the following two types:
Configuring MS-CHAP or MS-CHAP-V2 authentication when the authenticator name is configured
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the local router to authenticate the supplicant by using MS-CHAP or MS-CHAP-V2. | ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain isp-name ] | By default, PPP authentication is not performed. |
4. Assign a username to the MS-CHAP or MS-CHAP-V2 authenticator. | ppp chap user username | The username you assign to the authenticator here must be the same as the local username you assign to the authenticator on the supplicant. |
5. Configure local or remote AAA authentication. | For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password configured for the supplicant must be the same as those configured on the supplicant. |
Configuring MS-CHAP or MS-CHAP-V2 authentication when no authenticator name is configured
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the local device to authenticate the supplicant by using MS-CHAP or MS-CHAP-V2. | ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain isp-name ] | By default, PPP authentication is disabled. |
4. Configure local or remote AAA authentication. | For local AAA, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Security Configuration Guide. | The username and password configured for the supplicant must be the same as those configured on the supplicant. |