Configuring PPP authentication

You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the peer in the sequence of configured authentication modes until the LCP negotiation succeeds. If the response packet from the peer carries a recommended authentication mode, the authenticator directly uses the authentication mode if it finds the mode configured.

Configuring PAP authentication

To configure the authenticator:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the authenticator to authenticate the peer by using PAP.

ppp authentication-mode pap [ [ call-in ] domain isp-name ]

By default, PPP authentication is disabled.

4. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username and password configured for the peer must be the same as those configured on the peer.

To configure the peer:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the PAP username and password sent from the peer to the authenticator when the peer is authenticated by the authenticator by using PAP.

ppp pap local-user username password { cipher | simple } string

By default, when being authenticated by the authenticator by using PAP, the peer sends null username and password to the authenticator.

For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring CHAP authentication

Depending on whether the authenticator is configured with a username, the configuration of CHAP authentication includes the following types:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the authenticator to authenticate the peer by using CHAP.

ppp authentication-mode chap [ [ call-in ] domain isp-name ]

By default, PPP authentication is disabled.

4. Configure a username for the CHAP authenticator.

ppp chap user username

The default setting is null.

The username you configure for the authenticator must be the same as the local username you configure for the authenticator on the peer.

5. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username configured for the peer must be the same as that configured on the peer.

The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure a username for the CHAP peer.

ppp chap user username

The default setting is null.

The username you configure for the peer here must be the same as the local username you configure for the peer on the authenticator.

4. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the authenticator must be configured on the peer.

For remote AAA authentication, the username and password of the authenticator must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username configured for the authenticator must be the same as that configured on the authenticator.

The passwords configured for the authenticator and peer must be the same.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the authenticator to authenticate the peer by using CHAP.

ppp authentication-mode chap [ [ call-in ] domain isp-name ]

By default, PPP authentication is disabled.

4. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username configured for the peer must be the same as that configured on the peer.

The passwords configured for the authenticator and peer must be the same.

To configure the peer:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure a username for the CHAP peer.

ppp chap user username

The default setting is null.

The username you configure on the peer must be the same as the local username you configure for the peer on the authenticator.

4. Set the CHAP authentication password.

ppp chap password { cipher | simple } string

The default setting is null.

The password you set on the peer must be the same as the password you set for the peer on the authenticator.

For security purposes, the password specified in plaintext form and ciphertext form will be stored in encrypted form.

Configuring MS-CHAP or MS-CHAP-V2 authentication

When you configure MS-CHAP or MS-CHAP-V2 authentication, follow these guidelines:

To configure MS-CHAP or MS-CHAP-V2 authentication when the authenticator name is configured:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.

ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain isp-name ]

By default, PPP authentication is disabled.

4. Configure a username for the MS-CHAP or MS-CHAP-V2 authenticator.

ppp chap user username

The username for the authenticator must be the same on the local and peer devices.

5. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.

To configure MS-CHAP or MS-CHAP-V2 authentication when no authenticator name is configured:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter interface view.

interface interface-type interface-number

N/A

3. Configure the authenticator to authenticate the peer by using MS-CHAP or MS-CHAP-V2.

ppp authentication-mode { ms-chap | ms-chap-v2 } [ [ call-in ] domain isp-name ]

By default, PPP authentication is disabled.

4. Configure local or remote AAA authentication.

For local AAA authentication, the username and password of the peer must be configured on the authenticator.

For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server.

For more information about AAA authentication, see Security Configuration Guide.

The username and password of the peer configured on the authenticator or remote AAA server must be the same as those configured on the peer.