Cabletron Systems CSX1000 User Manual
Page 148

USER’S GUIDE
148 CyberSWITCH
Note:
If a system is brought on line with a device that has a required Calling Line Id that is a 
duplicate of another device’s Calling Line Id, and no other type of authentication is used, 
a warning message is logged at initialization. Every attempt to connect the device 
thereafter will result in an error message being logged and the call being rejected.
PAP P
ASSWORD
S
ECURITY
PAP Security provides a method for the Device to identify itself to the system using a 2-way 
handshake. If PAP Password Security is enabled, and a PAP Password has been configured for the 
Device, the following holds true:
•
After the initial connection is made, the Device Name and Password are repeatedly sent by the 
remote device to the system. The system will look up the received Device Name in the Device 
List.
•
If the Device Name is not found, the call is disconnected.
•
If the Device Name is found the system will validate the password.
•
If the password does not match, the call will be disconnected.
•
If PAP Password Security is enabled, and a PAP Password has not been configured for the De-
vice, Password validation is not performed.
CHAP C
HALLENGE
S
ECURITY
An authentication phase between the remote device and the system begins with sending a CHAP 
challenge request to the remote device. The CHAP request contains a string of bytes known as the 
challenge value, which is changed on each challenge. Using the hash algorithm associated with 
CHAP, the remote device transforms the challenge value plus its secret into a response value. The 
remote device sends this output of the hash function, along with its symbolic name, to the system 
in a CHAP response.
Within the Device Table entry for each remote device which will be authenticated via CHAP, the 
system maintains the remote device’s secret. The name in the remote device’s CHAP response is 
used to locate the Device Table entry, and consequently the secret used by the remote device. Using 
the same hash function, the system computes the expected response value for the challenge with 
that secret. If this matches the response value sent by the remote device, a successful authentication 
has occurred. The system can optionally be configured to repeat the CHAP challenge process 
periodically throughout the life of the connection. An invalid response to a CHAP challenge at any 
time is deemed a security violation, which causes a switched link to be released.
PAP
Authentication
CHAP
Authentication
Bridge MAC
Address
Authentication
Calling Line Id
Authentication
Yes
No
No
Optional
Duplicates allowed for
these Devices.
No
Yes
No
Optional
Duplicates allowed for
these Devices.
No
No
Yes
Optional
Duplicates allowed for
these Devices.
No
No
No
Required
Duplicates not allowed.
