PPP authentication, PPP for IPv4, IP address negotiation – H3C Technologies H3C SecPath F5020 User Manual
If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP
configuration options include IP addresses and DNS server IP addresses. After the IPCP
negotiation succeeds, the link can carry IP packets.
5. After the NCP negotiation is performed, the PPP link remains active until explicit LCP or NCP
frames close the link, or until some external events take place (for example, the intervention of a
user).
For more information about PPP, see RFC 1661.
PPP authentication
PPP supports the following authentication methods:
• PAP—PAP is a two-way handshake authentication protocol using the username and password.
  PAP sends username/password pairs in plain text over the network. If authentication packets are
  intercepted in transit, network security might be threatened. For this reason, it is suitable only for
  low-security environments.
• CHAP—CHAP is a three-way handshake authentication protocol.
  CHAP transmits usernames but not passwords over the network. It transmits the result calculated
  from the password and random packet ID by using the MD5 algorithm. Therefore, it is more secure
  than PAP. The authenticator may or may not be configured with a username. H3C recommends
  that you configure a username for the authenticator, which makes it easier for the peer to verify the
  identity of the authenticator.
• MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.
  MS-CHAP differs from CHAP as follows:
  ◦ MS-CHAP uses CHAP Algorithm 0x80.
  ◦ MS-CHAP provides authentication retry. If the peer fails authentication, it is allowed to
    retransmit authentication information to the authenticator for reauthentication. The authenticator
    allows a peer to retransmit three times at most.
• MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.
  MS-CHAP-V2 differs from CHAP as follows:
  ◦ MS-CHAP-V2 uses CHAP Algorithm 0x81.
  ◦ MS-CHAP-V2 provides two-way authentication by piggybacking a peer challenge on the
    Response packet and an authenticator response on the Acknowledge packet.
  ◦ MS-CHAP-V2 supports authentication retry. If the peer fails authentication, it is allowed to
    retransmit authentication information to the authenticator for reauthentication. The authenticator
    allows a peer to retransmit three times at most.
  ◦ MS-CHAP-V2 supports password change. If the peer fails authentication because of an expired
    password, it will send the new password entered by the user to the authenticator for
    reauthentication.
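The PAP and CHAP difference described above, as an added Python example that is not part of the H3C manual or device software. It builds a PAP Authenticate-Request (RFC 1334 layout) and a CHAP Response (RFC 1994 layout, where the MD5 input is the packet Identifier, the shared secret and the challenge value), then verifies the CHAP Response the way an authenticator would. The username, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

CHAP_RESPONSE = 2      # CHAP Response code (RFC 1994)
PAP_AUTH_REQUEST = 1   # PAP Authenticate-Request code (RFC 1334)

def pap_request(ident: int, username: bytes, password: bytes) -> bytes:
    """PAP: username and password are carried in the packet unmodified."""
    data = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data

def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP: Code, Identifier, Length, Value-Size, Value, Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse_chap(packet: bytes):
    """Return (code, ident, value, name); reject inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length > len(packet) or 5 + size > length:
        raise ValueError("bad Length or Value-Size field")
    return code, ident, packet[5:5 + size], packet[5 + size:length]

def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def authenticator_verify(response: bytes, sent_ident: int, challenge: bytes, secrets: dict) -> bool:
    """Look up the peer's secret by Name and compare digests in constant time."""
    code, ident, value, name = parse_chap(response)
    if code != CHAP_RESPONSE or ident != sent_ident or name not in secrets:
        return False
    return hmac.compare_digest(value, chap_digest(ident, secrets[name], challenge))

def demo() -> dict:
    # Constructed sample credentials, not taken from the manual.
    secrets = {b"userb": b"example-secret"}
    ident, challenge = 7, os.urandom(16)
    resp = chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secrets[b"userb"], challenge), b"userb")
    pap = pap_request(ident, b"userb", secrets[b"userb"])
    return {"pap_has_password": secrets[b"userb"] in pap,
            "chap_has_password": secrets[b"userb"] in resp,
            "accepted": authenticator_verify(resp, ident, challenge, secrets)}
```

Because the challenge is fresh for each authentication, a Response captured from one session fails verification against the next session's challenge.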
PPP for IPv4
On IPv4 networks, PPP negotiates the IP address and DNS server address during IPCP negotiation.
IP address negotiation
IP address negotiation enables one end to assign an IP address to the other.