Configuring the Point-to-Point Protocol (PPP)

Outgoing authentication options

The following options define how a bundle will use CHAP and PAP authentication on an outgoing connection.

NOTE: The authentication characteristics of incoming connections are set in the global bundle. The values in the global bundle are applied to all incoming connections because PPP must authenticate a caller before it can associate them with a bundle.

Authenticate remote using CHAP

Whether the local host authenticates the remote host using CHAP.

Authenticate remote using PAP

Whether the local host authenticates the remote host using PAP.

Override name for transmitted CHAP/PAP packets

Specify a name to be used instead of the local host name in outgoing CHAP or PAP packets.

It may be necessary to use this attribute in the following cases:

Case Description

Remote host uses CHAP to authenticate the local host. The specified name overrides the local host name in the outgoing response to a received challenge. This allows you to supply a name other than the local host name for the remote host to look up in its authentication database (unless it chooses to override it with a different name).
For example, a service provider may require that you specify your remote user name in CHAP response packets. In such a case, you should normally set the override name for both transmitted and received packets to be the same as your user name at the remote site.

Local host uses CHAP to authenticate the remote host. The specified name overrides the local host name in the outgoing challenge and in the outgoing acknowledgment of success or failure.
For example, this allows you to define a different name for the remote host to look up in their authentication database.

Remote host uses PAP to authenticate the local host. The specified name overrides the local host name in the outgoing authentication request. This allows you to supply a name other than the local host name which the remote host will use to look up a password in its authentication database (unless it chooses to override the supplied name with a different name).
For example, a service provider may require that you specify your remote user name in PAP request packets. In such a case, you should normally set the override name for the transmitted packet to be the same as the specified user name at the remote site.
The authentication database entry for the defined name must contain a PAP remote secret (password).

Override name for received CHAP/PAP packets

Case	Description
Remote host uses CHAP to authenticate the local host.	The specified name overrides the local host name in the outgoing response to a received challenge. This allows you to supply a name other than the local host name for the remote host to look up in its authentication database (unless it chooses to override it with a different name). For example, a service provider may require that you specify your remote user name in CHAP response packets. In such a case, you should normally set the override name for both transmitted and received packets to be the same as your user name at the remote site.
Local host uses CHAP to authenticate the remote host.	The specified name overrides the local host name in the outgoing challenge and in the outgoing acknowledgment of success or failure. For example, this allows you to define a different name for the remote host to look up in their authentication database.
Remote host uses PAP to authenticate the local host.	The specified name overrides the local host name in the outgoing authentication request. This allows you to supply a name other than the local host name which the remote host will use to look up a password in its authentication database (unless it chooses to override the supplied name with a different name). For example, a service provider may require that you specify your remote user name in PAP request packets. In such a case, you should normally set the override name for the transmitted packet to be the same as the specified user name at the remote site. The authentication database entry for the defined name must contain a PAP remote secret (password).

Specify a name that will be used to look up a CHAP secret or a PAP password in the authentication database. This can be used to override the name that the peer sent in an incoming CHAP or PAP packet. It can also be used to look up a PAP password to supply to a remote authenticator instead of looking up a password for the local host name (this is overridden by the name specified for transmitted packets in the bundle).

It may be necessary to use this attribute in the following cases:

Case Description

Remote host uses CHAP to authenticate the local host. PPP looks up a secret corresponding to the name so that it can calculate a response value and send it to the remote host. Normally, PPP would look for a secret corresponding to the name supplied by the remote host in the incoming challenge.
For example, a service provider may have several remote access servers which use different names to challenge your system. Overriding the name of the server allows you to use a single name-secret pair for outgoing connections to the remote site. In such a case, you should normally set the override name for both transmitted and received packets to be the same as your user name at the remote site.
The authentication database entry for the defined name must contain a CHAP remote secret. PPP uses the secret and the value that it received in the challenge packet to calculate the value in the response packet that it sends to the remote authenticator.

Local host uses CHAP to authenticate the remote host. PPP looks up a secret corresponding to the name so that it can check the validity of a response value that it has received. Normally, PPP would look for a secret corresponding to the name supplied by the remote host in the incoming response. For example, this allows you to configure a single name-secret pair for authenticating several remote systems or users.
The authentication database entry for the defined name must contain a CHAP local secret. PPP uses the secret and the value that it sent in its challenge to calculate a value that it can compare with the response value that it has received from the peer. If the calculated value and the response value are the same, the remote host is authentic.

Remote host uses PAP to authenticate the local host. PPP looks up a secret (password) corresponding to the specified name and sends this in an authentication request to the remote host. Normally, the name that is transmitted in the request (the local host name which may also be overridden) would be used to look up the secret.
The authentication database entry for the defined name must contain a PAP remote secret (password).

Local host uses PAP to authenticate the remote host. PPP uses the specified name to look up a password to check against the one it has received in an authentication request. Normally, PPP would look up a password for the name supplied by the remote host in the incoming authentication request. For example, this allows you to configure a single name-password pair for authenticating several remote systems or users.
The authentication database entry for the defined name must contain a PAP local secret (password).

Time allowed for authentication phase

Case	Description
Remote host uses CHAP to authenticate the local host.	PPP looks up a secret corresponding to the name so that it can calculate a response value and send it to the remote host. Normally, PPP would look for a secret corresponding to the name supplied by the remote host in the incoming challenge. For example, a service provider may have several remote access servers which use different names to challenge your system. Overriding the name of the server allows you to use a single name-secret pair for outgoing connections to the remote site. In such a case, you should normally set the override name for both transmitted and received packets to be the same as your user name at the remote site. The authentication database entry for the defined name must contain a CHAP remote secret. PPP uses the secret and the value that it received in the challenge packet to calculate the value in the response packet that it sends to the remote authenticator.
Local host uses CHAP to authenticate the remote host.	PPP looks up a secret corresponding to the name so that it can check the validity of a response value that it has received. Normally, PPP would look for a secret corresponding to the name supplied by the remote host in the incoming response. For example, this allows you to configure a single name-secret pair for authenticating several remote systems or users. The authentication database entry for the defined name must contain a CHAP local secret. PPP uses the secret and the value that it sent in its challenge to calculate a value that it can compare with the response value that it has received from the peer. If the calculated value and the response value are the same, the remote host is authentic.
Remote host uses PAP to authenticate the local host.	PPP looks up a secret (password) corresponding to the specified name and sends this in an authentication request to the remote host. Normally, the name that is transmitted in the request (the local host name which may also be overridden) would be used to look up the secret. The authentication database entry for the defined name must contain a PAP remote secret (password).
Local host uses PAP to authenticate the remote host.	PPP uses the specified name to look up a password to check against the one it has received in an authentication request. Normally, PPP would look up a password for the name supplied by the remote host in the incoming authentication request. For example, this allows you to configure a single name-password pair for authenticating several remote systems or users. The authentication database entry for the defined name must contain a PAP local secret (password).

The time in seconds allowed for authentication to be performed.