
PPP Commands

This chapter describes the commands to configure Point-to-Point Protocol (PPP) parameters, such as call negotiation and authentication.

You can use Point-to-Point Protocol (PPP) with Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) for security and authentication. CHAP and PAP, used with PPP encapsulation (the only encapsulation method used by the Cisco 700 series router), allow routers to authenticate incoming calls. The set ppp authentication command is used to choose the type of authentication, CHAP, PAP or none.

CHAP Authentication

With CHAP, a remote device attempting to connect to the router is requested, or challenged, to respond to the router authentication request. This works both ways. When another device attempts to call the Cisco 700 series router, CHAP information is verified. When the Cisco 700 series router calls another device and is challenged, CHAP information is sent to the challenger.

When a router receives the challenge response, it verifies the response by looking up the user name of the remote device in the list of profiles and verifying the passwords or secrets, which must be identical on the remote device and the local router. In the Cisco IOS-700 software, CHAP passwords are referred to as secrets because they are encrypted when they are stored; passwords are stored in plain text.

In the following example, router 2503 is allowed to call the local router using the password cisco7:

Host> cd 2503
Host:2503> set ppp authentication CHAP
Host:2503> set ppp secret cisco7
Host:2503> set ppp clientname 2503

PAP Authentication

Like CHAP, PAP is an authentication protocol used with PPP. However, PAP is less secure. CHAP passes an encrypted version of the password on the physical link, but PAP passes the password and username in clear text.

The username allows a router to verify a username in a profile before the device can call in to the router. In the following example, username 2503 is allowed to call in to the router if it uses the password cisco7:

Host> cd 2503
Host:2503> set ppp authentication PAP
Host:2503> set remote access
Host:2503> set ppp password
Enter new Password: cisco7
Re-Type new Password: cisco7
Enter User Name: 2503

set ppp address negotiation local

To force the dynamically negotiated IP address to be assigned to the user-defined profile, use the set ppp address negotiation local command.

SEt PPp Address NEgotiation LOcal ON | OFf
Syntax Description

ON

Enable address negotiation.

OFf

Disable address negotiation.

Default

Off

Command Mode

System or profile mode

Usage Guidelines

The set ppp address negotiation local on command forces the IP address used for PPP Internet Protocol Control Protocol (IPCP) negotiation to be assigned to the Standard profile or a user-defined profile instead of the Internal profile.

By default, the router first attempts to assign the IPCP negotiated address to the Internal profile. If the Internal profile already has an IP address, the router places the address in a user-defined profile.

It is recommended that this feature be on when the network access server assigns the IP address; specifically, it should be enabled when the LAN profile or the Internal profile is already set up for IP routing.

Example

The following example uses the IP address configured for a user-defined profile named ISP for PPP negotiation. The router first requests that the IP address configured in the ISP profile be assigned to the router. The address in the access server response is assigned to the ISP profile, not the permanent Internal profile.

765>cd ISP
765:ISP>set ppp address negotiation local on

When a call is made and IP address negotiation has occurred, the ISP assigns an IP address to the router. To verify the IP address, you can use the show ip config all command.

Related Commands

set dhcp server
set ip pat
set ip routing
show ip config
show negotiation

set ppp authentication

To set the PPP authentication for incoming and outgoing ISDN calls, use the set ppp authentication command.

SEt PPp AUthentication INcoming | OUtgoing [CHap] [PAp] [NOne]
Syntax Description

INcoming

Apply the authentication method to the incoming challenge.

OUtgoing

Send a PPP challenge.

CHap

Enable Challenge Handshake Authentication Protocol (CHAP). You must have a CHAP host password configured with the set ppp secret command and a user ID configured with the set system name command or the set ppp clientname command at the profile level.

PAp

Enable Password Authentication Protocol (PAP). You must have a PAP host password configured with the set ppp password command and a user ID configured with the set system name command in system mode or the set ppp clientname command in profile mode.

NOne

No authentication is performed.

Defaults

incoming chap pap
outgoing none

Command Mode

System or profile mode

Usage Guidelines

Authentication depends on the direction of the challenge (as opposed to the direction of the call). The router attempts to authenticate an incoming challenge when the incoming parameter is set for this command. The router sends a challenge when the outgoing parameter is set for this command.

You can specify one, two, or all of the authentication options. They are negotiated in the following order: CHAP, PAP, none. If the none keyword is not specified and authentication fails, the call is terminated.

This command does not affect how the router responds to remote authentication requests. The router always responds to PAP or CHAP authentication requests.

A client password must be configured with the set ppp password or set ppp secret command to make the authentication response succeed (unless a null password is used by the peer).

The authentication sequence is not required for leased-line connections. To set up a leased-line configuration, authentication should be disabled and a user-defined profile named leasedline (the name is not case sensitive) must be created or another user-defined profile must be renamed. If the leasedline profile is not present upon call connect, the router requires authentication to select the correct profile. If the call cannot be authenticated, the call is dropped.

Within the leasedline profile, verify that PPP authentication is set to none (the default) by using the show security command. The switch types that support this feature are PERM64 and PERM128.

The set ppp authentication incoming command works in system mode only. The set ppp authentication outgoing command works in system mode and profile mode. Whatever is set in system mode becomes the default setting for each profile. The outgoing authentication method applies to outgoing WAN calls, and provides users with the option of 2-way authentication. In other words, when acting as a remote router dialing into an access server, not only is the router authenticated by the access server, it can authenticate the access server using the set ppp authentication outgoing command.

Examples

The following example sets the router to use incoming PAP authentication:

Host> set ppp authentication incoming pap

The following example disables PPP authentication for outgoing calls:

Host:leasedline> set ppp authentication outgoing none

Related Commands

set ppp clientname
set ppp secret
set systemname

set ppp authentication accept

To specify a preferred authentication protocol, use the set ppp authentication accept command.

SEt PPp AUthentication ACcept [CHap | PAp] | [EIther]
Syntax Description

ACcept

The Cisco 700 series router is the device being authenticated.

CHap

CHAP is the preferred authentication protocol.

PAp

PAP is the preferred authentication protocol.

EIther

Either CHAP or PAP can be used for authentication.

Default

Accept either

Command Mode

System or profile mode

Usage Guidelines

Cisco access servers require a specific authentication protocol to communicate with each type of dial-in device. For example, analog modem dial-in devices are authenticated by using PAP, and ISDN routers are authenticated by using CHAP.

By default, the Cisco access server proposes PAP in its line-control protocol configuration request. The Cisco 700 series router rejects PAP and waits for the Cisco access server to propose CHAP. When CHAP is proposed, the router proceeds with the authentication phase.

Cisco 700 series router software Release 4.2(2) solves the problem of a PAP proposal rejection and includes the flexibility of a fall-back order. You can specify a preference for a particular protocol. However, if the access server requires a protocol other than the preferred protocol, the router accepts it.

This command cannot be used together with the set ppp chaprefuse command when its all parameter is set, because that parameter specifies that CHAP must be refused.

To set a preferred order of authentication for incoming calls, use the set ppp authentication accept command in system mode.

Examples

The following example accepts CHAP only:

Host> set ppp authentication accept chap

The following example accepts PAP only:

Host> set ppp authentication accept pap

The following example accepts either protocol, with a preference for CHAP:

Host> set ppp authentication accept chap either

The following example accepts either protocol, with a preference for PAP:

Host> set ppp authentication accept pap either

The following example accepts either protocol, with no preference:

Host> set ppp authentication accept either

Related Commands

set ppp authentication
show security

set ppp bacp

To enable Bandwidth Allocation Control Protocol (BACP), use the set ppp bacp command.

SEt PPp BAcp ON | OFf
Syntax Description

ON

Enable BACP negotiation.

OFf

Disable BACP negotiation.

Default

On

Command Mode

System or profile mode

Usage Guidelines

The set ppp bacp command defines a set of rules to control dynamic bandwidth allocation gracefully by managing the number of links in a multilink PPP bundle. Bandwidth Allocation Protocol (BAP) defines a set of request and response messages to manage the links. BACP consists of a network control program that negotiates once per multilink PPP bundle.

The router supports dynamic management of both B channels with the demand feature. The implementation of BACP and BAP allows the router to coordinate and negotiate the actual allocation and deallocation of the second channel.

Add a Link

After BACP has been negotiated, demand traffic triggers a BAP negotiation to bring up the second link of a bundle. Auto mode has to be enabled for the second link for the router to start BAP call or callback request negotiation; otherwise, it can only participate in BAP negotiation initiated by its peer.

The router endorses an incoming BAP call or callback request to add a link if the second B channel is available and the call for the second link is in the same direction as the call for the first link.

When requesting the addition of the second link, the router sends a BAP call or callback request to its peer, depending on the direction of the call for the first link.

For a callback request, the router also checks if the set ppp callback reply command is set to on.

Integration with the set auto Command

The set auto command on the second link turns demand dialing on, while the set ppp bacp command identifies if BACP/BAP is negotiated for a multilink PPP bundle.

The following are descriptions of the operation for the four combinations:

Drop a Link

A link drop is attempted locally when network traffic changes or a resource conflict (for example, call bumping) arises. This can be achieved with or without BAP negotiation. Timeout mode must be enabled for the second link for the router to start BAP link drop request negotiation.

You might want to release a B channel without excessive delay. The resource has to be freed to answer an incoming voice call. In this case, no BAP negotiation is done; PPP tries to tear down the link immediately.

If negotiation is selected and the peer does not respond to a BAP link-drop request before the response timer expires, BAP retries according to the PPP negotiations settings.

Integration with the set timeout Command

The set timeout command on the second link determines whether the BOD algorithm can tear down the second link based on traffic while the set ppp bacp command determines whether BACP/BAP is negotiated for a multilink PPP bundle.

The following are operation descriptions for the four combinations:

BACP is only implemented on BRI interfaces. Multilink PPP protocol has to be enabled for the BACP to be functional.

Related Commands

demand
set auto
set ppp callback
set ppp negotiation count
set ppp negotiation retry
set ringback
set timeout
show negotiation

set ppp callback

To set the callback mode for point-to-point encapsulation, use the set ppp callback command. This command ensures a level of callback security.

SEt PPP CAllback REquest | REply ON | OFf | ALways
Syntax Description

REquest

Request a callback when the router places a call.

REply

Agree to a callback when requested to do so by a remote router.

ON

Enable callback.

OFf

Disable callback.

ALways

Force callback at all times.

Default

Off (disabled)

Command Mode

Profile mode

Usage Guidelines

When the calling unit's request is set to on, the calling unit initiates a callback request. If the callback request is acknowledged by the called unit, the call stays connected until one of the following occurs:

Example

The following example sets the profile to reply always:

Host> set ppp callback reply always

Related Commands

set number
set ppp bacp
set ringback
set security
show security

set ppp chapallow multihost

To receive CHAP challenges from hosts with different host names, use the set ppp chapallow multihost command.

SEt PPp CHAPAllow MUltihost ON | Off
Syntax Description

ON

Receives CHAP challenges with different host names.

Off

Rejects CHAP challenges with different host names.

Default

Off

Command Mode

System mode

Usage Guidelines

This command should not be set to ON unless the CHAP challenges received by the router contain different host names and you do not consider this to be a security risk.

Example

The following command sets the router to accept and respond to CHAP challenges from multiple hosts:

Host> set ppp chapallow multihost on

Related Commands

show security
set ppp chaprefuse

set ppp chaprefuse

To set a CHAP filter to authenticate the remote device for CHAP security purposes, use the set ppp chaprefuse command.

SEt PPp CHaprefuse ALl | NOne | [INcall] [REsponsefirst] [SAmehost] [DIrectionwrong]
Syntax Description

ALl

Refuse to authenticate CHAP.

NOne

Clear the current filter.

INcall

Refuse to authenticate incoming CHAP challenges.

REsponsefirst

Ignore the challenge if the remote device has not sent a valid response to a previous challenge sent by the Cisco 700 series router.

SAmehost

Ignore the challenge if the hostname field matches the hostname field of the Cisco 700 series router.

DIrectionwrong

Ignore the challenge if the caller indicates that the call was originated by the Cisco 700 series router.

Default

None

Command Mode

System mode

Usage Guidelines

To avoid a race condition when using two Cisco 700 series routers to authenticate CHAP, set the responsefirst filter on only one router.

Example

The following example sets a filter for common security protection:

Host> set ppp chaprefuse responsefirst samehost directionwrong
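
The CHAP exchange described at the start of this chapter (a response derived from the shared secret, verified by looking the peer up in the profile list) and the chaprefuse filters in the example just shown, as an added Python model that is not Cisco IOS-700 code. The profile table, the local host name "Host", the challenge bytes, and the field names on the challenge and link-state objects are constructed assumptions; the response computation is CHAP with MD5 as specified in RFC 1994.

```python
"""Model of CHAP-MD5 response/verification and of the set ppp chaprefuse
filters.  Added example, not router code; all names and values constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed profile table standing in for the router's profile list: the
# remote name (set ppp clientname) mapped to the shared CHAP secret
# (set ppp secret), which must be identical on both ends of the link.
PROFILES = {"2503": b"cisco7"}
LOCAL_HOSTNAME = "Host"            # assumed value of set systemname


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 (RFC 1994): MD5(Identifier || secret || challenge value).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify_chap(profiles: dict, peer_name: str, ident: int,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side: select the profile by the peer's name and
    recompute the response from the locally stored secret."""
    secret = profiles.get(peer_name)
    if secret is None:
        return False                  # unknown peer: no profile to select
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


@dataclass
class IncomingChallenge:
    """What the router sees when a CHAP Challenge packet arrives (constructed)."""
    ident: int
    value: bytes
    peer_name: str                    # Name field of the Challenge packet
    peer_says_we_originated: bool     # caller's claim about who placed the call


@dataclass
class LinkState:
    """Local facts the chaprefuse filters are evaluated against (constructed)."""
    filters: frozenset                # e.g. {"responsefirst", "samehost", "directionwrong"}
    we_placed_call: bool
    peer_answered_our_challenge: bool = False


def refused_by(state: LinkState, ch: IncomingChallenge) -> Optional[str]:
    """Return the first chaprefuse filter that drops the challenge, else None.
    Each test mirrors the keyword description of set ppp chaprefuse."""
    f = state.filters
    if "all" in f:
        return "all"
    if "samehost" in f and ch.peer_name == LOCAL_HOSTNAME:
        return "samehost"             # challenger is using our own host name
    if "directionwrong" in f and ch.peer_says_we_originated and not state.we_placed_call:
        return "directionwrong"       # caller claims we placed a call we answered
    if "responsefirst" in f and not state.peer_answered_our_challenge:
        return "responsefirst"        # peer has not yet answered our challenge
    return None


def handle_challenge(state: LinkState, ch: IncomingChallenge,
                     client_name: str, client_secret: bytes):
    """Authenticatee side: apply the filters, then either answer with
    (client name, response) or report which filter dropped the challenge."""
    why = refused_by(state, ch)
    if why is not None:
        return ("refused", why)
    return ("response", client_name, chap_response(ch.ident, client_secret, ch.value))


if __name__ == "__main__":
    chal = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    # We challenge peer 2503 and verify its answer against the 2503 profile.
    good = chap_response(7, b"cisco7", chal)
    print("2503 with right secret:", verify_chap(PROFILES, "2503", 7, chal, good))
    print("2503 with wrong secret:",
          verify_chap(PROFILES, "2503", 7, chal, chap_response(7, b"wrong", chal)))
    # A challenge arriving before the peer has answered ours is dropped by
    # responsefirst, the first of the three filters in the example above.
    st = LinkState(frozenset({"responsefirst", "samehost", "directionwrong"}),
                   we_placed_call=False)
    print(handle_challenge(st, IncomingChallenge(3, chal, "2503", False),
                           "Host", b"cisco7"))
```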

Related Commands

set password
set ppp authentication
set ppp authentication accept
show security

set ppp clientname

To set different usernames and passwords within the profiles, use the set ppp clientname command.

SEt PPp CLientname clientname
Syntax Description

clientname

Identification for the profile.

Default

No PPP client name

Command Mode

System or profile mode

Usage Guidelines

Remote users might have multiple service providers. The set ppp clientname command allows profiles to have different usernames. If the client name is not set in profile mode or system mode, a profile uses the system name configured with the set systemname command when dialing out. Each profile can also have its own password or secret set by using the set ppp password or the set ppp secret command.

Setting the PPP client name, PAP password, and CHAP secret in system mode establishes the default values for the profile mode. These values are used if no other values are specified at the profile level.

Related Commands

set password
set ppp authentication
set ppp authentication accept
show security
show users

set ppp magicnumbercheck

To enable and disable the checking of the magic numbers received in the link control protocol echo request and echo reply packets against the magic number negotiated with the peer router, use the set ppp magicnumbercheck command.

SEt PPp MAgicnumbercheck ON | OFf
Syntax Description

ON

Checks the magic numbers.

OFf

Does not check the magic numbers.

Default

On

Command Mode

System mode

Usage Guidelines

The show security command reflects the status of the magic number. For example, when enabled, the show security command displays the following:

scr6> sh sec
System Parameters
  Security
    Access Status             ON
    System Password           NONE
    Remote Configuration      PROTECTED
    Local Configuration       ON
    Logout Timeout            5
    Caller ID Security        OFF
    Caller Id Numbers

  PPP Security
    PPP Authentication        IN      CHAP PAP
    CHAP REFUSE               NONE
    CHAP ALLOW MULTIHOST      OFF
    MAGIC NUMBER CHECK        ON

Profile Parameters
  PPP Security
    PPP Authentication        OUT     NONE
    PPP Authentication        ACCEPT  EITHER
  Token Authentication Support
    TAS Client                0.0.0.0
    Use Local CHAP Secret     ON
  Client
    User Name                 loc1
    PAP Password              NONE
    CHAP Secret               NONE
  Host
    PAP Password              NONE
    CHAP Secret               NONE
  Callback
    Request                   OFF
    Reply                     OFF

Related Command

show security

set ppp multilink

To configure the way that PPP links are aggregated, use the set ppp multilink command.

SEt PPP MUltilink ON | OFf [PPPHeader ON | OFf]
Syntax Description

ON

Enable the router to negotiate the multilink PPP protocol. (This protocol allows data to be sent over multiple channels.)

OFf

Disable the router from requesting multilink PPP negotiation. If the remote router requests multilink PPP, the router accepts it, regardless of this setting.

PPPHeader

When set to on, the router sends data with a plain PPP header while only one link of the bundle is up. When set to off (the default), the router always uses the multilink header.

Default

Multilink On (enabled)
PPPHeader Off (disabled)

Command Mode

System mode

Usage Guidelines

A PPP (Point-to-Point Protocol) header option has been added to software Release 4.2(3.5). In previous software versions, when multilink is enabled and only one link is available, all data packets are sent with multilink headers. This unnecessarily increases network overhead when a PPP header would be acceptable. The PPPHeader option of the set ppp multilink command specifies that when only one link is up, the data packets can be sent with a PPP header.

Example

The following example configures the router so it does not initiate negotiation of multilink PPP:

Host> set ppp multilink off

set ppp negotiation count

To configure the number of times the router attempts to get a successful negotiation, use the set ppp negotiation count command.

SEt PPp NEgotiation COunt attempts
Syntax Description

attempts

Number of times the router attempts to get a successful negotiation. Must be a number between 1 and 100.

Default

10 attempts for PPP

Command Mode

System mode

Example

The following example configures the router to attempt negotiation 20 times:

Host> set ppp negotiation count 20

Related Commands

demand
set auto
set ppp bacp
set ppp callback
set ppp negotiation retry
set ringback
set timeout
show negotiation

set ppp negotiation integrity

To configure time in seconds between line-integrity packets, use the set ppp negotiation integrity command.

SEt PPP NEgotiation INtegrity seconds | OFf
Syntax Description

seconds

Time in seconds between line-integrity packets. Must be a number between 1 and 60.

OFf

Disable line-integrity packets.

Default

10 seconds

Command Mode

System mode

Usage Guidelines

If the router does not receive a line-integrity packet for three consecutive periods, the ISDN line disconnects.

Example

The following example sets the interval between line-integrity packets to 5 seconds.

Host> set ppp negotiation integrity 5

Related Commands

demand
set auto
set ppp bacp
set ppp callback
set ppp negotiation count
set ppp negotiation retry
set ringback
set timeout
show negotiation

set ppp negotiation retry

To configure the amount of time (retry interval) between negotiation attempts, use the set ppp negotiation retry command.

SEt PPp NEgotiation REtry milliseconds
Syntax Description

milliseconds

Amount of time (in milliseconds) between negotiation attempts. Must be a number between 200 and 6000.

Default

3000 milliseconds for PPP

Command Mode

System mode

Example

The following example configures the router to attempt negotiation every 5 seconds:

Host> set ppp negotiation retry 5000

Related Commands

demand
set auto
set ppp bacp
set ppp callback
set ppp negotiation count
set ppp negotiation integrity
set ringback
set timeout
show negotiation

set ppp ip netmask local

To configure the netmask in a profile as the netmask for the WAN connection, use the set ppp ip netmask local command.

SEt PPP IP NEtmask LOcal ON | OFf
Syntax Description

ON

Uses the netmask configured in profile mode for the WAN connection using that profile.

OFf

Uses the default netmask.

Default

None

Command Mode

Profile mode

Usage Guidelines

Before software Release 4.2(2), the router used the default netmask associated with the negotiated IP address. Although you could specify a netmask, it would be ignored, and the default netmask for the negotiated IP address would be used. With software Release 4.2(2) you can specify that the netmask configured in the user profile should be used instead of the default netmask for the negotiated IP address.

Example

The following example sets the netmask to the negotiated value:

Host> set ppp ip netmask local off

Related Commands

set ip address
set ip netmask

set ppp password

To configure the passwords used during PAP and CHAP PPP authentication, use the set ppp password command.

SEt PPP PAssword | SEcret HOst | CLient [ENcrypted] [<password>]
Syntax Description

PAssword

Use the password for PAP authentication.

SEcret

Use the password for CHAP authentication.

HOst

Use profile configurations to authenticate a remote router. The remote device client password must match the Cisco 700 series router host password.

CLient

Use local configurations to authenticate the Cisco 700 series router. The router client password must match the remote device host password.

ENcrypted

Used by the computer when loading a saved configuration text file (UPL output) into the router.

password

The password used for authentication. If the password is absent from the command statement, you are prompted for the entry.

Default

No passwords

Command Mode

System or profile mode

Usage Guidelines

Profiles that do not have passwords configured explicitly use the password configured in system mode.

The encrypted parameter is used by the computer when loading a saved configuration into the router.

When this command is loaded back into the original router (or another router), the router knows the password is already encrypted by examining the encrypted parameter.

Do not use the encrypted parameter when typing in the system password manually. If you do, the router will try to decrypt it, and you will not be able to log in to the router.

Examples

The following example configures the router with a PAP client password by prompting you for the password and verification of the password:

    Host> set ppp password client
    Enter new Password: <new password>
    Re-Type new Password: <new password>

The following example deletes the CHAP client password by leaving the password field and verification field blank:

    Host> set ppp secret client
    Enter new Password:
    Re-Type new Password:

Related Commands

set password
set ppp authentication
set ppp authentication accept
show security

set ppp tas

To change the user mode, use the set ppp tas command. (TAS is the acronym for Token Authentication Support.)

SEt PPP TAS CEntral | DIstributed | OFf
Syntax Description

CEntral

Turn on single-user mode and send a user-information request to the designated Token Authentication Client.

DIstributed

Turn on single-user mode, but send a user-information request to the source of the interesting packet if the interesting packet is an IP packet.

OFf

Turn off single-user mode.

Default

Off

Command Mode

Profile mode

Usage Guidelines

When the router sends a request to an Authentication Authority Account (AAA) client and receives a reply, it tries to make an ISDN connection. However, there is no guarantee that a B channel will be available for this connection. Other profiles or plain old telephone service (POTS) ports might occupy both B channels. If a B channel is not available, the router sends a failure message back to the AAA client.

Example

The following example turns on single-user mode and sends a user-information request to the designated Token Authentication Client:

Host> set ppp tas central

Related Commands

set ppp tas
show security

set ppp tas chapsecret local

To control whether the CHAP secret used with the Token Authentication Client (the Cisco Secure Authentication Agent) is configured locally on the router, use the set ppp tas chapsecret local command.

SEt PPP TAS CHapsecret LOcal ON | OFf
Syntax Description

ON

Turn on the local configuration.

OFf

Turn off the local configuration.

Default

None

Command Mode

Profile mode

Usage Guidelines

When the router is authenticated with CHAP, this setting determines if Token Authentication Client can overwrite the chapsecret parameter by providing a CHAP secret in its reply to the router.

Example

The following example turns local Token Authentication Client CHAP secret on:

Host> set ppp tas chapsecret local on

Related Commands

set ppp tas
show security

set ppp tas client

To identify the Token Authorization Client (also known as Cisco Secure Authentication Agent client) to which the router sends the user information request, use the set ppp tas client command.

SEt PPP TAS CLient ipaddress
Syntax Description

ipaddress

TAS client IP address.

Default

None

Command Mode

System or profile mode

Usage Guidelines

In system mode, this command configures the default Token Authorization Client for every profile. In profile mode, it overwrites the system-level setting. Unless TAS is set to off, a profile is required to set the Token Authorization Client.

Example

The following example sets the TAS client to 10.10.10.3:

Host> set ppp tas client 10.10.10.3

Related Commands

set ppp tas
set ppp tas chapsecret
show security

set ppp termreq count

To configure the number of times the router sends a terminate request packet without receiving an answer or disconnecting the ISDN line, use the set ppp termreq count command.

SEt PPP TErmreq COunt attempt
Syntax Description

attempt

Number of times the router sends a terminate request packet without receiving an answer or disconnecting the ISDN line. Must be between 1 and 100.

Default

Two tries

Command Mode

System mode

Example

The following example sends terminate request packets five times before disconnecting the ISDN line:

Host> set ppp termreq count 5

show negotiation

To display all negotiation parameters, use the show negotiation command.

SHow NEgotiation [ALl]
Syntax Description

ALl

Display system and profile negotiation parameters.

Command Mode

System or profile mode

Usage Guidelines

In profile mode, this command displays only parameters that can be configured by the profile. Values redefined from the template value are indicated with an asterisk.

In system mode, this command displays all system parameters. This command displays both system and profile parameters when the all parameter is included in the statement.

Example

The following example shows output from the show negotiation command:

Host> show negotiation
System Parameters
  CPP Negotiation Parameters
    Integrity Interval          10
    Negotiation Abort           DISCONNECT
    Retry Count                 6
    Retry Interval              1000
    Terminate Count             2
    Multilink                   ON
Profile Parameters
    Compression                 STAC
    BACP                        ON
    Address Negotiation Local   OFF
  Negotiated Parameters
    Connection 1                Virtual
    Connection 2                Virtual
    Connection 3                Virtual
    Connection 4                Virtual

Related Commands
demand
set auto
set ppp bacp
set ppp callback
set ppp negotiation count
set ppp negotiation retry
set ringback
set timeout


Posted: Thu Jul 8 12:49:23 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.