This section is used to set Compression, Link Quality, LCP and Authentication parameters.
configure PPP WAN slot:port
WAN slot:port | Ports are numbered starting with 0, so for a module with one port, the port is 0.
After entering the configure command for the section, enter one or more of the following keywords.
The Compression Control Protocol (CCP) is used to negotiate the method for compressing data before it is passed across a PPP link. Sequenced Predictor is proprietary to Cisco Systems devices. It requires a Cisco Systems device at the remote end.
Compress = {SeqPred | Stac | Off} |
To monitor the quality of a WAN link, echo packets are sent out at a specified interval and the responses are counted. The link will be dropped if the number of missed packets out of the total number of echo packets exceeds the specified parameters. The link can then be re-established with a (hopefully) better quality line. Echo packets will not affect the inactivity timer of a dialup connection.
EchoPackets = {On | Off} | The EchoPackets keyword sets the device to perform link quality testing for the current interface. When EchoPackets is On, echo packets will be regularly sent and the line quality will be monitored. |
EchoInterval = Number | The EchoInterval keyword sets the time, in seconds, between echo packets. EchoInterval also sets the amount of time in which an echo response must be received in order not to be counted as missed. The value must be in the range of 1 to 255 seconds. |
EchoDrop = Number | The EchoDrop keyword sets the number of echo reply packets that must be missed out of the last EchoThreshold echo packets sent for the link to be dropped. The value must be in the range of 1 to 32. |
EchoThreshold = Number | The EchoThreshold keyword defines the sample size of echo reply packets that the device examines for missed packets. The value must be in the range of 2 to 32. |
The Link Control Protocol (LCP) parameters are used to determine the options to be negotiated by PPP LCP. The default settings will work with the vast majority of PPP implementations.
ACCM = {On | Off} | The ACCM keyword is used to configure the Asynchronous Character Control Map (ACCM). Communications devices on WAN links sometimes (but not normally) use ASCII characters in the range 0x0-0x1F hex as control characters. Without an ACCM mechanism, data in the range 0x0-0x1F could be erroneously interpreted as control characters. If devices on the WAN link are known to use control characters, the bit corresponding to each used control character should be set in ACCMVal. ACCM is only used for asynchronous links. |
ACCMVal = Number | The ACCMVal keyword specifies a 32-bit hexadecimal number containing bits set for the ACCM corresponding to the control characters used. The least significant bit of the ACCM mask corresponds to ASCII character NULL (0). |
AddrCompress = {On | Off} | The AddrCompress keyword enables the compression of the 2-byte address and control field of the PPP packet header. |
ProtoCompress = {On | Off} | The ProtoCompress keyword enables the compression of the upper byte of the protocol field of the PPP packet header. |
Magic = {On | Off} | The Magic keyword causes PPP to detect a loopback connection by checking a magic value in the PPP header. |
The following keywords are used to configure the type of authentication to be used during the establishment of a PPP connection. CHAP (Challenge-Handshake Authentication Protocol) and PAP (Password Authentication Protocol) are supported.
Both CHAP and PAP require the exchange of packets between the PPP peers. A device can request authentication and/or respond to authentication requests. If both CHAP and PAP are configured as "request," the LCP negotiation will attempt to negotiate CHAP first. If CHAP is not accepted, the negotiation will then attempt PAP. If the device requests authentication and the remote peer doesn't accept, the LCP negotiation phase will not complete and the link will not come up. Devices that request PAP or CHAP must have an authentication database entry (see the Auth section) or RADIUS authentication enabled (see the Radius section) for the remote peer.
PAP uses a 2-way handshake for authentication. For example, assume Router1 requests PAP and Router2 will respond to PAP. After PPP LCP negotiation, Router2 will send an authentication request to Router1 containing its PAPName and PAPPassword (see below). Router1 uses either its internal database or RADIUS to validate the request and returns an authentication "success" or "failure" packet. The link will be dropped if the validation fails.
CHAP uses a 3-way handshake for authentication. A shared secret combined with the message-digest hash algorithm (MD5) is used for message passing. For example, assume Router1 requests CHAP and Router2 will respond to CHAP. After PPP LCP negotiation, Router1 will send a challenge containing a random number to Router2. Router2 feeds the random number and the shared secret to MD5 and sends the MD5 output, along with Router2's CHAPName, to Router1 as its response. When Router1 receives a response, the response is validated by first checking for Router2's CHAPName in the authentication database. If the name is found, the validation is done by checking the MD5 output from Router2. If it's not found, and RADIUS is enabled, the RADIUS server is used to validate the response. If the validation is good, Router1 sends a "success" packet to Router2. Otherwise, a "failure" packet is returned, and the link is dropped. Router1 will use the same method to re-authenticate Router2 every minute for as long as the link is up. These packets do not affect the inactivity timeout of an on-demand (dialup) link.
Whereas PAP sends both the name and password across the link, CHAP only sends the name and an encrypted response. Because the secret is never passed across the link, CHAP is considered a more secure method of authentication than PAP.
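The three-way CHAP exchange described above, as an added example (not Cisco's code). It follows RFC 1994, where the MD5 input is the packet Identifier, the shared secret and the challenge; the dictionary "packets", `AUTH_DB` and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-shared-secret"   # constructed sample value
AUTH_DB = {"Router2": SECRET}           # Router1's database: CHAPName -> secret

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def make_challenge(identifier: int) -> dict:
    """Step 1 (Router1 -> Router2): a fresh random challenge."""
    return {"id": identifier, "challenge": os.urandom(16)}

def respond(challenge_pkt: dict, name: str, secret: bytes) -> dict:
    """Step 2 (Router2 -> Router1): CHAPName plus the MD5 output."""
    value = chap_response(challenge_pkt["id"], secret, challenge_pkt["challenge"])
    return {"id": challenge_pkt["id"], "name": name, "value": value}

def validate(challenge_pkt: dict, response_pkt: dict) -> str:
    """Step 3 (Router1 -> Router2): look up the name, recompute, compare."""
    secret = AUTH_DB.get(response_pkt["name"])
    if secret is None or response_pkt["id"] != challenge_pkt["id"]:
        return "failure"
    expected = chap_response(challenge_pkt["id"], secret, challenge_pkt["challenge"])
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(expected, response_pkt["value"])
    return "success" if ok else "failure"

def demo() -> dict:
    c1 = make_challenge(1)
    r1 = respond(c1, "Router2", SECRET)
    c2 = make_challenge(2)  # re-authentication issues a new challenge
    return {
        "good": validate(c1, r1),
        "wrong_secret": validate(c1, respond(c1, "Router2", b"guess")),
        "unknown_name": validate(c1, respond(c1, "Router9", SECRET)),
        # An old response replayed against the new challenge must fail.
        "replayed": validate(c2, {**r1, "id": 2}),
        # Only the name and the 16-byte digest cross the link.
        "secret_on_wire": SECRET in r1["value"] + r1["name"].encode(),
    }

if __name__ == "__main__":
    print(demo())
```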
CHAPRequest = {On | Off} | The CHAPRequest keyword sets the device to request CHAP authentication from the remote peer. If CHAPRequest is On, the CHAPName for this device must be configured. In addition, there must be an entry in the internal authentication database for the remote peer, or RADIUS authentication must be configured. |
CHAPRespond = {On | Off} | The CHAPRespond keyword sets the device to accept CHAP authentication requests from the remote peer. If CHAPRespond is On, the CHAPName and CHAPSecret for this device must be configured, and the remote peer must have an entry for this device in its internal authentication database, or RADIUS authentication must be configured. |
CHAPName = String | The CHAPName keyword is used to identify the requesting or responding device. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required secret. |
CHAPSecret = String | The CHAPSecret keyword is used by CHAP for creating the encrypted authentication response. It is only required for devices which need to respond to CHAP challenges. The challenging peer must have an authentication database entry or RADIUS entry with the responding device's CHAPName and this secret value. It can be up to 255 characters long. |
PAPRequest = {On | Off} | The PAPRequest keyword is used to request PAP authentication from the remote peer. The requesting device must be configured with an entry in its internal authentication database for the remote peer, or it must be configured to use RADIUS authentication. |
PAPRespond = {On | Off} | The PAPRespond keyword sets the device to accept PAP authentication requests from the remote peer. The name and password expected by the remote peer must be specified. |
PAPName = String | The PAPName keyword is used to identify the sender of PAP authentication packets. It can be up to 255 characters long. The remote peer typically uses this name to search a database of authentication entries to determine the required password. |
PAPPassword = String | The PAPPassword keyword is used by PAP in conjunction with the name to uniquely identify the remote peer. The value may be up to 255 characters long. |
[ PPP WAN 0:0 ]
Compress = Off
CHAPRequest = TRUE
CHAPName = "This is my name."
AddrCompress = OFF
EchoDrop = 8
EchoThreshold = 32
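A pre-deployment check of a PPP WAN section against the ranges and dependencies stated in the keyword descriptions above, as an added example (not a Cisco tool). It assumes one keyword per line and treats `On` and `TRUE` alike; `SAMPLE` is a constructed section with deliberate mistakes.

```python
import re

RANGES = {"EchoInterval": (1, 255), "EchoDrop": (1, 32), "EchoThreshold": (2, 32)}
STRINGS = ("CHAPName", "CHAPSecret", "PAPName", "PAPPassword")
REQUIRES = {"CHAPRequest": ["CHAPName"], "CHAPRespond": ["CHAPName", "CHAPSecret"],
            "PAPRespond": ["PAPName", "PAPPassword"]}  # dependencies from the page

# Constructed sample section, not a configuration from the page.
SAMPLE = """[ PPP WAN 0:0 ]
CHAPRequest = On
PAPRespond = On
PAPName = "branch-router"
EchoInterval = 300
EchoDrop = 8
EchoThreshold = 4
"""

def parse_section(text):
    """Collect 'Keyword = value' pairs; assumes one keyword per line."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def is_on(cfg, key):
    # Assumption: On and TRUE are equivalent and case-insensitive.
    return cfg.get(key, "").lower() in ("on", "true")

def audit(cfg):
    findings = []
    nums = {k: int(v) for k, v in cfg.items() if k in RANGES and v.isdigit()}
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= nums.get(key, -1) <= hi:
            findings.append(f"{key} must be in the range {lo} to {hi}")
    for key in STRINGS:
        if len(cfg.get(key, "")) > 255:
            findings.append(f"{key} is longer than 255 characters")
    for switch, needed in REQUIRES.items():
        for key in needed:
            if is_on(cfg, switch) and not cfg.get(key):
                findings.append(f"{switch} is On but {key} is not configured")
    if is_on(cfg, "PAPRespond"):
        findings.append("PAPRespond sends PAPName and PAPPassword across the link")
    # Inference: misses are counted within the last EchoThreshold packets only.
    if nums.get("EchoDrop", 0) > nums.get("EchoThreshold", 32):
        findings.append("EchoDrop exceeds EchoThreshold; the drop condition cannot be met")
    return findings
```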
| Command | Description |
|---|---|
| configure Radius | Configures the concentrator for communication with a RADIUS server for user authentication |
| edit config Auth | Defines the PPP remote authentication database |
Posted: Wed Sep 27 10:47:11 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.