Sun Microsystems, Inc.

Where to Go From Here

Task | For Instructions
Configure PAP authentication credentials for trusted callers of the dial-in server | "Configuring PAP Authentication for Trusted Callers (Dial-out Machines)"

Configuring PAP Authentication for Trusted Callers (Dial-out Machines)

This section contains tasks for setting up PAP authentication on the dial-out machines of trusted callers. As system administrator, you can set up PAP authentication on the machines before distributing them to the prospective callers. Or, if the remote callers already have their machines, you can give them the tasks in this section.

Configuring PAP for trusted callers involves two tasks:

  • Configuring the callers' PAP security credentials

  • Configuring the callers' dial-out machines to support PAP authentication

How to Configure PAP Authentication Credentials for the Trusted Callers

This procedure shows how to set up PAP credentials for two trusted callers, one of which requires authentication credentials from remote peers. The steps in the procedure assume that you, the system administrator, are creating the PAP credentials on the trusted callers' dial-out machines.

  1. Become superuser on a dial-out machine.

    Using the sample PAP configuration that was introduced in Figure 30-3, assume that the dial-out machine belongs to user1.

  2. Modify the pap-secrets database for the caller.

    Solaris PPP 4.0 provides an /etc/ppp/pap-secrets file that contains helpful comments but no options. You can add the following options to this /etc/ppp/pap-secrets file.
    user1    myserver  pass1    *

    Note that user1's password pass1 is passed in readable ASCII form over the link. myserver is caller user1's name for the peer.

  3. Become superuser on another dial-out machine.

    Using the PAP authentication example, assume that this dial-out machine belongs to the caller user2.

  4. Modify the pap-secrets database for the caller.

    You can add the next options to the end of the existing /etc/ppp/pap-secrets file.
    user2     myserver   pass2       *
    myserver  user2      serverpass  *

    In this example, /etc/ppp/pap-secrets has two entries. The first entry contains the PAP security credentials that user2 passes to dial-in server myserver for authentication.

    user2 requires PAP credentials from the dial-in server as part of link negotiation. Therefore, the /etc/ppp/pap-secrets also contains PAP credentials that are expected from myserver on the second line.


    Note - Most ISPs do not supply authentication credentials, so the scenario just discussed is not realistic for them.


Where to Go From Here

Task | Instructions
Create PAP credentials for additional callers | "How to Create a PAP Credentials Database (Dial-in Server)"
Configure a dial-out machine to support PAP authentication | "How to Configure PAP Authentication Credentials for the Trusted Callers"

Modifying PPP Configuration Files for PAP (Dial-out Machine)

The tasks in this section explain how to update existing PPP configuration files to support PAP authentication on the dial-out machines of trusted callers.

The procedure uses the following parameters to configure PAP authentication on the dial-out machine that belongs to user2, who was introduced in Figure 30-3. user2 requires incoming callers to authenticate, including calls from dial-in server myserver.

How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

This procedure uses the PPP configuration files that were introduced in "How to Define Communications Over the Serial Line" as examples. The procedure configures the dial-out machine that belongs to user2, as shown in Figure 30-3.

  1. Log in to the dial-out machine as superuser.

  2. Modify the /etc/ppp/options file.

    The next /etc/ppp/options file contains options for PAP support: name user2, auth, and require-pap.

    # vi /etc/ppp/options
    lock
    nodefaultroute
    name user2
    auth
    require-pap

    name user2
        Sets user2 as the PAP name of the user on the local machine. If the login option is used, the PAP name must be the same as the user's UNIX user name in the password database.

    auth
        States that the dial-out machine must authenticate callers before establishing the link.

    require-pap
        Requires peers to provide PAP credentials when returning the call from the dial-out machine.

  3. Create an /etc/ppp/peers/peer-name file for the remote machine myserver.

    The next sample shows how to add PAP support to the existing /etc/ppp/peers/myserver file that was created in "How to Define the Connection With an Individual Peer".

    # cd /etc/ppp
    # mkdir peers
    # cd peers
    # vi myserver
    /dev/cua/a
    57600
    noipdefault
    defaultroute
    idle 120
    user user2
    remotename myserver
    connect "chat -U 'mypassword' -f /etc/ppp/mychat"

    The new options, user user2 and remotename myserver, add PAP requirements for peer myserver.

    user user2
        Defines user2 as the user name of the local machine.

    remotename myserver
        Defines myserver as a peer that requires authentication credentials from the local machine.
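The following added example (not part of the Sun documentation and not pppd's own code) models how the two entries in user2's /etc/ppp/pap-secrets from "How to Configure PAP Authentication Credentials for the Trusted Callers" are selected by the name, user, and remotename options set in this procedure. It assumes the usual pppd secrets layout (client, server, secret, addresses), that a line starting with # is a comment, and that myserver announces itself as myserver; the function names and the match scoring are hypothetical simplifications.

```python
# Added example: simplified model of pap-secrets entry selection.
# Assumptions: no quoted words, no @file secrets; scoring is illustrative.

# Constructed sample: user2's /etc/ppp/pap-secrets from the procedure above.
USER2_SECRETS = """\
user2     myserver   pass2       *
myserver  user2      serverpass  *
"""


def parse_secrets(text):
    """Return (client, server, secret, addresses) tuples, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#' disables the whole line
            continue
        words = line.split()
        if len(words) < 3:
            raise ValueError("incomplete entry: %r" % line)
        entries.append((words[0], words[1], words[2], words[3:]))
    return entries


def find_secret(entries, client, server):
    """Best match for client/server; exact names beat the '*' wildcard."""
    best, best_score = None, -1
    for c, s, secret, _addrs in entries:
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = (c == client) + (s == server)
        if score > best_score:
            best, best_score = secret, score
    return best


def pap_roles(text, local_name, user, remotename):
    """Secrets used in each direction for the given pppd options."""
    entries = parse_secrets(text)
    return {
        # Sent to the peer: client = `user`, server = `remotename`.
        "send": find_secret(entries, user, remotename),
        # Checked against the peer's credentials (require-pap):
        # client = name the peer announces, server = local `name`.
        "expect": find_secret(entries, remotename, local_name),
    }


if __name__ == "__main__":
    print(pap_roles(USER2_SECRETS, "user2", "user2", "myserver"))
```

A result of None for "send" means the dial-out machine has no credentials to offer myserver, which is what happens if the user2 line is left commented out.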

Where to Go From Here

Task | For Instructions
Test the PAP authentication setup by calling the dial-in server | Procedures for calling the dial-in server, "How to Call the Dial-in Server"
Learn more about PAP authentication | "Password Authentication Protocol (PAP)"

Configuring CHAP Authentication

The tasks in this section explain how to implement authentication on a PPP link by using the Challenge-Handshake Authentication Protocol (CHAP). The tasks use the example that is shown in Figure 30-4 to illustrate a working CHAP scenario for dialing up a private network. Use the instructions as the basis for implementing CHAP authentication at your site.

Before you perform the next procedures, you must have done the following:

  • Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers

  • Obtained superuser permission for the local machine, either dial-in server or dial-out machine

Setting Up CHAP Authentication (Task Maps)

Table 33-4 Task Map for CHAP Authentication (Dial-in Server)

Task | Description | For Instructions
1. Assign CHAP secrets to all trusted callers | Create (or have the callers create) their CHAP secrets | "How to Create a CHAP Credentials Database (Dial-in Server)"
2. Create the chap-secrets database | Add the security credentials for all trusted callers to the /etc/ppp/chap-secrets file | "How to Create a CHAP Credentials Database (Dial-in Server)"
3. Modify the PPP configuration files | Add options specific to CHAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files | "How to Add CHAP Support to the PPP Configuration Files (Dial-in Server)"

Table 33-5 Task Map for CHAP Authentication (Dial-out Machine)

Task | Description | For Instructions
1. Create the CHAP database for the trusted caller's machine | Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/chap-secrets. | "How to Create a CHAP Credentials Database (Dial-in Server)"
2. Modify the PPP configuration files | Add options specific to CHAP to the /etc/ppp/options file. | "How to Add CHAP Support to the PPP Configuration Files (Dial-out Machine)"

 
 
 