4. If a network layer protocol is configured, the PPP link enters the Network-Layer Protocol phase
   for NCP negotiation, such as IPCP negotiation and IPv6CP negotiation.
   ○ If the NCP negotiation succeeds, the link goes up and becomes ready to carry negotiated
     network-layer protocol packets.
   ○ If the NCP negotiation fails, NCP reports a Down event and enters the Link Termination
     phase.
   If the interface is configured with an IP address, the IPCP negotiation is performed. IPCP
   configuration options include IP addresses and DNS server IP addresses. After the IPCP
   negotiation succeeds, the link can carry IP packets.
5. After the NCP negotiation is performed, the PPP link remains active until either of the following
   events occurs:
   ○ Explicit LCP or NCP frames close the link.
   ○ Some external events take place (for example, the intervention of a user).
PPP authentication
PPP supports the following authentication methods:
• PAP—PAP is a two-way handshake authentication protocol using the username and password.
  PAP sends username/password pairs in plain text over the network. If authentication packets
  are intercepted in transit, network security might be threatened. For this reason, it is suitable
  only for low-security environments.
• CHAP—CHAP is a three-way handshake authentication protocol.
  CHAP transmits usernames but not passwords over the network. It transmits the result
  calculated from the password and random packet ID by using the MD5 algorithm. It is more
  secure than PAP. The authenticator may or may not be configured with a username. As a best
  practice, configure a username for the authenticator, which makes it easier for the peer to verify
  the identity of the authenticator.
• MS-CHAP—MS-CHAP is a three-way handshake authentication protocol.
  MS-CHAP differs from CHAP as follows:
  ○ MS-CHAP uses CHAP Algorithm 0x80.
  ○ MS-CHAP provides authentication retry. If the peer fails authentication, it is allowed to
    retransmit authentication information to the authenticator for reauthentication. The
    authenticator allows a peer to retransmit a maximum of three times.
• MS-CHAP-V2—MS-CHAP-V2 is a three-way handshake authentication protocol.
  MS-CHAP-V2 differs from CHAP as follows:
  ○ MS-CHAP-V2 uses CHAP Algorithm 0x81.
  ○ MS-CHAP-V2 provides two-way authentication by piggybacking a peer challenge on the
    Response packet and an authenticator response on the Acknowledge packet.
  ○ MS-CHAP-V2 supports authentication retry. If the peer fails authentication, it is allowed to
    retransmit authentication information to the authenticator for reauthentication. The
    authenticator allows a peer to retransmit a maximum of three times.
  ○ MS-CHAP-V2 supports password change. If the peer fails authentication because of an
    expired password, it will send the new password entered by the user to the authenticator for
    reauthentication.
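The PAP and CHAP bullets above, as an added Python example that is not part of the original guide: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994) to show that the PAP frame carries the password in clear, while the CHAP frame carries only an MD5 digest over the packet identifier, the shared password and the authenticator's random challenge. The usernames and the password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

def pap_request(ident, user, password):
    """PAP Authenticate-Request (code 1): username and password in clear."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def chap_challenge(ident, name):
    """CHAP Challenge (code 1): fresh 16-byte random value plus authenticator name."""
    value = os.urandom(16)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body, value

def chap_digest(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(ident, secret, challenge, name):
    """CHAP Response (code 2): the digest and the peer's username, no password."""
    value = chap_digest(ident, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body

def chap_verify(packet, secret, challenge):
    """Authenticator side: recompute the digest and compare in constant time."""
    if len(packet) < 5:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return False
    value = packet[5:5 + packet[4]]
    return hmac.compare_digest(value, chap_digest(ident, secret, challenge))

# Constructed sample credentials, for illustration only.
USER, SECRET = b"userb", b"constructed-secret"

if __name__ == "__main__":
    pap = pap_request(1, USER, SECRET)
    print("PAP frame contains the password:", SECRET in pap)
    _, chal = chap_challenge(7, b"routera")
    resp = chap_response(7, SECRET, chal, USER)
    print("CHAP frame contains the password:", SECRET in resp)
    print("CHAP response verifies:", chap_verify(resp, SECRET, chal))
    _, fresh = chap_challenge(8, b"routera")
    print("Replayed against a new challenge:", chap_verify(resp, SECRET, fresh))
```

Because the digest depends on the challenge, a captured CHAP Response does not verify against a later challenge, whereas a captured PAP request can be read directly.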
PPP for IPv4
On IPv4 networks, PPP negotiates the IP address and DNS server address during IPCP negotiation.