Authentication Options


Authentication for dial access can be implemented in many different ways. It can be within PPP or outside of PPP, such as in the form of a login script or an after-dial terminal window. Within PPP, authentication can range from Password Authentication Protocol (PAP) to Challenge Handshake Authentication Protocol (CHAP) to Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). The username and password combinations can be stored on the router, a Remote Authentication Dial-In User Service (RADIUS) server, a Terminal Access Controller Access Control System (TACACS) server, or an Extended TACACS (TACACS+) server. You can also use any combination of these.

Because there are a myriad of possibilities, additional considerations are highlighted here to help you decide what form of authentication is best to use for your specific application and requirements.

NOTE

The authentication options are fully applicable for both dialup and ISDN technologies. See Part III, "ISDN" for more information on ISDN service.


The first and easiest decision to make is whether to use an authentication server, such as TACACS or RADIUS, or to configure fixed usernames and passwords directly on the router.

Authentication servers can centrally manage authentications for thousands of users who are dispersed geographically and connecting to the NASs. They include added features for handling static or dynamic Internet Protocol (IP) allocation, dial-out scenarios, and account lockouts for account misuse or terminations.

Having the authentication parameters all locally stored on the router is appealing for dial-on-demand backup scenarios where usernames, passwords, and phone numbers are static unless manually changed.

Next, you choose whether you want PPP, a terminal window after connection, or a combination of both to handle authentication. This can be easily answered by reviewing your user base and their needs. In almost all customer-oriented applications, you will most likely choose authentication through PPP only. However, in enterprise situations where some users have unique requirements, such as text-based dialup, you use a combination of both.

If you decide to use PPP, you can determine which form of authentication to use inside of PPP. The most common form is PAP, but in areas where security is a concern you might opt for MS-CHAP or CHAP. CHAP offers the highest level of security out of the three methods. CHAP is the most common form of authentication for dial-on-demand applications. As before, you can use a combination of all of these. For example, if your typical user dials in with Microsoft Dial-Up Networking, the default settings for authentication are PAP over PPP. You might have some users, especially non-Windows users, connecting through text, and you can configure the lines to auto-select text or PPP. If the core router uses a dial-on-demand link in the event of an outage, you can configure the backup link on the router with a static CHAP username and password.

The most common authentication for Internet Access (connecting to an ISP) is PAP. This is what most people are using when they connect to the Internet. In the corporate world and internal to a business, PAP is also used, but with one-time password tokens. This allows for simplistic end user setup along with the added security of an ever-changing password. In places where static (non-changing) passwords exist in the corporate world, CHAP prevails.
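The difference between PAP and CHAP described in the two paragraphs above comes down to what crosses the link. The following is an added example (not from the book) that builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge/Response exchange (RFC 1994) as the authenticator and peer would, so you can see that PAP carries the password verbatim while CHAP only carries an MD5 hash bound to a random challenge; the peer name, secret and packet identifiers are constructed sample values.

```python
"""Added example: what PAP and CHAP actually put on the PPP link (RFC 1334 / RFC 1994)."""
import hashlib
import hmac
import os

PAP_AUTH_REQ = 1     # PAP code: Authenticate-Request
CHAP_CHALLENGE = 1   # CHAP code: Challenge
CHAP_RESPONSE = 2    # CHAP code: Response


def _packet(code: int, ident: int, body: bytes) -> bytes:
    """Common PAP/CHAP header: Code(1) Identifier(1) Length(2), then the body."""
    length = 4 + len(body)
    return bytes([code, ident]) + length.to_bytes(2, "big") + body

def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP sends Peer-ID and Password as length-prefixed cleartext strings."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTH_REQ, ident, body)

def chap_challenge(ident: int, name: bytes, size: int = 16):
    """Authenticator picks a fresh random challenge; returns (challenge_value, packet)."""
    value = os.urandom(size)
    return value, _packet(CHAP_CHALLENGE, ident, bytes([size]) + value + name)

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_response(ident: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """Peer answers with the hash and its name; the secret itself never leaves the host."""
    value = chap_hash(ident, secret, challenge)
    return _packet(CHAP_RESPONSE, ident, bytes([len(value)]) + value + name)

def chap_verify(ident: int, stored_secret: bytes, challenge: bytes, response_pkt: bytes) -> bool:
    """Authenticator recomputes the hash from its own copy of the secret (a local
    username/password entry or a RADIUS/TACACS+ record) and compares in constant time."""
    size = response_pkt[4]
    received = response_pkt[5:5 + size]
    return hmac.compare_digest(received, chap_hash(ident, stored_secret, challenge))

def secret_on_wire(packet: bytes, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in the frame, as a line tap would see it."""
    return secret in packet
```

Note that CHAP still requires the authenticator to hold the cleartext secret (or an equivalent) to recompute the hash, which is why the stored credential must be protected wherever it lives.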

Finally, there is one last form of authentication that is potentially more secure: dial-back authentication. In this case, the user places a call to the server. After the user is authenticated, the server dials back to the client and authenticates again, using the client's phone number as an added security measure. Unfortunately, this type of authentication requires a fixed phone number, which is not possible for individuals who are traveling.

The configurations for the different types of authentication are covered in Chapter 6, "Dial Design and Configuration Solutions."




Troubleshooting Remote Access Networks (CCIE Professional Development)
ISBN: 1587050765
Year: 2002
Pages: 235
