System Administration Guide: Network Services
Previous Next

Configuring CHAP Authentication

The tasks in this section explain how to implement authentication on a PPP link by using the Challenge-Handshake Authentication Protocol (CHAP). The tasks use the example that is shown in Figure 16-4 to illustrate a working CHAP scenario for dialing up a private network. Use the instructions as the basis for implementing CHAP authentication at your site.

Before you perform the next procedures, you must have done the following:

  • Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers

  • Obtained superuser permission for the local machine, either dial-in server or dial-out machine

Setting Up CHAP Authentication (Task Maps)

Table 19-4 Task Map for CHAP Authentication (Dial-in Server)

Task

Description

For Instructions

1. Assign CHAP secrets to all trusted callers

Create, or have the callers create, their CHAP secrets.

How to Create a CHAP Credentials Database (Dial-in Server)

2. Create the chap-secrets database

Add the security credentials for all trusted callers to the /etc/ppp/chap-secrets file.

How to Create a CHAP Credentials Database (Dial-in Server)

3. Modify the PPP configuration files

Add options specific to CHAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files.

How to Add CHAP Support to the PPP Configuration Files (Dial-in Server)

Table 19-5 Task Map for CHAP Authentication (Dial-out Machine)

Task

Description

For Instructions

1. Create the CHAP database for the trusted caller's machine

Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/chap-secrets.

How to Create a CHAP Credentials Database (Dial-in Server)

2. Modify the PPP configuration files

Add options specific to CHAP to the /etc/ppp/options file.

How to Add CHAP Support to the PPP Configuration Files (Dial-out Machine)

Configuring CHAP Authentication on the Dial-in Server

The first task in setting up CHAP authentication is modifying the /etc/ppp/chap-secrets file. This file contains the CHAP security credentials, including the CHAP secret, that are used to authenticate callers on the link.


Note - UNIX or PAM authentication mechanisms do not work with CHAP. For example, you cannot use the PPP login option as described in How to Create a PAP Credentials Database (Dial-in Server). If your authentication scenario requires PAM or UNIX-style authentication, choose PAP instead.


The next procedure implements CHAP authentication for a dial-in server in a private network. The PPP link is the only connection to the outside world. The only callers who can access the network have been granted permission by managers of the network, possibly including the system administrator.

How to Create a CHAP Credentials Database (Dial-in Server)

  1. Assemble a list that contains the user names of all trusted callers. Trusted callers include all people who have been granted permission to call the private network.
  2. Assign each user a CHAP secret.

    Note - Be sure to choose a good CHAP secret that is not easily guessed. No other restrictions are placed on the CHAP secret's contents.


    The method for assigning CHAP secrets depends on your site's security policy. Either you have the responsibility for creating the secrets, or the callers must create their own secrets. If you are not responsible for CHAP secret assignment, be sure to get the CHAP secrets that were created by, or for, each trusted caller.

  3. Become superuser on the dial-in server or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  4. Modify the /etc/ppp/chap-secrets file.

    Solaris PPP 4.0 includes an /etc/ppp/chap-secrets file that contains helpful comments but no options. You can add the following options for the server CallServe at the end of the existing /etc/ppp/chap-secrets file.

    account1 CallServe key123 *
    account2 CallServe key456 *

    key123 is the CHAP secret for trusted caller account1.

    key456 is the CHAP secret for trusted caller account2.

See Also

The following list provides references to related information.

Modifying the PPP Configuration Files for CHAP (Dial-in Server)

The task in this section explains how to update existing PPP configuration files to support CHAP authentication on the dial-in server.

How to Add CHAP Support to the PPP Configuration Files (Dial-in Server)

  1. Log in to the dial-in server as superuser.
  2. Modify the /etc/ppp/options file.

    Add the options that are shown in bold for CHAP support.

    # cat /etc/ppp/options
    lock
    nodefaultroute
    name CallServe
    auth
    name CallServe

    Defines CallServe as the CHAP name of the user on the local machine, in this instance the dial-in server

    auth

    Makes the local machine authenticate callers before establishing the link

  3. Create the remaining PPP configuration files to support the trusted callers.

    See How to Configure Users of the Dial-in Server and How to Define Communications Over the Serial Line (Dial-in Server).

See Also

To configure CHAP authentication credentials for trusted callers, refer to How to Create a CHAP Credentials Database (Dial-in Server).

Configuring CHAP Authentication for Trusted Callers (Dial-out Machines)

This section contains tasks for setting up CHAP authentication on the dial-out machines of trusted callers. Depending on your site's security policy, either you or the trusted callers might be responsible for setting up CHAP authentication.

For remote callers to configure CHAP, ensure that the callers' local CHAP secrets match the callers' equivalent CHAP secrets in the dial-in server's /etc/ppp/chap-secrets file. Then give the callers the tasks in this section for configuring CHAP.

Configuring CHAP for trusted callers involves two tasks:

  • Creating the callers' CHAP security credentials

  • Configuring the callers' dial-out machines to support CHAP authentication

How to Configure CHAP Authentication Credentials for the Trusted Callers

This procedure shows how to set up CHAP credentials for two trusted callers. The steps in the procedure assume that you, the system administrator, are creating the CHAP credentials on the trusted callers' dial-out machines.

  1. Become superuser on a dial-out machine or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Using the sample CHAP configuration in Example of a Configuration Using CHAP Authentication, assume that the dial-out machine belongs to trusted caller account1.

  2. Modify the chap-secrets database for caller account1.

    Solaris PPP 4.0 includes an /etc/ppp/chap-secrets file that has helpful comments but no options. You can add the following options to the existing /etc/ppp/chap-secrets file.

    account1 CallServe key123 *

    CallServe is the name for the peer that account1 is trying to reach. key123 is the CHAP secret to be used for links between account1 and CallServer.

  3. Become superuser on another dial-out machine or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Assume that this machine belongs to caller account2.

  4. Modify the /etc/ppp/chap-secrets database for caller account2.
    account2 CallServe key456 *

    Now, account2 has secret key456 as its CHAP credentials for use over links to peer CallServe.

See Also

The following list provides references to related information.

Adding CHAP to the Configuration Files (Dial-out Machine)

To learn more about CHAP authentication, refer to Challenge-Handshake Authentication Protocol (CHAP). The next task configures the dial-out machine that belongs to caller account1, which is introduced in Example of a Configuration Using CHAP Authentication.

How to Add CHAP Support to the PPP Configuration Files (Dial-out Machine)

  1. Log in to the dial-out machine as superuser.
  2. Ensure that the /etc/ppp/options file has the following options.
    # cat /etc/ppp/options
    lock
    nodefaultroute
  3. Create an /etc/ppp/peers/peer-name file for the remote machine CallServe.
    # cat /etc/ppp/peers/CallServe
    /dev/cua/a
    57600
    noipdefault
    defaultroute
    idle 120
    user account1
    connect "chat -U 'mypassword' -f /etc/ppp/mychat"

    The option user account1 sets account1 as the CHAP user name to be given to CallServe. For a description of the other options in the previous file, see the similar /etc/ppp/peers/myserver file in How to Define the Connection With an Individual Peer.

See Also

To test CHAP authentication by calling the dial-in server, refer to How to Call the Dial-in Server.

Previous Next