CHAP-enhanced PPP daemon

This is an enhanced version of the PPP implementation for Linux/Solaris/BSD-style systems that extends the Challenge Request/Response authentication scheme with RADIUS capabilities.
The Point-to-Point Protocol (PPP) [1] provides a standard method for transporting multi-protocol datagrams over point-to-point links. For Linux and Solaris a common PPP implementation is available that supports different authentication schemes, e.g. PAP (Password Authentication Protocol/RFC1334), CHAP (Challenge Handshake Authentication Protocol/RFC1994) and its extended successors like MS-CHAP.
In order to establish communications over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during Link Establishment phase. After the link has been established, PPP provides for an optional Authentication phase before proceeding to the Network-Layer Protocol phase. By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase.
A PPP implementation might use a backend authentication service, utilising the RADIUS protocol to verify a user's authentication information. The standard PPP implementation for Linux does not include native RADIUS support, but offers an interface to the PAM library (PAM - Pluggable Authentication Modules [4]), which is available on Linux and Solaris. Within the freeradius project [5], a RADIUS-capable PAM module has been designed that might be used with the PPP daemon. While this solution connects PPP to a RADIUS server, the PAM-Radius module and its interaction are limited to one authentication method within the PPP link authentication phase, the Password Authentication Protocol (PAP).
PAP is not a strong authentication method. Passwords are sent over the circuit "in the clear", and there is no protection from playback or repeated trial and error attacks. Therefore the use of PAP is not recommended.
To improve the security of the authentication process, the existing Challenge-Request/Response (CHAP) authentication scheme was enhanced with a RADIUS module that provides RADIUS authentication.
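The following is an added example, not code from this project: it computes the CHAP response as defined in RFC 1994 and carries it to a RADIUS server in the CHAP-Password and CHAP-Challenge attributes defined in RFC 2865, then shows that a captured response is rejected against a fresh challenge, which is the replay protection PAP lacks. The function names and the shared secret are constructed for illustration, and the sketch assumes the challenge is always sent in CHAP-Challenge rather than in the Request Authenticator.

```python
import hashlib
import hmac
import os

CHAP_PASSWORD = 3    # RADIUS attribute types from RFC 2865
CHAP_CHALLENGE = 60

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the CHAP identifier, the shared secret, then the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value; the length includes the 2-byte header."""
    return bytes([attr_type, len(value) + 2]) + value

def nas_build_attrs(ident: int, challenge: bytes, response: bytes) -> bytes:
    """What the PPP side forwards: CHAP-Password = ident + response, plus the challenge."""
    return (radius_attr(CHAP_PASSWORD, bytes([ident]) + response)
            + radius_attr(CHAP_CHALLENGE, challenge))

def parse_attrs(blob: bytes) -> dict:
    """Decode a run of attributes into {type: value}, rejecting bad or truncated lengths."""
    attrs, pos = {}, 0
    while pos < len(blob):
        length = blob[pos + 1] if pos + 1 < len(blob) else 0
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[blob[pos]] = blob[pos + 2:pos + length]
        pos += length
    return attrs

def server_verify(attrs_blob: bytes, secret: bytes) -> bool:
    """RADIUS server side: recompute the response from the stored secret and compare."""
    attrs = parse_attrs(attrs_blob)
    chap_pw = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE, b"")
    if len(chap_pw) != 17 or len(challenge) < 5:   # 1-byte ident + 16-byte MD5 digest
        return False
    expected = chap_response(chap_pw[0], secret, challenge)
    return hmac.compare_digest(expected, chap_pw[1:])

if __name__ == "__main__":
    secret, ident = b"constructed-secret", 1   # constructed sample values
    challenge = os.urandom(16)                 # fresh for every authentication attempt
    blob = nas_build_attrs(ident, challenge, chap_response(ident, secret, challenge))
    print("accepted:", server_verify(blob, secret))
```

The secret itself never crosses the link or the RADIUS hop; only the digest and the challenge do, so the RADIUS server must hold the secret in a form it can feed into the hash.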
Copyright © 2002 acticom GmbH. All rights reserved.