SMIT Help Information for Point-to-Point Protocol (PPP)

Note: The information contained in this article is structured as help information for the System Management Interface Tool (SMIT) and is not intended for general reading.

PPP

The Point-to-Point Protocol (PPP) provides a standardized method for network connections over supported point-to-point media. PPP is composed of the following parts:

A method for encapsulating datagrams

A link control protocol (LCP), a protocol used to maintain the point-to-point link

A family of Network Control Protocols (NCP) used to establish and configure network-layer protocols such as TCP/IP.


Link Control Configuration

Allows you to add, change, or remove the /etc/ppp/lcp_config link configuration file. The link configuration file enables you to set server and client connections and the number of network and async hdlc interfaces. The lcp_config file also provides the capability to override the LCP default configuration options (such as asynchronous character mapping) across all links.


PPP IP Interfaces

This option allows you to add, change, or remove the PPP TCP/IP server interfaces in the /etc/ppp/if_conf file.


Add a Link Configuration

Provides for the setting of server and client connections and the number of network and async hdlc interfaces. In addition to configuration values, default values (such as the negotiation of protocol compression) can be changed.

Note: Default values should not be changed unless a specific need arises.


Change / Show a Link Configuration

Provides for the altering of the /etc/ppp/lcp_config file.


Add a Server Interface

Adds PPP TCP/IP server interfaces. Server interfaces are differentiated from client interfaces by the existence of both Local and Remote TCP/IP addresses. Server interfaces provide a pool of TCP/IP interfaces. Incoming client connections establish a session and the next available server interface is allocated. The client obtains its IP address information during the IPCP option negotiation. You may specify one or more interfaces within an IP address range.


Change / Show a Server Interface

Allows for the alteration of a single existing IP interface. Changes do not take effect until the PPP subsystem is restarted.


Link Configuration

Provides the configuration information for the subsystem wide LCP values. These values are stored in the /etc/ppp/lcp_config file.


LINK Configuration

Provides the configuration information for the subsystem wide LCP values. These values are stored in the /etc/ppp/lcp_config file.


Start PPP

Starts the Point-to-Point Protocol (PPP) subsystem.

PPP provides a standardized method of network connections over supported point-to-point media.


Stop PPP

Stops the Point-to-Point Protocol (PPP) subsystem.

PPP provides a standardized method of network connections over supported point-to-point media.


PAP Authentication

The Password Authentication Protocol (PAP) enables you to restrict user access to a PPP authenticator host. Users allowed to access the authenticator host are defined in the /etc/ppp/pap-secrets file on both the peer and authenticator systems. Each user definition in the /etc/ppp/pap-secrets file contains the user name, remote host name, and password. The authenticator host compares these values to the values sent by the peer host requesting authentication. If the user name and password pair of the peer requesting authentication does not match an entry in the /etc/ppp/pap-secrets file, the PPP connection is not allowed.


CHAP Authentication

The Challenge-Handshake Authentication Protocol (CHAP) enables you to restrict peer access to a PPP authenticator host. Peers allowed to access the authenticator host are defined in the /etc/ppp/chap-secrets file on both the peer and authenticator systems. Each peer definition in the /etc/ppp/chap-secrets file contains the PPP subsystem names of the peer and the authenticator and a password. During PPP authentication, the authenticator uses the password to validate the peer requesting connection. If the CHAP authentication fails, the PPP connection is not allowed.

Optionally, you can configure CHAP to challenge the peer on a periodic basis. This periodic basis is the chap interval. You can set the chap interval in the Link Control Configuration SMIT menu.


Add a User

This option enables you to add a User name/Remote host/Password entry to the /etc/ppp/pap-secrets file. On the peer, the /etc/ppp/pap-secrets file is used to determine the password for the current user name and remote host setting (which may be set on the pppattachd command line). The peer sends this password along with the user name to the authenticator during PPP authentication. On the authenticator, the entries in the /etc/ppp/pap-secrets file are used to compare the password sent by the peer.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

You must have root user authority to add an entry to the /etc/ppp/pap-secrets file.


Add a User

This option enables you to add an entry to the /etc/ppp/chap-secrets file. An entry contains the peer's PPP subsystem name, the authenticator's PPP subsystem name, and a password. On the peer, the /etc/ppp/chap-secrets file is used to determine the password for the peer name and authenticator host setting. The peer uses this password to respond to the challenges sent by the authenticator. When the authenticator receives the response from the peer, the authenticator uses this entry to validate the peer. If the validation fails, the connection is not allowed. During this whole process, the password is never sent across the link.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

You must have root user authority to add an entry to the /etc/ppp/chap-secrets file.


Change / Show a User

This option enables you to view and change a User name/Remote host name/Password entry in the /etc/ppp/pap-secrets file. On the peer, the /etc/ppp/pap-secrets file is used to determine the password for the current user name and remote host setting (which may be set on the pppattachd command line). The peer uses this password to respond to the challenges sent by the authenticator. When the authenticator receives the response from the peer, the authenticator uses this entry to validate the peer. If the validation fails, the connection is not allowed. During this whole process, the password is never sent across the link.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

You must have root user authority to view and change an entry in the /etc/ppp/pap-secrets file.


Remove a User

This option enables you to remove a User name/Remote host/Password entry from the /etc/ppp/pap-secrets file. You must have root user authority to remove an entry from the /etc/ppp/pap-secrets file.


PAP User List

Displays a list of User/Remote host/Password entries in the /etc/ppp/pap-secrets file. You must have root user authority to access the /etc/ppp/pap-secrets file and its values.


User name

Enter the user ID of the user authorized to establish a PPP connection to the authenticator host. This entry becomes the user name field in an entry in the /etc/ppp/pap-secrets file. If this name matches the user name specified in the pppattachd command (or the PPP subsystem name, if no name is specified in the pppattachd command), the peer uses this name and its corresponding password to attempt authentication with the authenticator host. An authenticator uses this field to match the user name sent by the peer. The authenticator compares the corresponding password with the password sent by the peer.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

You can specify an * (asterisk) character in place of the user name, but be careful if you do so. An asterisk in this field allows any user name to match this field. PPP evaluates entries in order of explicitness, evaluating entries containing * characters last. Thus, if an entry exists in the /etc/ppp/pap-secrets file that matches the user name and the remote host name, that entry is used. If authentication fails because the password is wrong, PPP does NOT check to see if any entries containing the * character match and contain the right password. For example, if user "lynn" on the peer attempts to connect to the authenticator host "steve" with password "nomad", the following entry in the authenticator's /etc/ppp/pap-secrets would allow the PPP connection:

User name                 *
Remote host name          steve
Password                  nomad

If the /etc/ppp/pap-secrets file also contains the following entry, the connection would be denied:

User name                 lynn
Remote host name          steve
Password                  chris

In this case, PPP uses the second entry instead of the first entry because the second entry is more explicit. The password sent by the peer ("nomad") does not match the password in this entry ("chris"), so the connection is denied.

The user name of the peer is the name specified in the pppattachd command with the user argument. If the user argument is not specified, the user name defaults to the PPP subsystem name defined in the Link Control Configuration screen of SMIT.

Note: If you are viewing the User name field from the Remove a User menu, pressing enter will remove authorization for the displayed user name.


Peer name

Enter the PPP subsystem name of the peer authorized to authenticate.

For CHAP authentication to succeed, matching entries must exist in the /etc/ppp/chap-secrets file on BOTH the peer and the authenticator host. For entries to match, the peer name fields must match, the authenticator name fields must match, and the password fields must match.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

You can specify an * (asterisk) character in place of the peer subsystem name, but be careful if you do so. An asterisk in this field allows any PPP subsystem name to match this field. PPP evaluates entries in order of explicitness, evaluating entries containing * characters last. Thus, if an entry exists in the /etc/ppp/chap-secrets file that matches the peer subsystem name and the authenticator host name, that entry is used. If authentication fails because the password is wrong, PPP does NOT check to see if any entries containing the * character match and contain the right password. For example, if peer subsystem "lynn" attempts to connect to the authenticator host "steve" with password "nomad", the following entry in the authenticator's /etc/ppp/chap-secrets would allow the PPP connection:

Peer name               *
Authenticator name      steve
Password                nomad

If the /etc/ppp/chap-secrets file also contains the following entry, the connection would be denied:

Peer name               lynn
Authenticator name      steve
Password                chris

In this case, PPP uses the second entry instead of the first entry because the second entry is more explicit. The password used by the peer ("nomad") does not match the password in this entry ("chris"), so the connection is denied.

Note: If you are viewing the Peer name field from the Remove a CHAP User menu, pressing enter will unauthorize the subsystem name of the peer displayed.


Remote host name

Enter the remote host name that you want to authorize to authenticate. This entry becomes the remote host name field in an entry in the /etc/ppp/pap-secrets file. For most configurations, leaving this field as an * (asterisk) character gives the desired functionality. During PAP authentication, the name of the remote host is NOT transmitted across the link. If this field contains a specific host name, this host name must match the host name specified in the pppattachd command (with the remote argument) executed on this system.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".

Specifying an * character in this field allows any remote host to match this field. PPP evaluates entries in order of explicitness, evaluating entries containing * characters last. Thus, if an entry exists in the /etc/ppp/pap-secrets file that matches the user name and the remote host name, that entry is used. For example, if user "lynn" on the peer attempts to connect to the authenticator host "steve", the following entry in the peer's /etc/ppp/pap-secrets file causes the peer to send the authenticator host the password "nomad":

User name                lynn
Remote host name         *
Password                 nomad

If the /etc/ppp/pap-secrets file also contains the following entry, the peer would send the authenticator host the password "chris":

User name                lynn
Remote host name         steve
Password                 chris

In this case, PPP uses the second entry instead of the first entry because the second entry is more explicit.

Note: If you are viewing the Remote host name field from the Remove a User menu, pressing enter will unauthorize the remote host displayed.


Authenticator name

Enter the PPP subsystem name of the authenticator host. (The PPP subsystem name of a system can be found using the SMIT Link Control Configuration menu.) This entry becomes the authenticator host name field in an entry in the /etc/ppp/chap-secrets file.

For CHAP authentication to succeed, matching entries must exist in the /etc/ppp/chap-secrets file on BOTH the peer and the authenticator host. For entries to match, the peer name fields must match, the authenticator name fields must match, and the password fields must match.

You can specify an * (asterisk) character in place of the authenticator name, but be careful if you do so. An asterisk in this field allows any PPP subsystem name to match this field. PPP evaluates entries in order of explicitness, evaluating entries containing * characters last. Thus, if an entry exists in the /etc/ppp/chap-secrets file that matches the peer subsystem name and the authenticator host name, that entry is used. If authentication fails because the password is wrong, PPP does NOT check to see if any entries containing the * character match and contain the right password. For example, if peer subsystem "lynn" attempts to connect to the authenticator host "steve" with password "nomad", the following entry in the authenticator's /etc/ppp/chap-secrets would allow the PPP connection:

Peer name               lynn
Authenticator name      *
Password                nomad

If the /etc/ppp/chap-secrets file also contains the following entry, the connection would be denied:

Peer name               lynn
Authenticator name      steve
Password                chris

In this case, PPP uses the second entry instead of the first entry because the second entry is more explicit. The password used by the peer ("nomad") does not match the password in this entry ("chris"), so the connection is denied.

Note: If you are viewing the Authenticator name field from the Remove a CHAP User menu, pressing enter will unauthorize the authenticator host displayed.
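
The explicitness rule and the # quoting rule described in the User name, Peer name, Remote host name, and Authenticator name entries above can be checked offline with the following added example (not code from the PPP subsystem). It assumes a layout of one entry per line with three whitespace-separated fields, and it assumes that ties between equally explicit entries go to the earlier line; neither detail is stated on this page.

```python
import hmac
from collections import namedtuple

Entry = namedtuple("Entry", "line name host password")

# Constructed sample. ASSUMED layout: name, host, password on one line.
SAMPLE = '''\
# authenticator-side secrets (constructed)
*         steve   nomad
lynn      steve   chris
"user#1"  *       "pa#ss"
bob#1     steve   secret
'''

def split_fields(line):
    """Split a line into fields; an unquoted # ends the line, "..." keeps # literal."""
    fields, cur, in_quote, started = [], [], False, False
    for ch in line:
        if in_quote:
            if ch == '"':
                in_quote = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quote = started = True
        elif ch == "#":
            break
        elif ch.isspace():
            if started:
                fields.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if in_quote:
        raise ValueError("unterminated double quote")
    if started:
        fields.append("".join(cur))
    return fields

def parse_secrets(text):
    """Return (entries, problems); problems are (line number, message) pairs."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            fields = split_fields(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if not fields:
            continue  # blank line or comment
        if len(fields) != 3:
            problems.append((lineno, "expected 3 fields, got %d (unquoted #?)" % len(fields)))
            continue
        entries.append(Entry(lineno, *fields))
    return entries, problems

def select_entry(entries, name, host):
    """Pick the one entry that applies: fewest wildcards wins, * entries last."""
    matching = [e for e in entries
                if e.name in ("*", name) and e.host in ("*", host)]
    if not matching:
        return None
    # min() keeps the earliest line on a tie (assumption, not from the page).
    return min(matching, key=lambda e: (e.name == "*") + (e.host == "*"))

def authenticate(entries, name, host, password):
    """Compare against the selected entry only; never fall back to a * entry."""
    entry = select_entry(entries, name, host)
    return entry is not None and hmac.compare_digest(
        entry.password.encode(), password.encode())

def audit(entries):
    """Flag wildcard-name entries and the explicit entries that override them."""
    findings = []
    for e in entries:
        if e.name != "*":
            continue
        findings.append((e.line, "any name is accepted for host %r" % e.host))
        for o in entries:
            if o.name != "*" and o.host == e.host and o.password != e.password:
                findings.append((o.line, "%r is pinned to its own password; the "
                                 "wildcard on line %d never applies" % (o.name, e.line)))
    return findings

if __name__ == "__main__":
    entries, problems = parse_secrets(SAMPLE)
    for lineno, msg in problems:
        print("line %d: %s" % (lineno, msg))
    for lineno, msg in audit(entries):
        print("line %d: %s" % (lineno, msg))
    print("lynn/nomad accepted:", authenticate(entries, "lynn", "steve", "nomad"))
    print("pat/nomad accepted:", authenticate(entries, "pat", "steve", "nomad"))
```

The unquoted `bob#1` line is reported as malformed because everything from the # onward is read as a comment, which is the failure the quoting rule prevents.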


Change / Show a CHAP User

View or change an entry in the /etc/ppp/chap-secrets file. You must have root user authority to view entries in the /etc/ppp/chap-secrets file.

If the user's peer name, remote host name, or password contains one or more # characters, you must enclose that character with double quotation marks (") to prevent PPP from interpreting the # as a comment symbol. For example, if the user's peer name is user#1, type the string in the secrets file as "user#1".


Remove a CHAP User

Removes an entry from the /etc/ppp/chap-secrets file. This action affects all new connections. If a CHAP interval is defined, this action affects existing connections. You must have root user authority to remove an entry from the /etc/ppp/chap-secrets file.
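
The challenge and response described under CHAP Authentication, and the effect on an existing connection of removing an entry while a chap interval is set, are shown in the following added example (not code from the PPP subsystem). It assumes the MD5 response defined in RFC 1994, exact-name lookups with no * entries, and an in-memory table standing in for the /etc/ppp/chap-secrets file; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    def __init__(self, name, secrets):
        self.name = name
        self.secrets = secrets   # {(peer name, authenticator name): password}
        self.next_id = 0
        self.pending = None      # (identifier, challenge) awaiting a response

    def challenge(self):
        """Issue a fresh random challenge; only the latest one is honoured."""
        self.next_id = (self.next_id + 1) % 256
        self.pending = (self.next_id, os.urandom(16))
        return self.pending + (self.name,)

    def verify(self, peer_name, identifier, response):
        """Recompute the digest from the stored password; a challenge is single use."""
        pending, self.pending = self.pending, None
        secret = self.secrets.get((peer_name, self.name))
        if pending is None or pending[0] != identifier or secret is None:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)

class Peer:
    def __init__(self, name, secrets):
        self.name, self.secrets = name, secrets

    def respond(self, identifier, challenge, authenticator_name):
        """Only the name and a digest cross the link, never the password."""
        secret = self.secrets[(self.name, authenticator_name)]
        return self.name, identifier, chap_response(identifier, secret, challenge)

def run_rounds(auth, peer, rounds, remove_after=None):
    """One challenge per chap interval; optionally drop the peer's entry mid-session."""
    results = []
    for n in range(1, rounds + 1):
        ident, chal, auth_name = auth.challenge()
        results.append(auth.verify(*peer.respond(ident, chal, auth_name)))
        if n == remove_after:
            auth.secrets.pop((peer.name, auth.name), None)
    return results

def stale_response_is_rejected(auth, peer):
    """A digest computed for one challenge must not validate against the next."""
    ident, chal, auth_name = auth.challenge()
    name, _, digest = peer.respond(ident, chal, auth_name)
    first = auth.verify(name, ident, digest)
    new_ident, _, _ = auth.challenge()
    return first and not auth.verify(name, new_ident, digest)

if __name__ == "__main__":
    table = {("lynn", "steve"): b"nomad"}   # constructed entry
    auth = Authenticator("steve", dict(table))
    peer = Peer("lynn", dict(table))
    # Entry removed after the second interval: the third challenge fails.
    print(run_rounds(auth, peer, rounds=3, remove_after=2))
```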


CHAP User List

Displays the entries in the /etc/ppp/chap-secrets file. The peer name field corresponds to the PPP subsystem name of the peer requesting authentication. The authenticator name field corresponds to the PPP subsystem name of the authenticator host. The password field is used for authentication and must match on both the peer and authenticator for authentication to succeed.

You must have root user authority to access the entry in the /etc/ppp/chap-secrets file.


Force Authentication

Forces every attempted connection on this authenticator host to support a method of authentication. By default, this field is set to no and does not affect how PPP functions. Changes to this field do not take effect until the PPP subsystem is restarted.

Note: When set to yes, all accounts on this system that are not configured for authentication (using the pppattachd command) are not allowed to connect.


PPP Compression Enabled

Specify whether the PPP subsystem is to negotiate PPP compression on the link. Set this value to no to allow backwards compatibility with prior configurations of AIX PPP. Set this value to yes to allow the AIX PPP subsystem to negotiate network layer compression over the PPP session. The default value is no.


Add a Demand Interface

Adds a PPP TCP/IP demand interface. A demand interface requires at least one IP address be specified in order to ensure that the IP traffic can cause a connection to be made. If you are adding this interface to provide a fixed incoming interface for a user, no addresses are required.


Change / Show a Demand Interface

Lists the IP demand interfaces that you can change, and allows you to change an existing IP demand interface. Changes do not take effect until the PPP subsystem is restarted.


Remove a Demand Interface

Lists IP demand interfaces that you can remove, and allows you to remove an existing IP demand interface. Changes do not take effect until the PPP subsystem is restarted.


PPP SNMP subagent password

This password is used when the PPP SNMP subagent registers with the SNMP daemon. The SNMP daemon might require a password from the PPP SNMP subagent when the subagent registers itself to the daemon.

This field is optional and should only be used if the SNMP daemon requires the password. If the "Enable PPP SNMP subagent" field is set to No, any value in this field is stored, but is not used until the field is set to Yes.


Enable PPP SNMP subagent

Select this option to specify that the PPP subsystem is to be SNMP-enabled.

Set this value to Yes if you want the PPP subsystem to interact with the SNMP daemon. The PPP subsystem supports requests for the pppLink portion of the PPP MIB as defined in RFC 1471. Set this value to No if you want the PPP subsystem to perform as designed and not interact with the SNMP daemon. The default value is No.


PPP SNMP subagent community

The PPP SNMP subagent uses the community name when opening a connection with the SNMP daemon. The default value for this field is public.


Provides options for configuring the IPv6 interface.


Provides options for configuring the IP or IPv6 interface.


Provides options for adding an IPv6 server interface. A server interface requires at least one IP address be specified in order to ensure that the IP traffic can cause a connection to be made. If you are adding this interface to provide a fixed incoming interface for a user, no addresses are required.


Provides options for displaying information about the IPv6 server interface and for changing any of the characteristics.


Lists IPv6 server interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IPv6 client interface.


Provides options for displaying information about the IPv6 client interface and for changing any of the characteristics.


Lists IPv6 client interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IPv6 demand interface. A demand interface requires at least one IP address be specified in order to ensure that the IP traffic can cause a connection to be made. If you are adding this interface to provide a fixed incoming interface for a user, no addresses are required.


Provides options for displaying information about the IPv6 demand interface and for changing any of the characteristics.


Lists IPv6 demand interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IP or IPv6 server interface.


Provides options for displaying information about the IP and IPv6 server interfaces and for changing any of the characteristics.


Lists existing IP and IPv6 server interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IP or IPv6 client interface.


Provides options for displaying information about the IP and IPv6 client interfaces and for changing any of the characteristics.


Lists existing IP and IPv6 client interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IP or IPv6 demand interface. A demand interface requires at least one IP address be specified in order to ensure that the IP traffic can cause a connection to be made. If you are adding this interface to provide a fixed incoming interface for a user, no addresses are required.


Provides options for displaying information about the IP and IPv6 demand interfaces and for changing any of the characteristics.


Lists existing IP and IPv6 demand interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


The maximum number of TCP/IPv6 interfaces to allow. The value is a decimal number. This number, along with "max ip interfaces" and "max ip & ipv6 interfaces", cannot be greater than the total maximum number of server, client, and demand links.

When a machine is used only as a client connecting up to one server, this field would be set to 1. On a server, this field would be set to the maximum number of IPv6 clients that can simultaneously connect to the server. (In this case, make sure that you have enough IPv6 interfaces defined.)


The maximum number of TCP/IP and IPv6 interfaces to allow. The value is a decimal number. This number, along with "max ip interfaces" and "max ipv6 interfaces", cannot be greater than the total maximum number of server, client, and demand links.

When a machine is used only as a client connecting up to one server, this field would be set to 1. On a server, this field would be set to the maximum number of IP & IPv6 clients that can simultaneously connect to the server. (In this case, make sure that you have enough IP & IPv6 interfaces defined.)


Provides options for adding an IPv6 server interface.


Provides options for displaying information about the IPv6 server interface and for changing any of the characteristics.


Lists existing IPv6 server interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for displaying information about the IPv6 server interface and for changing any of the characteristics.


Lists existing IPv6 server interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IPv6 client interface.


Provides options for displaying information about the IPv6 client interface and for changing any of the characteristics.


The IPv6 address of the local machine to be used as a client. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


The IPv6 address of the local machine to be used as a client. Only the lower 64 bits of the address are shown. The upper 64 bits will always be fe80 because PPP only supports link local connections. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


Lists existing IPv6 client interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


The IPv6 address of the server. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. If you want to use consecutive addresses, you must specify them one at a time (and use the value of 1 for the Number of Interface Identifiers). It is recommended that only the last 4 hexadecimal values be changed. After filling in the fields of this screen, press the Enter key to have the entries generated for the /etc/ppp/if_conf file.


The IPv6 address of the server machine.


The IPv6 address of the server. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. If you want to use consecutive addresses, you must specify them one at a time (and use the value of 1 for the Number of Interface Identifiers). It is recommended that only the last 4 hexadecimal values be changed. After filling in the fields of this screen, press the Enter key to have the entries generated for the /etc/ppp/if_conf file.


The IPv6 address of the server machine.


The number of IPv6 interface identifiers that are configured. You can specify one if only a single interface is desired.


The IPv6 address of the local machine to be used as a client. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


The command string to run when the server IPv6 address is requested. Specified in the demand command string is the pppattachd command, the tty to be used, the type of connection, and the protocol used. The command typically used is "exec /usr/sbin/pppattachd /dev/tty1 demand ipv6 >/dev/tty1 nodaemon".


Select the demand command to be run.


Provides options for adding an IPv6 demand interface.


Provides options for displaying information about the IPv6 demand interface and for changing any of the characteristics.


Lists existing IPv6 demand interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Select the server interface that you want to show or change.


Select the server interface that you want to add or change.


Lists existing IP and IPv6 server interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Provides options for adding an IP or IPv6 client interface.


Provides options for adding an IP or IPv6 client interface.


Provides options for displaying information about the IP and IPv6 client interface and for changing any of the characteristics.


The IPv6 address of the local machine to be used as a client. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


The IPv6 address of the local machine to be used as a client. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


Select the client interface that you want to show or change.


Lists existing IP and IPv6 client interfaces that you can select to remove. Changes do not take effect until the PPP subsystem is restarted.


Select the client interface that you want to remove. Changes do not take effect until the PPP subsystem is restarted.


The IPv6 address of the local machine to be used as a client. The first 48 bits of the interface identifier are based on the machine serial number and represented by the first 3 groupings of hexadecimal values. The final 16 bits are randomly generated for the server and remote identifiers. It is recommended that you use the default identifiers that are provided. If you want to use an address other than the address provided, it is recommended that only the last 4 hexadecimal values be changed.


The command string to run when the server IPv6 address is requested. Specified in the demand command string is the pppattachd command, the tty to be used, the type of connection, and the protocol used. The command typically used is "exec /usr/sbin/pppattachd /dev/tty1 demand ipv6 >/dev/tty1 nodaemon".


Select the demand command to be run.


Select the demand command to remove.