The configuration of the central-site
access routers and the remote site routers must provide the
following:
Traffic between the remote sites and the central site includes
confidential information. For that reason, authentication is a
primary concern. There are two ways for sites to authenticate
themselves:
- Point-to-Point Protocol (PPP) authentication: Either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) can be used.
- Login authentication: With login authentication, the router prompts for a host name and password when a remote router dials in. The remote router logs in and starts PPP.
In either case, the database of usernames and passwords can be stored locally or on a Terminal Access Controller Access Control System Plus (TACACS+) server. TACACS+ provides centralized password management for all the central-site access routers and detailed accounting information about connections to and from the remote sites.
For the purposes of this network
design, login authentication is used because it allows the remote
sites to announce their IP addresses to the central-site access
routers. Alternatively, PPP could be started automatically if TACACS+
were used to support per-user IP address assignment.
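The following Cisco IOS configuration fragment is an added example, not the design guide's own configuration: it shows the two authentication options described above on a central-site access router, with login authentication on the async lines backed by TACACS+ and a local fallback, and CHAP rather than PAP if PPP authentication is used instead. The TACACS+ server address 192.0.2.10, the key TACKEY, the method-list name dialin, async lines 1 to 16 and the username remote1 are assumptions.

```cisco
! Added example (not from the original design guide).
! Assumed: TACACS+ server 192.0.2.10 with shared key TACKEY,
! async lines 1-16 on the central-site access router, remote account "remote1".
aaa new-model
! Login and PPP authentication both query TACACS+ first; the local
! database is consulted only if no TACACS+ server answers.
aaa authentication login dialin group tacacs+ local
aaa authentication ppp dialin group tacacs+ local
! Per-session start/stop records give the connection accounting described above.
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key TACKEY
! Local fallback account; "secret" stores a hash instead of a reversible string.
username remote1 secret REPLACE-WITH-STRONG-PASSWORD
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ! "interactive" lets the line present a login prompt before PPP starts;
 ! "dedicated" would force PPP immediately and skip login authentication.
 async mode interactive
 ! If PPP authentication is chosen instead, prefer CHAP: the password
 ! itself never crosses the link, whereas PAP sends it in cleartext.
 ppp authentication chap dialin
 group-range 1 16
!
line 1 16
 ! Login authentication: prompt for host name and password, then let the
 ! authenticated remote router start PPP (and announce its own IP address).
 login authentication dialin
 autoselect during-login
 autoselect ppp
 modem InOut
```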