6.4 Scaling Dial-on-Demand Routing
6.4.4 Authentication
The configuration of the central-site access routers and the remote site routers must provide the following:

Traffic between the remote sites and the central site includes confidential information, so a central-site access router must verify the identity of a router that dials in before it routes that traffic. For that reason, authentication is a primary concern. (Authentication does not encrypt the traffic itself; neither method below protects the confidentiality of data on the link.) There are two ways for sites to authenticate themselves:
  • Point-to-Point Protocol (PPP) authentication---Either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) can be used. PAP sends the password across the link in cleartext. CHAP instead has the central-site router send a challenge, which the remote router answers with a one-way hash computed over the shared secret and the challenge, so the secret never crosses the link and a recorded response cannot be replayed against a fresh challenge. CHAP is preferred where both routers support it.
  • Login authentication---With login authentication, the router prompts for a host name and password when a remote router dials in. The remote router logs in and starts PPP.
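The following Python model of the PAP and CHAP exchanges is an added illustration, not Cisco IOS code and not part of the original design guide. It follows RFC 1994 (CHAP) and RFC 1334 (PAP); the username "remote-a", its secret, and the challenge bytes are constructed for the example, and the dictionary stands in for whatever username database the central-site access router consults.

```python
"""Authenticator (central-site router) and peer (remote router) sides of CHAP,
with PAP beside it for comparison. Example code only; names and secrets are made up."""
import hashlib
import hmac
import os

# Constructed username database, standing in for the authenticator's local
# username entries (example only).
USER_DB = {"remote-a": b"s3cr3t-remote-a"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """Authenticator side: a fresh, unpredictable challenge for every attempt."""
    return os.urandom(size)


def verify_chap(identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
    """Authenticator side: recompute the expected value from the stored secret."""
    secret = USER_DB.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(name: str, password: bytes) -> bool:
    """PAP (RFC 1334): the peer sends the password itself, so a comparison is all there is.
    Whatever is compared here also travelled across the link in the clear."""
    secret = USER_DB.get(name)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_dial_in(name: str, peer_secret: bytes, identifier: int = 1) -> dict:
    """One dial-in: authenticator challenges, peer answers, authenticator verifies.
    Returns the on-the-wire fields so the caller can see what an eavesdropper sees."""
    challenge = new_challenge()                                   # Challenge packet -> peer
    response = chap_response(identifier, peer_secret, challenge)  # Response packet -> authenticator
    return {
        "challenge": challenge,
        "response": response,
        "accepted": verify_chap(identifier, challenge, name, response),
    }


def replay_captured_response(name: str, captured: dict) -> bool:
    """An eavesdropper who recorded one CHAP exchange replays its response on a new call.
    The authenticator issues a new challenge, so the recorded response no longer matches."""
    fresh = new_challenge()
    return verify_chap(1, fresh, name, captured["response"])


def wire_contains_secret(captured: dict, secret: bytes) -> bool:
    """Did the shared secret appear in anything that crossed the link during CHAP?"""
    return secret in captured["challenge"] or secret in captured["response"]


if __name__ == "__main__":
    exchange = chap_dial_in("remote-a", USER_DB["remote-a"])
    print("CHAP accepted:", exchange["accepted"])
    print("secret visible on the wire:", wire_contains_secret(exchange, USER_DB["remote-a"]))
    print("replay of recorded response accepted:", replay_captured_response("remote-a", exchange))
    print("PAP accepted:", verify_pap("remote-a", USER_DB["remote-a"]))
```

Two caveats the model makes visible: the CHAP secret never crosses the link, but an eavesdropper who records a challenge and response can still mount an offline dictionary attack against a weak secret, so the shared secrets must be long and random; and nothing in either exchange encrypts the data that follows authentication.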

In either case, the database of usernames and passwords can be stored locally on each router or on a Terminal Access Controller Access Control System Plus (TACACS+) server. TACACS+ provides centralized password management for all the central-site access routers, so a remote site's credential can be added or revoked in one place rather than on every router, and it provides detailed accounting information about connections to and from the remote sites.

For the purposes of this network design, login authentication is used because it allows the remote sites to announce their IP addresses to the central-site access routers. Alternatively, PPP could be started automatically if TACACS+ were used to support per-user IP address assignment.