Basic PPP Setup Guide for AIX 4.2 and 4.3


Contents

About this document
    Related documentation
Setting up AIX as a PPP client (outgoing calls)
Setting up AIX as a PPP server (incoming calls)
PAP security (PAP and CHAP authentication)

About this document

This document serves as a basic PPP setup guide and applies to AIX Versions 4.2 and 4.3.

Related documentation

Requests For Comments (upon which the AIX implementation of PPP is based)

        RFC 1661 
        RFC 1662 
        RFC 1332 

AIX support has a PPP "cookbook" explaining PPP in greater detail including packet formats and other low-level information.

AIX support has a document available on modem configuration including the configurations for several popular brands of modems.


Setting up AIX as a PPP client (outgoing calls)

Creating a tty

In order to dial out with PPP there must be a tty defined for the modem port. Add a tty via smit by executing the following command:

    smit maktty 

Select tty rs232 Asynchronous Terminal.

Select the parent adapter.

Configuring the modem

A brief overview for modem setup follows:

Setting up PPP in SMIT

Execute the following command:

    smit ppp 

Select:

    Link control configuration 

And then:

    Add a Link Configuration 

NOTE: Options preceded by an asterisk are present only in AIX 4.1.5 and 4.2.

    PPP subsystem name                               [] 
    max server connections                           [] 
    max client connections                           [] 
    *max demand connections                           [] 
    max ip interfaces                                [] 
    max async hdlc attachments                       [] 
    mru                                              [] 
    async character map                              [] 
    negotiate MRU                                       yes 
    negotiate async map                                 yes 
    negotiate protocol compression                      yes 
    negotiate address control compression               yes 
    force authentication                                no 
    *chap interval                                    [] 

PPP SUBSYSTEM NAME: usually ppp

MAX SERVER CONNECTIONS: This is the greatest number of clients that may be served at any one time. That is, the maximum number of interfaces provided by the server for PPP access by clients. Typically, this is the number of "dial-in" modems on the system. It must be 1 if any PPP client will be dialing in.

MAX CLIENT CONNECTIONS: This is the greatest number of outgoing connections at any one time. Typically, this is the number of "dial-out" modems on the system. It must be at least 1 if there will be any outgoing requests for a PPP connection.

* MAX DEMAND CONNECTIONS: This is the greatest number of peer connections allowed at any one time. These connections are established on demand. That is, they are triggered by an event (such as a ping to the remote PPP host). They are typically employed for ISDN or long-distance connections.

MAX IP INTERFACES: This is the total of the PPP interfaces for the system. Typically, it is the sum of max server connections, max client connections, and max demand connections.

MAX ASYNC HDLC ATTACHMENTS: This is the number of concurrently active PPP sessions allowed. Typically, it equals the Max IP interfaces.

Normally all other options are left at their default values. Use F1 in smit for context-sensitive help.

Start the PPP subsystem either via the smit ppp screen or execute the following command:

    startsrc -s pppcontrold 

Any changes to the link control configuration require that the PPP subsystem (pppcontrold) be stopped and restarted.

Things to check:

If PPP isn't running, there may be problems in the link control configuration (see above), or PPP updates are needed.

Chat scripts

A chat script is a file containing expect-send pairs separated by white space (spaces or new lines). These expect-send sequences tell pppdial how to dial up and log in to a remote PPP server.

For example:

    '' 
    ATDT555-5555 
    CONNECT 
    '' 
    in: 
    myuserid 
    word: 
    mypassword 

This script means:

    Expect nothing 
    Send the modem 'ATDT555-5555' (to make the modem dial this number) 
    Expect 'CONNECT' from modem 
    Send nothing 
    Expect '[log]in:' (the login prompt sent by the remote system) 
    Send my userid 
    Expect '[pass]word:' (the password prompt sent by the remote system) 
    Send my password 

This is only an example. Before trying to establish a PPP connection, dial out to the remote system and see what is required to log in and start PPP.

NOTE: See the pppdial man page for further information.
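Because pppdial splits the file on white space exactly as described above, a script with an odd number of tokens has a send without its expect and is malformed. The following added example (not part of this guide, and not IBM code) writes the sample script above and lists its expect/send pairs so the pairing can be checked before dialing. The script is created readable by its owner only, since it holds the remote login password in clear text; the function names are this example's own.

```sh
# Added example, not from the guide: check a pppdial chat script before
# using it. pppdial reads the file as white-space separated expect/send
# pairs, so the token count must be even; '' is the "nothing" token.

# Write the guide's sample script to the file named in $1, readable by
# its owner only, because the file carries the login password in clear text.
make_sample_chat() {
    (
        umask 077
        cat > "$1" <<'EOF'
''
ATDT555-5555
CONNECT
''
in:
myuserid
word:
mypassword
EOF
    )
}

# Print one "expect=X send=Y" line per pair; return 1 on an odd token
# count (a send without its expect), which means the script is malformed.
chat_pairs() {
    f=$1
    set -f                     # no pathname expansion of the tokens
    set -- $(cat "$f")
    set +f
    if [ $(( $# % 2 )) -ne 0 ]; then
        echo "$f: odd number of tokens ($#), expect/send pairs unmatched" >&2
        return 1
    fi
    while [ $# -gt 0 ]; do
        echo "expect=$1 send=$2"
        shift 2
    done
}

# Usage: make_sample_chat /tmp/chat.ppp && chat_pairs /tmp/chat.ppp
```

Run it against the real chat script before the first dial-out; a pair listing that reads naturally (expect the prompt, send the answer) is what pppdial will act on.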

Capturing diagnostic output

Before dialing out, set up diagnostic logging so that there is information to work from if the connection fails.

  1. In /etc/syslog.conf add the line:
        *.debug  /tmp/ppp 
    
  2. Create the file /tmp/ppp and set the permissions so it can be written to:
        >/tmp/ppp 
        chmod +w /tmp/ppp 
    
  3. Tell syslogd that /etc/syslog.conf has been updated. Execute the following command:
        refresh -s syslogd 
    
  4. At AIX 4.2 or 4.3, pppcontrold can be set to provide more detailed output by sending it signal 30. Execute the following command:
        lssrc -s pppcontrold 
    

    Note the process ID (PID) and send that process signal 30:

        kill -30 pppcontrold_PID 
    
    pppcontrold_PID is the PID number of pppcontrold returned by the lssrc command.

This will append to /tmp/ppp a message indicating that debugging has been activated. The detailed output can later be switched off with kill -31 pppcontrold_PID. Leave it on while the PPP connection is being established so that protocol, addressing, PAP/CHAP, and other information is captured.
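The four steps above, gathered into one script as an added example (not part of this guide, and not IBM code). The only fiddly part is picking the PID out of the lssrc listing; the lssrc output used for testing is constructed to the usual Subsystem/Group/PID/Status layout, and the function names are this example's own. One change from the procedure as written: the log file is created readable by root only, because the debug output can include PAP user names and passwords, which cross the link in the clear.

```sh
# Added example, not from the guide: set up the PPP debug log and toggle
# pppcontrold's detailed output. Paths and signal numbers are the ones the
# guide gives for AIX 4.2/4.3.

# Read `lssrc -s <subsystem>` output on stdin and print the PID of the
# named subsystem if it is active. Returns 1 when it is inoperative
# (then there is no process to signal).
pid_from_lssrc() {
    awk -v name="$1" '
        $1 == name && $NF == "active" { print $(NF-1); found = 1 }
        END { exit found ? 0 : 1 }'
}

# Signal numbers from the guide: 30 turns detailed output on, 31 off.
ppp_debug_signal() {
    case "$1" in
        on)  echo 30 ;;
        off) echo 31 ;;
        *)   echo "usage: ppp_debug_signal on|off" >&2; return 2 ;;
    esac
}

# Create the log file so that only its owner (root) can read it; the
# guide's chmod +w leaves whatever read bits the umask allows.
create_ppp_log() {
    log=${1:-/tmp/ppp}
    : > "$log" && chmod 600 "$log"
}

# The whole procedure, for root on the AIX host (not run by the test):
ppp_debug_setup() {
    grep -q '^\*\.debug[[:space:]]*/tmp/ppp' /etc/syslog.conf ||
        echo '*.debug  /tmp/ppp' >> /etc/syslog.conf
    create_ppp_log /tmp/ppp
    refresh -s syslogd
    pid=$(lssrc -s pppcontrold | pid_from_lssrc pppcontrold) ||
        { echo "pppcontrold is not running" >&2; return 1; }
    kill -"$(ppp_debug_signal "${1:-on}")" "$pid"
}
```

Call ppp_debug_setup on before dialing and ppp_debug_setup off afterwards; the script sends the signal only when lssrc reports pppcontrold active, so a stopped subsystem gives an error message instead of a kill of a stale PID.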

Dialing out

pppattachd is started to establish a PPP link. It calls the pppdial program which uses the chat script to do the actual dial-out. The dial-out command to use should resemble the following:

    /usr/sbin/pppattachd client tty## connect \
    "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE" 

tty## and CHAT_SCRIPT_FILE are those created in the steps above.

After issuing the command, watch the progression of the dial-out by executing the following command:

    tail -f /tmp/ppp 

/tmp/ppp is the file to which debug output has been directed. See the preceding subsection "Capturing diagnostic output".

NOTE: See the pppattachd man page for more options.

Troubleshooting: What to do before calling AIX support

If your PPP connection fails, verify the following:

  1. The dial-out tty has Enable LOGIN=disable in smit.
  2. netstat -in shows client interfaces. Before a connection is established, the IP addresses of these interfaces will be 0.0.0.0.
  3. pppcontrold is running; execute the following command:
        lssrc -s pppcontrold 
    
  4. The latest PPP fileset revisions have been applied (use: lslpp -h bos.net.ppp).
        for AIX 4.1.4  get at least level  4.1.4.10 
        for AIX 4.1.5  get at least level  4.1.5.5 
        for AIX 4.2.0  get at least level  4.2.0.8 
        for AIX 4.2.1  get at least level  4.2.1.6 
    
  5. The ppp subsystem has been restarted after any change to the configuration. This may be done via smit or by executing the following commands:
        stopsrc -cs pppcontrold 
        startsrc -s pppcontrold 
    

Have the following information before calling AIX support:

  1. The output of lslpp -h bos.net.ppp
  2. The diagnostic output (see the preceding subsection "Capturing diagnostic output")
  3. The contents of the following:
        /etc/ppp/if_conf 
        /etc/ppp/ppp.conf 
        /etc/ppp/if_link.map 
        /etc/ppp/lcp_config 
    
  4. Whether the server requires PAP or CHAP security authentication protocol

Setting up AIX as a PPP server (incoming calls)

Creating a tty

In order to accept incoming PPP calls there must be a tty defined for the modem port. Add a tty via smit. Execute the following command:

    smit maktty 

Select tty rs232 Asynchronous Terminal.

Select the parent adapter.

Configuring the modem

See the subsection "Configuring the modem" in the preceding section.

Creating a PPP user

When AIX acts as a PPP server, a caller dialing into the server will be presented with a login prompt. PPP should be initiated on the server by the caller correctly entering the user ID and password. The ID used must have a .profile that starts PPP.

  1. Create a user by executing the following command:
        smit mkuser 
    

    Assign a user name (for example, pppuser).

    Leave other options at their default values.

  2. Give the user a password by executing the following command:
        smit passwd 
    

    Enter the user name and assign a password.

  3. Streamline the login process. At the initial login the new user will be prompted to change the assigned password; however, the chat script (see the "Chat scripts" subsection of the preceding section) cannot do this. Switch off this prompt for a new password by executing the following command:
        pwdadm -f NOCHECK USER_ID 
    

    USER_ID is the newly created PPP user (typically pppuser as in step 1 above).

  4. Add the PPP start-up command to the user's .profile. cd to the user's home directory (for example, cd /home/pppuser), edit the .profile file and add the following line to the end of the .profile:
        exec /usr/sbin/pppattachd server 2>/dev/null 
    

    NOTE: See the pppattachd man page for more options.

  5. Log on as the user from any terminal on the system. After correctly entering the user ID and password, some "junk" characters should be displayed. These indicate pppattachd activity in trying to negotiate a PPP connection. After about a minute, a login prompt should appear.

Configuring PPP in SMIT

  1. Configure the link control configuration. See the subsection "Setting up PPP in SMIT" in the preceding section and follow the steps there.

  2. To configure PPP IP interfaces, execute the following:
        smit ppp 
    

    Select:

        PPP IP interfaces 
    

    And then:

        Add a server interface 
        Local IP address                    [] 
        Starting Remote IP address          [] 
        Number of addresses                 [] 
        Netmask                             [] 
    

    LOCAL IP ADDRESS: This is a unique IP address assigned to the PPP interface that identifies the PPP server. This should be on a separate subnet from other network interfaces on the system.

    STARTING REMOTE IP ADDRESS: This is the lowest IP address that the server will assign to a PPP client.

    NUMBER OF ADDRESSES: This is the number of PPP client addresses available for assignment. Typically, this equals the highest IP address minus the lowest IP address, plus 1.

    NETMASK: This is the desired subnet mask.

    For example: If you have 5 modems into which PPP clients will be dialing, pick your IP (for example, 1.1.1.1) and a starting IP address to assign clients (1.1.1.2) and the number of addresses (5) that you would assign to clients. Clients could then be assigned 1.1.1.2 - 1.1.1.6.

  3. Start the PPP subsystem either via the smit ppp screen or by executing the following command:
        startsrc -s pppcontrold 
    

Things to check at this point:

If PPP isn't running, either there are problems in the link control configuration or server interfaces, or PPP updates are needed.
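A common server-interface mistake is a client range that runs past the end of the subnet, or one that overlaps the local address. The following added example (not part of this guide, and not IBM code) does the address arithmetic behind the SMIT fields above: it derives the last client address from the starting address and the count, and checks that the whole range and the local address sit inside the subnet given by the netmask without touching the network or broadcast address. It uses the guide's figures (local 1.1.1.1, starting remote 1.1.1.2, 5 addresses); the netmask 255.255.255.0 is an assumption, since the guide's example gives none, and the function names are this example's own.

```sh
# Added example, not from the guide: check the client address range of a
# PPP server interface against the subnet of Local IP address / Netmask.

# Dotted quad to 32-bit integer, and back.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Last address of a range: start + count - 1, the guide's
# "highest minus lowest plus 1" solved for the highest address.
range_end() {
    int2ip $(( $(ip2int "$1") + $2 - 1 ))
}

# range_in_subnet LOCAL START COUNT NETMASK
# Returns 0 and prints the range when every client address and the local
# address lie in the subnet, none is the network or broadcast address,
# and the local address is not inside the client range. Otherwise prints
# the reason and returns 1.
range_in_subnet() {
    local_ip=$1 start=$2 count=$3 mask=$4
    l=$(ip2int "$local_ip"); s=$(ip2int "$start"); m=$(ip2int "$mask")
    e=$(( s + count - 1 ))
    net=$(( l & m ))
    bcast=$(( net | (~m & 4294967295) ))
    if [ $(( s & m )) -ne "$net" ] || [ $(( e & m )) -ne "$net" ]; then
        echo "range $start - $(int2ip "$e") leaves subnet $(int2ip "$net")"
        return 1
    fi
    if [ "$s" -le "$net" ] || [ "$e" -ge "$bcast" ]; then
        echo "range includes the network or broadcast address"
        return 1
    fi
    if [ "$l" -ge "$s" ] && [ "$l" -le "$e" ]; then
        echo "local address $local_ip falls inside the client range"
        return 1
    fi
    echo "clients get $start - $(int2ip "$e") in $(int2ip "$net") netmask $mask"
}

# Usage with the guide's figures (the netmask is assumed):
#   range_in_subnet 1.1.1.1 1.1.1.2 5 255.255.255.0
```

The function does no validation of the dotted quads themselves; it is meant to be run on values already accepted by SMIT.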

Troubleshooting: What to do before calling AIX support

  1. Verify that a caller can dial up to the system and log in as the PPP user. PPP problems are often modem or tty configuration errors.
  2. Check netstat -in output to be sure there are client interfaces. Before a connection is established, the IP addresses of these interfaces will be 0.0.0.0.
  3. Verify that pppcontrold is running by executing the following command:
        lssrc -s pppcontrold 
    

    If changes are made to any ppp configuration, pppcontrold must be stopped and restarted. This can be done via smit ppp or by executing the following commands:

        stopsrc -cs pppcontrold 
        startsrc -s pppcontrold 
    
  4. Check for the latest PPP fileset revisions (use lslpp -h bos.net.ppp)
        for AIX 4.1.4  get at least level  4.1.4.10 
        for AIX 4.1.5  get at least level  4.1.5.5 
        for AIX 4.2.0  get at least level  4.2.0.8 
        for AIX 4.2.1  get at least level  4.2.1.6 
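Step 4 here and step 4 of the client section's troubleshooting list both ask you to compare the installed bos.net.ppp level with a minimum for your AIX release. The following added example (not part of this guide, and not IBM code) does that comparison for either list: it carries the guide's table, compares levels field by field as integers (a plain string compare would rank 4.2.1.10 below 4.2.1.6), and picks the highest level out of lslpp -h output. The lslpp listing used for testing is constructed to the usual Fileset/Level/Action/Status layout; the function names are this example's own.

```sh
# Added example, not from the guide: compare the installed bos.net.ppp
# level with the minimum the guide lists for the AIX release.

# Minimum PPP fileset level for a given AIX release (the guide's table).
min_ppp_level() {
    case "$1" in
        4.1.4) echo 4.1.4.10 ;;
        4.1.5) echo 4.1.5.5 ;;
        4.2.0) echo 4.2.0.8 ;;
        4.2.1) echo 4.2.1.6 ;;
        *) echo "no minimum level listed for AIX $1" >&2; return 1 ;;
    esac
}

# Return 0 if dotted level $1 >= dotted level $2, comparing each field as
# an integer; a missing trailing field counts as 0 (4.2 == 4.2.0).
level_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Read `lslpp -h bos.net.ppp` output on stdin and print the highest
# level in the history; return 1 if no level line is found.
installed_ppp_level() {
    best=
    for lvl in $(awk '$1 ~ /^[0-9]+(\.[0-9]+)+$/ { print $1 }'); do
        if [ -z "$best" ] || level_ge "$lvl" "$best"; then best=$lvl; fi
    done
    [ -n "$best" ] && echo "$best"
}

# ppp_level_ok AIX_RELEASE  < lslpp output; 0 = ok, 1 = update needed.
ppp_level_ok() {
    need=$(min_ppp_level "$1") || return 2
    have=$(installed_ppp_level) || { echo "bos.net.ppp not found" >&2; return 2; }
    if level_ge "$have" "$need"; then
        echo "bos.net.ppp $have >= $need: ok"; return 0
    fi
    echo "bos.net.ppp $have < $need: update needed"; return 1
}

# Usage on the host:  lslpp -h bos.net.ppp | ppp_level_ok 4.2.1
```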
    

Have the following information before calling AIX support:

  1. The output of lslpp -h bos.net.ppp
  2. The diagnostic output (see the subsection "Capturing diagnostic output" in the preceding section)
  3. The contents of the following files:
        /etc/ppp/if_conf 
        /etc/ppp/ppp.conf 
        /etc/ppp/if_link.map 
        /etc/ppp/lcp_config 
    

PPP demand connections

A demand connection can be either 'dial-out' (like a client connection) or 'dial-in' (like a server connection). The difference is that a dial-out demand connection is established automatically when the routing table sends traffic to the remote address, and a dial-in demand connection may be used to assign the same IP address to a user every time the user connects.

Dial-out demand interfaces

  1. Configure the tty.

    See the subsection "Creating a tty" in the preceding section.

  2. Configure the modem.

    See the subsection "Configuring the modem" in the preceding section.

  3. Set up PPP in SMIT.

    See the subsection "Setting up PPP in SMIT" in the preceding section.

    Fill in the number of demand connections. For example, when one modem will be used for a demand connection, and there will be no server or client connections, configure 0 server, 0 client, and 1 demand connection.

  4. Create the dial-out script.

    1. Copy the sample dial-out script /etc/ppp/dial-out.example to another file, for example, /tmp/demandtest.

    2. Edit /tmp/demandtest by filling in the phone number to dial, the user-ID and password to send the remote system, the tty from which to dial, and so on. Uncomment the DEMAND section of the script. Make the script executable by executing the following command:
          chmod +x /tmp/demandtest 
      
    3. Set the demand interface:
          smit ppp 
            PPP IP interfaces 
              Add a demand interface 
              Local IP address                      [] 
              Starting Remote IP address            [] 
              Demand Command                        [] 
              Netmask                               [] 
      

    Fill in the local IP address (the IP address of the PPP interface on the system being configured), the IP address of the remote system (this must be an established, static address, not one dynamically assigned), and, as a quoted string, the demand command (for example, /tmp/demandtest from the previous step) that is invoked to establish the connection.

  5. STOP AND RESTART THE PPP SUBSYSTEM BEFORE CONTINUING. Execute the following commands:
        stopsrc -cs pppcontrold 
        startsrc -s pppcontrold 
    

Troubleshooting

A ping to the remote IP address should result in a dial-out to that system. If there is no dial-out, then do the following:

  1. Ensure that the login of the dial-out tty is disabled.
  2. Ensure that the dial-out script for the demand connection is executable.
  3. Review the subsection "Troubleshooting: What to do before calling AIX support" in the preceding section.

Dial-in demand connections

  1. Configure the tty.

    See the preceding subsection "Creating a tty" in this section.

  2. Configure the modem.

    See the subsection "Configuring the modem" in the preceding section.

  3. Set up PPP via SMIT.

    1. Set up the LCP.

      See the subsection "Setting up PPP in SMIT" in the preceding section.

      Fill in the number of demand connections. For example, in the case of a modem being used for a demand connection, and no server or client connections, configure 0 server, 0 client, and 1 demand connection.

    2. PPP IP configuration
          smit ppp 
            PPP IP interfaces 
              Add a demand interface 
              Local IP address                      [] 
              Starting Remote IP address            [] 
              Demand Command                        [] 
              Netmask                               [] 
      

      Fill in the Local IP address (the IP address of the PPP interface on the system being configured) and the IP address to assign to the remote system. Leave the Demand Command field blank.

  4. Create the PPP user.

    In order to start PPP on the target system, a PPP user must exist on that system. The .profile of this PPP user invokes the pppattachd command which starts PPP.

    1. Create the user by executing the following:
          mkuser USERNAME               (or use smit mkuser) 
          passwd USERNAME               (assign the user a password) 
          pwdadm -f NOCHECK USERNAME    (skip the forced password change at first login) 
      
    2. Alter the user's .profile to start PPP by appending
          export PPP_DEMAND_NET=## 
          exec /usr/sbin/pppattachd demand 
      

      The user will be assigned the address of the remote system PPP interface. For example, append the following:

          export PPP_DEMAND_NET=0 
          exec /usr/sbin/pppattachd demand 
      

    In this case, the user logging in will be assigned the IP address of the network interface pp0 on the remote system (see the output of ifconfig pp0).

For more information and additional configuration options, see the man pages for pppattachd.

Troubleshooting

See the preceding subsection "Troubleshooting: What to do before calling AIX support" in this section.


PAP security (PAP and CHAP Authentication)

PAP (Password Authentication Protocol)

The user ID and password used in PAP are not those used to log in to an AIX system but are used once, following the start of PPP. In AIX, passwords used in PAP are stored in clear text in the /etc/ppp/pap-secrets file and are transmitted unencrypted over the link. When the authenticator finds a match between the user ID and password sent by a peer and an existing user ID and password in the pap-secrets file, the peer has been authenticated.

  1. Authenticator configuration

    The authenticator can be the calling system (client) or the system that is being called (server), or both systems can perform authentication. The authenticator receives the user ID and password from the client or server (the peer) and seeks a match in its pap-secrets file to determine whether a connection should be allowed.

    To configure an authenticator, execute the following:

        smit ppp 
    

    Select:

        PAP Authentication 
    

    Then:

        Add a user 
        User name             [] 
        Remote host name      [*] 
        Password              [] 
    

    USER NAME: This is the name to be received by the authenticator from the peer requesting a connection. An asterisk in the User name field will provide a match for any user name sent by a peer (that is, it makes valid any user name proffered to the authenticator).

    REMOTE HOST NAME: This is the peer's hostname sent by the peer and received by the authenticator. It is verified by the authenticating host by finding a match in its /etc/ppp/pap-secrets file. Leaving the default asterisk allows the PAP user to connect from any system. In many PAP implementations the hostname is not sent during PAP negotiation.

    PASSWORD: This is the password to be sent by the peer. It must be the password for the user name with which it was sent and must exist with this association in the pap-secrets file of the authenticating host before a connection will be granted by that host.

    Client (dial-out) authenticator

    Where the PPP client (the system from which the user is dialing out) is to act as the PAP authenticator, modify the pppattachd command by adding authenticate pap:

        /usr/sbin/pppattachd client /dev/tty0 authenticate pap \ 
        connect "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE" 
    

    See the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)".

    Server (dial-in) authenticator

    Where the PPP server (the system into which the user is dialing) is to act as the PAP authenticator, modify the pppattachd command in the PPP user's .profile thus:

        exec /usr/sbin/pppattachd server authenticate pap 2>/dev/null 
    

    See the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)".

  2. Peer configuration

    The system that sends a PAP user name and password to the PAP authenticator for verification is a peer.

    To configure a PAP peer execute the following:

        smit ppp 
    

    Select:

        PAP Authentication 
    

    Then:

        Add a user 
        User name             [] 
        Remote host name      [*] 
        Password              [] 
    

    USER NAME: This is the name for the peer to send to the authenticator. It must exist on the authenticating host before that host will grant a connection. An asterisk in the User name field will be validated by the authenticator regardless of the actual user name (that is, it makes valid any user name proffered to the authenticator). The user name is specified by the peer in the pppattachd command, and the corresponding password is taken from the peer's /etc/ppp/pap-secrets file.

    REMOTE HOST NAME: This is the hostname of the authenticator. (The name added to the /etc/ppp/pap-secrets file.)

    PASSWORD: This is the password for the user name sent to the authenticating host. For authentication to succeed, the password must match the password given for the user on the authenticator.

Client (dial-out) peer

If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a PAP peer, and the remote system is the PAP authenticator, then supply the keyword pap as well as the user name and password on the pppattachd command line:

    /usr/sbin/pppattachd client /dev/tty0 peer pap user USER_NAME \ 
    connect "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE" 

CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".

Server (dial-in) peer

If AIX is a PPP server (that is, if it receives incoming calls) and the client (the calling system) is the PAP authenticator, then the following line must appear in the PPP user .profile on the PPP server (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)"):

    exec /usr/sbin/pppattachd server peer pap user USER_NAME 2>/dev/null 

USER_NAME is the PAP user configured on both the peer and authenticator.
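Since pap-secrets holds every PAP password in clear text, and since an asterisk in the User name field makes any proffered name valid, the file deserves a periodic check. The following added example (not part of this guide, and not IBM code) audits such a file for the points this section raises: it fails if the file is readable by group or others, warns if it is not owned by root, and reports entries with a wildcard user name, an empty password, or (a threshold of this example's choosing) a password shorter than 8 characters. It assumes one entry per line with three white-space separated columns in the order the SMIT screen shows them (user name, remote host name, password) and '#' comment lines; if the AIX file lays the columns out differently, adjust the field numbers. A wildcard in the host column is not flagged, because, as noted above, many PAP implementations never send a host name. The sample file is constructed and the function names are this example's own; the same checks apply to /etc/ppp/chap-secrets.

```sh
# Added example, not from the guide: audit a PAP (or CHAP) secrets file
# for file permissions and weak entries.

# Fail if group or others can read the file; warn if it is not root's.
secrets_mode_ok() {
    perm=$(ls -l "$1" | cut -c1-10)
    case "$perm" in
        ????r*|???????r*)
            echo "$1: readable by group or others ($perm)"; return 1 ;;
    esac
    owner=$(ls -l "$1" | awk '{ print $3 }')
    [ "$owner" = root ] || echo "$1: owned by $owner, expected root (warning)"
    return 0
}

# Report weak entries; return 1 if any were found.
# Assumed layout: user-name  remote-host  password, '#' starts a comment.
audit_secrets_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 3 { printf "line %d: expected 3 fields, found %d\n", NR, NF; bad++; next }
        $1 == "*" { printf "line %d: wildcard user name, any user name is accepted\n", NR; bad++ }
        $3 == "\"\"" { printf "line %d: empty password\n", NR; bad++; next }
        length($3) < 8 { printf "line %d: password shorter than 8 characters\n", NR; bad++ }
        END { exit bad ? 1 : 0 }' "$1"
}

# Run both checks on one file; 0 only when both pass.
audit_secrets() {
    rc=0
    secrets_mode_ok "$1" || rc=1
    audit_secrets_entries "$1" || rc=1
    return $rc
}

# Usage: audit_secrets /etc/ppp/pap-secrets; audit_secrets /etc/ppp/chap-secrets
```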

CHAP

Challenge Handshake Authentication Protocol (CHAP) is a more secure means of PPP authentication. Unlike PAP, where authentication occurs at the beginning of the connection and only once, in CHAP the authenticator may issue a challenge to the peer at any time during the connection. The peer's reply is a one-way hash of the challenge combined with the shared secret, so the secret itself is never transmitted and the reply changes with every challenge.

NOTE: Microsoft uses a CHAP algorithm that differs from that of AIX. The Windows 95 / Windows NT CHAP protocol is incompatible with AIX.
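The challenge/response exchange described above, worked through as an added example (not part of this guide, and not IBM code). Following RFC 1994, the response is MD5 over the one-octet identifier, the secret and the challenge value; the authenticator recomputes it from its own copy of the secret and compares. The peer name, secret and challenge strings are constructed; a real challenge is a random string of binary octets, shown here as plain text for readability. The example uses md5sum, so it runs on a current Unix system rather than on AIX 4 itself; the function names are this example's own.

```sh
# Added example, not from the guide: a CHAP challenge/response exchange,
# both sides in one script. Response = MD5(identifier || secret || challenge).

# Peer side. $1 = identifier (0-255), $2 = secret, $3 = challenge value.
# Prints the 32-hex-digit response.
chap_response() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -le 255 ] || return 2
    {
        printf "\\$(printf '%03o' "$1")"   # the identifier as one octet
        printf '%s%s' "$2" "$3"            # then secret, then challenge
    } | md5sum | cut -d' ' -f1
}

# Authenticator side. $1 = identifier, $2 = challenge it sent, $3 = peer
# name, $4 = response received, $5 = secrets table ("name secret" lines,
# constructed here in place of /etc/ppp/chap-secrets).
chap_verify() {
    secret=$(printf '%s\n' "$5" | awk -v n="$3" '$1 == n { print $2; exit }')
    [ -n "$secret" ] || { echo "unknown peer $3"; return 1; }
    expected=$(chap_response "$1" "$secret" "$2")
    if [ "$expected" = "$4" ]; then
        echo "peer $3 authenticated"; return 0
    fi
    echo "peer $3: bad response"; return 1
}

# Constructed secrets table shared by both sides (peer name, secret).
SECRETS='aixppp   s3cr3t-chap-key'

# One complete exchange with constructed values.
chap_demo() {
    id=1
    challenge='c0ffee-1234'        # chosen by the authenticator; random in practice
    resp=$(chap_response "$id" 's3cr3t-chap-key' "$challenge")   # peer computes
    chap_verify "$id" "$challenge" aixppp "$resp" "$SECRETS"    # authenticator checks
}
```

Two properties worth seeing in the output: the same secret answers different challenges with different responses, so a captured response is useless against the next challenge, and an attacker who has never seen the secret cannot produce a valid response even while observing the exchange. What CHAP does not do is hide the secret on disk: chap-secrets still stores it in clear text on both systems.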

  1. CHAP authenticator

    The CHAP authenticator is the system that issues challenges to the peer. If the peer has the correct password, it can combine the challenge from the authenticator and the correct CHAP secret to formulate the correct response to the challenge.

    To configure a CHAP authenticator, execute the following:

        smit ppp 
    

    Select:

        CHAP authentication 
    

    Then:

        Add a user 
        Peer name            [] 
        Authenticator name   [] 
        Password             [] 
    

    PEER NAME: This is the peer's PPP SUBSYSTEM NAME to be received by the authenticator. It is stored by the authenticator in its /etc/ppp/chap-secrets file. An asterisk in lieu of a name will result in the authentication of any name received by the authenticator.

    AUTHENTICATOR NAME: This is the PPP SUBSYSTEM NAME of the authenticating host.

    PASSWORD: This is the password to be received from the peer.

    Client (dial-out) authenticator

    If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a CHAP authenticator, then include authenticate chap in the pppattachd command. For example:

        /usr/sbin/pppattachd client tty0 authenticate chap connect \ 
        "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE" 
    

    CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".

    Server (dial-in) authenticator

    If AIX is a PPP server (that is, if it receives incoming calls) and this AIX server is a CHAP authenticator, then include in its pppuser .profile (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)") the keywords authenticate chap:

        exec /usr/sbin/pppattachd server authenticate chap 2>/dev/null 
    
  2. CHAP peer

    The CHAP peer is the system that the authenticator challenges to supply a correct response. The authenticator typically challenges the peer at a regular interval (see the CHAP interval setting in smit under the link control configuration).

    To configure a CHAP peer, execute the following:

        smit ppp 
    

    Select:

        CHAP authentication 
    

    Then:

        Add a user 
        Peer name            [] 
        Authenticator name   [] 
        Password             [] 
    

    PEER NAME: This is the peer's PPP SUBSYSTEM NAME which will be sent to the authenticator.

    AUTHENTICATOR NAME: This is the PPP SUBSYSTEM NAME of the authenticating host, that is, of that host that will challenge the peer to provide the password.

    PASSWORD: This is the password to be sent by the peer to the authenticator. It must match the password stored by the authenticator in order for CHAP to succeed.

    Client (dial-out) peer

    If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a CHAP peer, and the remote system is the CHAP authenticator, then supply the keywords peer chap in the pppattachd command:

        /usr/sbin/pppattachd client tty0 peer chap connect \ 
        "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE" 
    

    CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".

    Server (dial-in) peer

    If AIX is a PPP server (that is, if it receives incoming calls) (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)") then the following line must appear in the PPP server pppuser .profile:

        exec /usr/sbin/pppattachd server peer chap 2>/dev/null 
    

[ Doc Ref: 90605195914810     Publish Date: Aug. 09, 2000     4FAX Ref: 8178 ]