Requests For Comments (upon which the AIX implementation of PPP is based)
RFC 1661 RFC 1662 RFC 1332
AIX support has a PPP "cookbook" explaining PPP in greater detail including packet formats and other low-level information.
AIX support has a document available on modem configuration including the configurations for several popular brands of modems.
In order to dial out with PPP there must be a tty defined for the modem port. Add a tty via smit by executing the following command:
smit maktty
Select tty rs232 Asynchronous Terminal.
Select the parent adapter.
A brief overview for modem setup follows:
lslpp -h bos.net.uucp
Direct tty## - baud_rate direct
tty## is the tty created above and baud_rate is the Baud rate set for that tty.
Execute the following command:
cu -dml tty##
connected should be displayed. Enter AT. The modem should respond with OK. Modem setup strings vary, but a frequently used, generic setup string is as follows:
AT&F&C1&D2S0=1Q2&W
A different string may be required by your modem.
~.<Enter>
Execute the following command:
smit ppp
Select:
Link control configuration
And then:
Add a Link Configuration
NOTE: Options preceded by an asterisk are present only in AIX 4.1.5 and 4.2.
PPP subsystem name []
max server connections []
max client connections []
*max demand connections []
max ip interfaces []
max async hdlc attachments []
mru []
async character map []
negotiate MRU yes
negotiate async map yes
negotiate protocol compression yes
negotiate address control compression yes
force authentication no
*chap interval []
PPP SUBSYSTEM NAME: usually ppp
MAX SERVER CONNECTIONS: This is the greatest number of clients that may be served at any one time. That is, the maximum number of interfaces provided by the server for PPP access by clients. Typically, this is the number of "dial-in" modems on the system. It must be 1 if any PPP client will be dialing in.
MAX CLIENT CONNECTIONS: This is the greatest number of outgoing connections at any one time. Typically, this is the number of "dial-out" modems on the system. It must be at least 1 if there will be any outgoing requests for a PPP connection.
* MAX DEMAND INTERFACES: This is the greatest number of peer connections allowed at any one time. These connections are established on demand. That is, they are triggered by an event (such as a ping to the remote PPP host). They are typically employed for ISDN or long-distance connections.
MAX IP INTERFACES: This is the total of the PPP interfaces for the system. Typically, it is the sum of max server connections, max client connections, and max demand connections.
MAX ASYNC HDLC ATTACHMENTS: This is the number of concurrently active PPP sessions allowed. Typically, it equals the Max IP interfaces.
Normally all other options are left at their default values. Use F1 in smit for context-sensitive help.
Start the PPP subsystem either via the smit ppp screen or execute the following command:
startsrc -s pppcontrold
Any changes to the link control configuration require that the PPP subsystem (pppcontrold) be stopped and restarted.
Things to check:
If PPP isn't running, there may be problems in the link control configuration (see above), or PPP updates are needed.
A chat script is a file containing expect-send pairs separated by white space (spaces or new lines). These expect-send sequences instruct pppdial in how to dial-up and log into a remote PPP server.
For example:
'' ATDT555-5555 CONNECT '' in: myuserid word: mypassword
This script means:
Expect nothing
Send the modem 'ATDT555-5555' (to make the modem dial this number)
Expect 'CONNECT' from modem
Send nothing
Expect '[log]in:' (the login prompt sent by the remote system)
Send my userid
Expect '[pass]word:' (the password prompt sent by the remote system)
Send my password
This is only an example. Before trying to establish a PPP connection, dial out to the remote system and see what is required to log in and start PPP.
NOTE: See the pppdial man page for further information.
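The expect-send structure described above, as an added example (not part of the original document or of AIX): a small parser that splits a chat script into pairs and flags a password stored in the script or a file mode that lets other users read it. The function names are hypothetical, and the quoting rules are an approximation that does not interpret backslash escapes.

```python
import os
import shlex
import stat

def parse_chat_script(text):
    """Split a chat script into (expect, send) pairs.

    Quotes group words and '' is an empty string; backslashes are left
    untouched because this sketch does not interpret escape sequences.
    """
    lexer = shlex.shlex(text, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""       # keep sequences such as \r literally
    lexer.commenters = ""   # '#' is ordinary text here
    tokens = list(lexer)
    if len(tokens) % 2:     # trailing expect with nothing to send
        tokens.append("")
    return list(zip(tokens[0::2], tokens[1::2]))

def audit_chat_script(text, mode=None):
    """Return findings for a chat script and, optionally, its file mode."""
    findings = []
    for number, (expect, send) in enumerate(parse_chat_script(text), start=1):
        if send and expect.lower().endswith(("word:", "password")):
            findings.append(f"pair {number}: cleartext password sent after {expect!r}")
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        findings.append(f"file mode {stat.S_IMODE(mode):04o} lets group/other access the script")
    return findings

def audit_chat_file(path):
    """Audit a chat script on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit_chat_script(handle.read(), os.stat(path).st_mode)

# Chat script from the example above (placeholder credentials).
SAMPLE = "'' ATDT555-5555 CONNECT '' in: myuserid word: mypassword"

if __name__ == "__main__":
    for expect, send in parse_chat_script(SAMPLE):
        print(f"expect {expect!r:12} send {send!r}")
    for finding in audit_chat_script(SAMPLE, mode=0o100644):
        print("FINDING:", finding)
```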
Before dialing out, provide diagnostic information to use in case of failure to establish a connection.
*.debug /tmp/ppp
>/tmp/ppp
chmod +w /tmp/ppp
refresh -s syslogd
lssrc -s pppcontrold
Note the process ID (PID):
kill -30 pppcontrold_PID
pppcontrold_PID is the PID number of pppcontrold returned by the lssrc command.
This will append to /tmp/ppp a message indicating that debugging has been activated. This diagnostic output can later be switched off by using kill -31 pppcontrold_PID. This option can be used when the PPP connection is being established and thereby provide protocol, addressing, PAP/CHAP, and other information.
pppattachd is started to establish a PPP link. It calls the pppdial program which uses the chat script to do the actual dial-out. The dial-out command to use should resemble the following:
/usr/sbin/pppattachd client tty## connect \
"/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE"
tty## and CHAT_SCRIPT_FILE are those created in the steps above.
After issuing the command, watch the progression of the dial-out by executing the following command:
tail -f /tmp/ppp
/tmp/ppp is the file to which debug output has been directed. See the preceding subsection "Capturing diagnostic output".
NOTE: See the pppattachd man page for more options.
If your PPP connection fails, verify the following:
lssrc -s pppcontrold
for AIX 4.1.4 get at least level 4.1.4.10
for AIX 4.1.5 get at least level 4.1.5.5
for AIX 4.2.0 get at least level 4.2.0.8
for AIX 4.2.1 get at least level 4.2.1.6
stopsrc -cs pppcontrold
startsrc -s pppcontrold
Have the following information before calling AIX support:
/etc/ppp/if_conf
/etc/ppp/ppp.conf
/etc/ppp/if_link.map
/etc/ppp/lcp_config
In order to dial out with PPP there must be a tty defined for the modem port. Add a tty via smit. Execute the following command:
smit maktty
Select tty rs232 Asynchronous Terminal.
Select the parent adapter.
See the subsection "Configuring the modem" in the preceding section.
When AIX acts as a PPP server, a caller dialing into the server will be presented with a login prompt. PPP should be initiated on the server by the caller correctly entering the user ID and password. The ID used must have a .profile that starts PPP.
smit mkuser
Assign a user name (for example, pppuser).
Leave other options at their default values.
smit passwd
Enter the user name and assign a password.
pwdadm -f NOCHECK USER_ID
USER_ID is the newly created PPP user (typically pppuser as in step 1 above).
exec /usr/sbin/pppattachd server 2>/dev/null
NOTE: See the pppattachd man page for more options.
smit ppp
Select:
PPP IP interfaces
And then:
Add a server interface
Local IP address []
Starting Remote IP address []
Number of addresses []
Netmask []
LOCAL IP ADDRESS: This is a unique IP address assigned to the PPP interface that identifies the PPP server. This should be on a separate subnet from other network interfaces on the system.
STARTING REMOTE IP ADDRESS: This is the lowest IP address that the server will assign to a PPP client.
NUMBER OF ADDRESSES: This is the number of PPP client addresses available for assignment. Typically, equal to the highest IP address less the lowest IP address with 1 added to the result.
NETMASK: This is the desired subnet mask.
For example: If you have 5 modems into which PPP clients will be dialing, pick your IP (for example, 1.1.1.1) and a starting IP address to assign clients (1.1.1.2) and the number of addresses (5) that you would assign to clients. Clients could then be assigned 1.1.1.2 - 1.1.1.6.
startsrc -s pppcontrold
Things to check at this point:
If PPP isn't running, either there are problems in the link control configuration or server interfaces, or PPP updates are needed.
lssrc -s pppcontrold
If changes are made to any ppp configuration, pppcontrold must be stopped and restarted. This can be done via smit ppp or by executing the following commands:
stopsrc -cs pppcontrold
startsrc -s pppcontrold
for AIX 4.1.4 get at least level 4.1.4.10
for AIX 4.1.5 get at least level 4.1.5.5
for AIX 4.2.0 get at least level 4.2.0.8
for AIX 4.2.1 get at least level 4.2.1.6
Have the following information before calling AIX support:
/etc/ppp/if_conf
/etc/ppp/ppp.conf
/etc/ppp/if_link.map
/etc/ppp/lcp_config
A demand connection can be either 'dial-out' (like a client connection) or 'dial-in' (like a server connection). However, a dial-out demand connection makes use of the routing tables as the connection is automatically established, and a dial-in demand connection may be used to assign the same IP address to a user every time the user connects.
See the subsection "Creating a tty" in the preceding section.
See the subsection "Configuring the modem" in the preceding section.
See the subsection "Setting up PPP in SMIT" in the preceding section.
Fill in the number of demand connections. For example, when one modem will be used for a demand connection, and there will be no server or client connections, configure 0 server, 0 client, and 1 demand connection.
chmod +x /tmp/demandtest
smit ppp
PPP IP interfaces
Add a demand interface
Local IP address []
Starting Remote IP address []
Demand Command []
Netmask []
Fill in the local IP address (the IP address of the PPP interface on the system being configured), the IP address of the remote system (this address must be an already established and static address, that is, not one dynamically assigned), and, as a quoted string, the name of the demand command (for example, /tmp/pppdemandtest) that is invoked to establish the connection.
stopsrc -cs pppcontrold
startsrc -s pppcontrold
A ping to the remote IP address should result in a dial-out to that system. If there is no dial-out, then do the following:
See the preceding subsection "Creating a tty" in this section.
See the subsection "Configuring the modem" in the preceding section.
See the subsection "Setting up PPP in SMIT" in the preceding section.
Fill in the number of demand connections. For example, in the case of a modem being used for a demand connection, and no server or client connections, configure 0 server, 0 client, and 1 demand connection.
smit ppp
PPP IP interfaces
Add a demand interface
Local IP address []
Starting Remote IP address []
Demand Command []
Netmask []
Fill in the Local IP address (the IP address of the PPP interface on the system being configured) and the IP address to assign to the remote system. Leave the Demand Command field blank.
In order to start PPP on the target system, a PPP user must exist on that system. The .profile of this PPP user invokes the pppattachd command which starts PPP.
mkuser USERNAME (or use smit mkuser)
passwd USERNAME (assign the user a password)
pwdadm -f NOCHECK USER_NAME
export PPP_DEMAND_NET=##
exec /usr/sbin/pppattachd demand
The user will be assigned the address of the remote system PPP interface. For example, append the following:
export PPP_DEMAND_NET=0
exec /usr/sbin/pppattachd demand
In this case, the user logging in will be assigned the IP address of the network interface pp0 on the remote system (see the output of ifconfig pp0).
For more information and additional configuration options, see the man pages for pppattachd.
See the preceding subsection "Troubleshooting: What to do before calling AIX support" in this section.
The user ID and password used in PAP are not those used to log in to an AIX system but are used in a single instance following the start of PPP. In AIX, passwords used in PAP are stored in the /etc/ppp/pap-secrets file as viewable text and are transmitted in unencrypted form. When the authenticator finds a match between the user ID and password sent by a peer and an existing user ID and password in the pap-secrets file, the peer has been authenticated.
The authenticator can be the calling system (client) or the system that is being called (server), or both systems can perform authentication. The authenticator receives the user ID and password from the client or server (the peer) and seeks a match in its pap-secrets file to determine whether a connection should be allowed.
To configure an authenticator, execute the following:
smit ppp
Select:
PAP Authentication
Then:
Add a user
User name []
Remote host name [*]
Password []
USER NAME: This is the name to be received by the authenticator from the peer requesting a connection. An asterisk in the User name field will provide a match for any user name sent by a peer (that is, it makes valid any user name proffered to the authenticator).
REMOTE HOST NAME: This is the peer's hostname sent by the peer and received by the authenticator. It is verified by the authenticating host by finding a match in its /etc/ppp/pap-secrets file. Leaving the default asterisk allows the PAP user to connect from any system. In many PAP implementations the hostname is not sent during PAP negotiation.
PASSWORD: This is the password to be sent by the peer. It must be the password for the user name with which it was sent and must exist with this association in the pap-secrets file of the authenticating host before a connection will be granted by that host.
Client (dial-out) authenticator
Where the PPP client (the system from which the user is dialing out) is to act as the PAP authenticator, modify the pppattachd command by adding authenticate pap:
/usr/sbin/pppattachd client /dev/tty0 authenticate pap \
connect "/usr/sbin/pppdial -t -v CHAT_SCRIPT_FILE"
See the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)".
Server (dial-in) authenticator
Where the PPP server (the system into which the user is dialing) is to act as the PAP authenticator, modify the pppattachd command in the PPP user's .profile thus:
exec /usr/sbin/pppattachd server authenticate pap 2>/dev/null
See the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)".
The system that sends a PAP user name and password to the PAP authenticator for verification is a peer.
To configure a PAP peer execute the following:
smit ppp
Select:
PAP Authentication
Then:
Add a user
User name []
Remote host name [*]
Password []
USER NAME: This is the name for the peer to send to the authenticator. It must exist on the authenticating host before that host will grant a connection. An asterisk in the User name field will be validated by the authenticator regardless of the actual user name (that is, it makes valid any user name proffered to the authenticator). The user name is specified by the peer in the pppattachd command, and the corresponding password is taken from the peer's /etc/ppp/pap-secrets file.
REMOTE HOST NAME: This is the hostname of the authenticator. (The name added to the /etc/ppp/pap-secrets file.)
PASSWORD: This is the password for the user name sent to the authenticating host. For authentication to succeed, the password must match the password given for the user on the authenticator.
If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a PAP peer, and the remote system is the PAP authenticator, then supply the keyword pap as well as the user name and password on the pppattachd command line:
/usr/sbin/pppattachd client /dev/tty0 peer pap user USER_NAME \
connect "/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE"
CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".
If AIX is a PPP server (that is, if it receives incoming calls) and the client (the calling system) is the PAP authenticator, then the following line must appear in the PPP user .profile on the PPP server (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)"):
exec /usr/sbin/pppattachd server peer pap user USER_NAME 2>/dev/null
USER_NAME is the PAP user configured on both the peer and authenticator.
Challenge Handshake Authentication Protocol (CHAP) is a more secure means of PPP authentication. Unlike PAP, where authentication occurs at the beginning of the connection and only once, in CHAP the authenticator may issue a challenge to the peer at any time during the connection. The peer's reply is encrypted before transmission and changes depending on the challenge from the authenticator.
NOTE: Microsoft uses a CHAP algorithm that differs from that of AIX. The Windows 95 / Windows NT CHAP protocol is incompatible with AIX.
The CHAP authenticator is the system that issues challenges to the peer. If the peer has the correct password, it can combine the challenge from the authenticator and the correct CHAP secret to formulate the correct response to the challenge.
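The challenge-response exchange described above, as an added example (not AIX code and not part of the original document). It assumes the standard CHAP calculation from RFC 1994, MD5 over the identifier, the secret and the challenge, which this page does not spell out; the class, the peer name and the secret are constructed placeholders.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Issues challenges and checks responses against stored secrets."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret (bytes)
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)                    # fresh, unpredictable
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, peer_name, response):
        value = self.pending.pop(identifier, None)  # each challenge is single-use
        secret = self.secrets.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)

def run_exchange():
    """Constructed session: the peer name and secret are placeholders."""
    auth = Authenticator({"ppp_peer": b"example-secret"})
    results = {}

    # Peer holding the right secret answers the first challenge.
    ident, value = auth.challenge()
    good = chap_response(ident, b"example-secret", value)
    results["correct_secret"] = auth.verify(ident, "ppp_peer", good)

    # A later re-challenge: the response captured earlier no longer matches.
    ident2, _ = auth.challenge()
    results["replayed_response"] = auth.verify(ident2, "ppp_peer", good)

    # Peer with a different secret cannot produce the expected value.
    ident3, value3 = auth.challenge()
    bad = chap_response(ident3, b"wrong-secret", value3)
    results["wrong_secret"] = auth.verify(ident3, "ppp_peer", bad)
    return results

if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(f"{name}: {outcome}")
```

Only the challenge and the 16-byte response cross the link; the secret itself stays in each side's secrets file, which is the contrast with PAP.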
To configure a CHAP authenticator, execute the following:
smit ppp
Select:
CHAP authentication
Then:
Add a user
Peer name []
Authenticator name []
Password []
PEER NAME: This is the peer's PPP SUBSYSTEM NAME to be received by the authenticator. It is stored by the authenticator in its /etc/ppp/chap-secrets file. An asterisk in lieu of a name will result in the authentication of any name received by the authenticator.
AUTHENTICATOR NAME: This is the PPP SUBSYSTEM NAME of the authenticating host.
PASSWORD: This is the password to be received from the peer.
If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a CHAP authenticator, then include authenticate chap in the pppattachd command. For example:
/usr/sbin/pppattachd client tty0 authenticate chap connect \
"/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE"
CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".
If AIX is a PPP server (that is, if it receives incoming calls) and this AIX server is a CHAP authenticator, then include in its pppuser .profile (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)") the keywords authenticate chap:
exec /usr/sbin/pppattachd server authenticate chap 2>/dev/null
The CHAP peer is the system that the authenticator challenges to supply a correct response. The authenticator typically challenges the peer at a regular interval (see the CHAP interval setting in smit under the link control configuration).
To configure a CHAP peer, execute the following:
smit ppp
Select:
CHAP authentication
Then:
Add a user
Peer name []
Authenticator name []
Password []
PEER NAME: This is the peer's PPP SUBSYSTEM NAME which will be sent to the authenticator.
AUTHENTICATOR NAME: This is the PPP SUBSYSTEM NAME of the authenticating host, that is, of that host that will challenge the peer to provide the password.
PASSWORD: This is the password to be sent by the peer to the authenticator. It must match the password stored by the authenticator in order for CHAP to succeed.
If AIX is a PPP client dialing out to a PPP server (see the subsection "Dialing out" in the preceding section "Setting up AIX as a PPP client (outgoing calls)"), and this AIX client is a CHAP peer, and the remote system is the CHAP authenticator, then supply the keywords peer chap in the pppattachd command:
/usr/sbin/pppattachd client tty0 peer chap connect \
"/usr/sbin/pppdial -v -f CHAT_SCRIPT_FILE"
CHAT_SCRIPT_FILE is the chat script created in the subsection "Chat scripts" of the preceding section "Setting up AIX as a PPP client (outgoing calls)".
If AIX is a PPP server (that is, if it receives incoming calls) (see the subsection "Creating a PPP user" in the preceding section "Setting up AIX as a PPP server (incoming calls)") then the following line must appear in the PPP server pppuser .profile:
exec /usr/sbin/pppattachd server peer chap 2>/dev/null
[ Doc Ref: 90605195914810 Publish Date: Aug. 09, 2000 4FAX Ref: 8178 ]