question regarding CHAP setup for dial-out from PM

hargen@pdn.paradyne.com
Mon, 30 Oct 95 16:48:02 EST

I'm trying to set up my PM to dial out to another router (Morningstar)
and establish a PPP connection. I want to use CHAP on the Morningstar
to authenticate the connection from the PM (i.e. since the Morningstar
has a dial-in line, the security is needed on that end).

I'd like to make sure that I understand how the name/secret lookup is
managed on each end.

My understanding is as follows: (MSE = Morningstar Express)

- MSE sends PM a CHAP challenge containing a unique challenge string
and the MSE's name.
- The PM looks up the supplied name in its user table (or via Radius)
to obtain the shared secret.
- The PM uses the secret to encrypt the challenge string and sends a
CHAP response to the MSE containing the encrypted string and the PM's
name.
- The MSE looks up the supplied PM's name in its own "password/secret"
database and validates.

Both devices, of course, contain the same secret. However, it seems
that the secret would be associated with the MSE's name in the PM's
database and with the PM's name in the MSE's database. Correct?

If so, it seems that one router's system name needs to be suitable as
a user name on all other routers that it might call. This means that
assigning routers generic names such as "pm", "cisco", or "annex" would
be a bad idea. It also implies that router names might need to follow
any user name restrictions of other routers (character set and length).

What got me thinking about this is the MSE's name is "outsideline"
which is both a poor identifier for that site as well as longer than
the eight character user name limit of the Portmaster!

Is my understanding of CHAP name/secret management correct and my
conclusions about router naming reasonable?

--Bill
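As an added illustration (not part of Bill's message or of the PortMaster/Morningstar software), the exchange described above in Python: the MSE challenges, the PM looks up the MSE's name to find the secret, and the MSE looks up the PM's name to verify. The names, secrets and lookup tables are constructed; the response value is the RFC 1994 CHAP-MD5 computation, with the "encrypted string" being a hash rather than a reversible encryption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example tables (not from the original post): each side stores the
# shared secret under the *peer's* name, which is the asymmetry Bill describes.
PM_SECRETS = {"outsideline": b"shared-secret-1"}   # PM indexes by the MSE's name
MSE_SECRETS = {"pm": b"shared-secret-1"}           # MSE indexes by the PM's name


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def build_challenge(auth_name: str, identifier: int, challenge: bytes) -> dict:
    """Authenticator (MSE) -> peer: unique challenge plus the authenticator's name."""
    return {"id": identifier, "challenge": challenge, "name": auth_name}


def build_response(secrets: dict, own_name: str, chal: dict) -> Optional[dict]:
    """Peer (PM): look up the *authenticator's* name to find the shared secret."""
    secret = secrets.get(chal["name"])
    if secret is None:
        return None                      # unknown authenticator: nothing to respond with
    value = chap_md5_response(chal["id"], secret, chal["challenge"])
    return {"id": chal["id"], "value": value, "name": own_name}


def verify_response(secrets: dict, chal: dict, resp: Optional[dict]) -> bool:
    """Authenticator (MSE): look up the *peer's* name, recompute, compare."""
    if resp is None or resp["id"] != chal["id"]:
        return False
    secret = secrets.get(resp["name"])
    if secret is None:
        return False                     # PM's name not in the MSE's database
    expected = chap_md5_response(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["value"])


def run_exchange(pm_name: str, mse_name: str, pm_secrets: dict, mse_secrets: dict,
                 challenge: Optional[bytes] = None, identifier: int = 1) -> bool:
    """One-way CHAP: the MSE authenticates the PM that dialed in."""
    challenge = challenge if challenge is not None else os.urandom(16)
    chal = build_challenge(mse_name, identifier, challenge)
    resp = build_response(pm_secrets, pm_name, chal)
    return verify_response(mse_secrets, chal, resp)
```

Renaming either router without updating the other side's table makes the exchange fail, which is exactly the naming constraint the post points out.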