>Most PPP stacks I dealt with give users meaningless error messages on
>failed PAP authentication - something to the effect
>that PPP initialization failed. Apparently, NAK that PPP server
>returns on incorrect user id/password may have other meanings,
>such as desire to do CHAP.
>Is this a correct assessment?

The system that wants to check the identity of the other system first
sends LCP Configure-Requests asking for PAP or CHAP. The other system
responds with an LCP Configure-Ack (agreeing with the requestor), a
Configure-Reject (refusing), or a Configure-Nak (suggesting an
alternative). In the second two cases, the system with the security
concern sends another Configure-Request, possibly using the alternative
suggested with the Nak. Eventually the other system must answer with
a Configure-Ack, or the concerned system must hang up the phone.

Finally, the other system sends a suitable PAP password-request or
CHAP response to prove it knows the secret known only by the good guy.
If the secret is the wrong one, then the concerned system is supposed
to send a message to that effect and hang up the phone.

Note that things are symmetric. The other system can demand authentication
in the same way.

See RFC 1334.
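
The distinction drawn in the reply above, as an added example that is not part of the original message: an LCP Configure-Nak carrying the Authentication-Protocol option is still negotiation, while a wrong password shows up as a PAP Authenticate-Nak on protocol 0xc023. The function names are hypothetical and the sample frames are constructed, given from the PPP protocol field onward with no HDLC framing.

```python
import struct

LCP, PAP, CHAP = 0xC021, 0xC023, 0xC223   # PPP protocol numbers
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack",
             3: "Authenticate-Nak"}
AUTH_OPTION = 3                           # LCP Authentication-Protocol option

def auth_option(options: bytes):
    """Return 'PAP'/'CHAP' (or hex) from a run of LCP options, else None."""
    i = 0
    while i + 2 <= len(options):
        opt_type, opt_len = options[i], options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("malformed LCP option")
        if opt_type == AUTH_OPTION and opt_len >= 4:
            proto = struct.unpack("!H", options[i + 2:i + 4])[0]
            return {PAP: "PAP", CHAP: "CHAP"}.get(proto, hex(proto))
        i += opt_len
    return None

def explain(frame: bytes) -> str:
    """Describe one PPP frame so a Nak is reported for what it really is."""
    if len(frame) < 6:
        raise ValueError("truncated frame")
    proto, code, _ident, length = struct.unpack("!HBBH", frame[:6])
    if length < 4 or length + 2 > len(frame):
        raise ValueError("bad length field")
    body = frame[6:2 + length]
    if proto == LCP and code in LCP_CODES:
        auth = auth_option(body)
        if code == 3 and auth:
            return f"LCP Configure-Nak: still negotiating, peer suggests {auth}"
        if code == 4 and auth:
            return f"LCP Configure-Reject: still negotiating, peer refuses {auth}"
        return f"LCP {LCP_CODES[code]}" + (f" (auth {auth})" if auth else "")
    if proto == PAP and code in PAP_CODES:
        if code == 1:
            return "PAP Authenticate-Request"
        text = body[1:1 + body[0]].decode("ascii", "replace") if body else ""
        verdict = "accepted" if code == 2 else "rejected"
        return f"PAP {PAP_CODES[code]}: credentials {verdict} ({text!r})"
    return f"protocol {proto:#06x} code {code}"

# Constructed sample frames (not captured traffic).
NAK_WANTS_CHAP = bytes.fromhex("c021 03 01 0009 0305c22305")
PAP_BAD_PASSWORD = bytes.fromhex("c023 03 02 000a 05") + b"Sorry"
```

A client that surfaces the string from `explain` instead of a generic "PPP initialization failed" lets the user tell a bad password apart from an authentication-protocol mismatch.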