Kevin,

Here is my idea for solving the conflict between APD and doing PAP-based PPP authentication. Please send this on to Doug Potter and Mike Hennessy, and ask them to contact me with their feedback, especially any details on any implementation issues.

Basically we need to reverse the order of protocol detection and authentication. To do that, I'd suggest having your customized ARAP CCLs provide a flag to the server upon connection, identifying the connection as ARAP out-of-band. Then, for ARAP connections, you can continue with the out-of-band authentication as you do now. PPP connections can be identified by the same mechanism you use now, and now can use PAP for authentication. Interactive sessions would still need to provide a few carriage returns, and would then get the username/password prompt. (Note that if PPP is started from an interactive session, no PAP authentication should be performed as the user is already authenticated.)

When I mentioned this scheme to Mike during our phone discussion on May 30th, we made a comment about not thinking the CCLs were up to this. However, as you are already demonstrating the capability to send strings across the link before ARAP starts up, it appears that your CCLs can in fact operate as above. And as you are already distributing customized CCLs, making one more change to them and requiring their use for APD users would not appear to be a problem.

Awaiting your comments,

-Chris Murphy