
How-to: Configure PPP authentication Part1 (PAP)

PPP has two different authentication methods. In today’s post we explore the first one, PAP.

PAP stands for Password Authentication Protocol, a simple authentication method. PAP is considered insecure because the password is sent in clear text over the PPP link and it has no protection against replay or brute-force attacks.

How does PAP work?

During the LCP phase, both ends can negotiate the use of a specific authentication protocol. If negotiation succeeds and LCP completes, a series of authentication messages is exchanged to identify the remote end.

In our example, R1 requests that R2 authenticate itself. If R2 agrees, it sends both a username and a password to R1. R1 checks the credentials received from R2 against its configured username and password pairs or against AAA servers. If a match exists, the authentication phase completes successfully and the routers start NCP negotiations.

R1 and R2 configuration:

R1(config)#username ROUTER2 password CISCO
R1(config)#int s1/1
R1(config-if)#encap ppp
R1(config-if)#ppp authentication pap

!---- Router2 configuration---

R2(config)#int s1/2
R2(config-if)#encap ppp
R2(config-if)#ppp pap sent-username ROUTER2 password CISCO

Operation verification

Output of debug ppp negotiation on R1:

!-- LCP is negotiating PAP protocol

*Mar  3 00:06:16.868: Se1/1 LCP: O CONFREQ [Closed] id 131 len 14
*Mar  3 00:06:16.868: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:06:16.872: Se1/1 LCP:    MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar  3 00:06:17.240: Se1/1 LCP: I CONFREQ [REQsent] id 175 len 10
*Mar  3 00:06:17.240: Se1/1 LCP:    MagicNumber 0x0717965F (0x05060717965F)
*Mar  3 00:06:17.244: Se1/1 LCP: O CONFACK [REQsent] id 175 len 10
*Mar  3 00:06:17.248: Se1/1 LCP:    MagicNumber 0x0717965F (0x05060717965F)
*Mar  3 00:06:17.252: Se1/1 LCP: I CONFACK [ACKsent] id 131 len 14
*Mar  3 00:06:17.256: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:06:17.256: Se1/1 LCP:    MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar  3 00:06:17.260: Se1/1 LCP: State is Open

!-- Authentication Phase Begins

*Mar  3 00:06:17.260: Se1/1 PPP: Phase is AUTHENTICATING, by this end
*Mar  3 00:06:17.532: Se1/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTER2"
*Mar  3 00:06:17.536: Se1/1 PAP: Authenticating peer ROUTER2
*Mar  3 00:06:17.536: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar  3 00:06:17.544: Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  3 00:06:17.556: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar  3 00:06:17.564: Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar  3 00:06:17.580: Se1/1 PAP: O AUTH-ACK id 2 len 5
*Mar  3 00:06:17.584: Se1/1 PPP: Phase is UP
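
The lengths in the debug output above (AUTH-REQ len 18, AUTH-ACK len 5) and the option value 0x0304C023 follow directly from the PAP and LCP packet layouts in RFC 1334 and RFC 1661. The Python below is an added example, not part of the original post: the function names are hypothetical and the packets are constructed from the configured ROUTER2/CISCO values rather than captured from the link. It shows that the password travels as plain, length-prefixed bytes that any parser on the path can read.

```python
import struct

PAP_CODES = {1: "AUTH-REQ", 2: "AUTH-ACK", 3: "AUTH-NAK"}
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}

def build_auth_request(ident, peer_id, password):
    """Build a PAP Authenticate-Request: code, id, length, then two
    length-prefixed fields (Peer-ID and Password), all unencrypted."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def _take(buf):
    """Split one length-prefixed field off the front of buf."""
    if not buf or buf[0] > len(buf) - 1:
        raise ValueError("truncated length-prefixed field")
    n = buf[0]
    return buf[1:1 + n], buf[1 + n:]

def parse_pap(packet):
    """Parse a PAP packet, rejecting truncated or inconsistent lengths."""
    if len(packet) < 4:
        raise ValueError("short PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad PAP length field")
    data = packet[4:length]
    out = {"code": PAP_CODES.get(code, code), "id": ident, "len": length}
    if code == 1:                      # Authenticate-Request
        out["peer_id"], rest = _take(data)
        out["password"], _ = _take(rest)
    elif code in (2, 3):               # Authenticate-Ack / Authenticate-Nak
        out["message"], _ = _take(data)
    return out

def parse_lcp_auth_option(opt):
    """Decode the LCP Authentication-Protocol option (type 3)."""
    if len(opt) < 4:
        raise ValueError("short LCP option")
    typ, length, proto = struct.unpack("!BBH", opt[:4])
    if typ != 3 or length < 4:
        raise ValueError("not an Authentication-Protocol option")
    return AUTH_PROTOS.get(proto, hex(proto))

if __name__ == "__main__":
    # Constructed packets matching the debug lines: id 2, len 18 and len 5.
    req = build_auth_request(2, b"ROUTER2", b"CISCO")
    print(req.hex(), parse_pap(req))
    print(parse_pap(bytes([2, 2, 0, 5, 0])))
    print(parse_lcp_auth_option(bytes.fromhex("0304C023")))
```
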

Note: R2 may refuse to use PAP for authentication with the command ppp pap refuse. Below is the debug output from R1 after applying this command on R2:

*Mar  3 00:26:40.251: Se1/1 LCP: O CONFREQ [ACKsent] id 153 len 14
*Mar  3 00:26:40.251: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:26:40.251: Se1/1 LCP:    MagicNumber 0x0A71E3C5 (0x05060A71E3C5)
*Mar  3 00:26:40.271: Se1/1 LCP: I CONFREJ [ACKsent] id 153 len 8
*Mar  3 00:26:40.275: Se1/1 LCP:    AuthProto PAP (0x0304C023)

3 comments

  1. thx..so much for example configuration.

  2. Thank you for a simple explanation

  3. I have noticed that if I specify a username on both routers, and then specify that in the sent-user on both routers, that negotiation still occurs and completes. What is the difference? When I do this, the IOS kicks out a warning that I am using a CHAP password pair and that I could be compromising security. But I am configuring it as PAP. Basically I am gathering that each end is expecting the other to authenticate, so is this like a two-way authentication using PAP, as opposed to only specifying the sent-user on one end would be one-way?
