Pulse:Stay updated, Stay Relevant

Pulse helps network engineers like you stay updated with the networking industry news everyday for FREE

Pulse: All the updates you need to know in one place

Stay relevant with the information that you need to know about the networking market for FREE

MegaSh: Never forget a command again

150+ *nix Cheatsheets in one page to give your super powers :)

How-to: Configure PPP authentication Part1 (PAP)

PPP has two different authentication methods, in today's post we are going to explore the first method which is PAP.

PAP stands for Password Authentication Protocol which is a simple authentication method. PAP is considered an insecure method because the password is sent in clear text format over the PPP link and has no protection to replay and brute force attacks.

How PAP works?

During the LCP phase both ends can negotiate the use of specific authentication protocol; if it was successful and LCP is completed a series of authentication messages are exchanged to identify the remote end.

In our example R1 will request R2 to authenticate itself, if R2 agrees to the request it will send both a username and a password to R1. R1 will check the credentials received from R2 against one of its configured username and passwords pairs or AAA servers, if a match exist the authentication phase is completed successfully and the routers start NCP negotiations.

R1 and R2 configuration:

R1(config)#username ROUTER2 password CISCO
R1(config)#int s1/1
R1(config-if)#encap ppp
R1(config-if)#ppp authentication pap

!---- Router2 configuration---

R2(config)#int s1/2
R2(config-if)#encap ppp
R2(config-if)#ppp pap sent-username ROUTER2 password CISCO

Operation verfication

Output of debug ppp negotiation on R1:

!-- LCP is negotiating PAP protocol

*Mar  3 00:06:16.868: Se1/1 LCP: O CONFREQ [Closed] id 131 len 14
*Mar  3 00:06:16.868: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:06:16.872: Se1/1 LCP:    MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar  3 00:06:17.240: Se1/1 LCP: I CONFREQ [REQsent] id 175 len 10
*Mar  3 00:06:17.240: Se1/1 LCP:    MagicNumber 0x0717965F (0x05060717965F)
*Mar  3 00:06:17.244: Se1/1 LCP: O CONFACK [REQsent] id 175 len 10
*Mar  3 00:06:17.248: Se1/1 LCP:    MagicNumber 0x0717965F (0x05060717965F)
*Mar  3 00:06:17.252: Se1/1 LCP: I CONFACK [ACKsent] id 131 len 14
*Mar  3 00:06:17.256: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:06:17.256: Se1/1 LCP:    MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar  3 00:06:17.260: Se1/1 LCP: State is Open

 !-- Authentication Phase Begins

*Mar  3 00:06:17.260: Se1/1 PPP: Phase is AUTHENTICATING, by this end
*Mar  3 00:06:17.532: Se1/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTER2"
*Mar  3 00:06:17.536: Se1/1 PAP: Authenticating peer ROUTER2
*Mar  3 00:06:17.536: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar  3 00:06:17.544: Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar  3 00:06:17.556: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar  3 00:06:17.564: Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar  3 00:06:17.580: Se1/1 PAP: O AUTH-ACK id 2 len 5
*Mar  3 00:06:17.584: Se1/1 PPP: Phase is UP

Note: R2 may refuse to use PAP for authentication using the command ppp pap refuse. find below debug output from R1 after applying this command or R2

*Mar  3 00:26:40.251: Se1/1 LCP: O CONFREQ [ACKsent] id 153 len 14
*Mar  3 00:26:40.251: Se1/1 LCP:    AuthProto PAP (0x0304C023)
*Mar  3 00:26:40.251: Se1/1 LCP:    MagicNumber 0x0A71E3C5 (0x05060A71E3C5)
*Mar  3 00:26:40.271: Se1/1 LCP: I CONFREJ [ACKsent] id 153 len 8
*Mar  3 00:26:40.275: Se1/1 LCP:    AuthProto PAP (0x0304C023)

You might also like

- Stay on top of AI tools
- 150+ Linux Devops cheatsheets in one page
- Fast Convergence: Partial SPF calculation
- Few ways scripting can keep you sane
- How-to:Configure BGP aggregation Part1

Check Also

Best AI tools list