Jan 13

In this post, we will examine PAP and CHAP forms of PPP authentication. The emphasis here will be on the fact that these technologies are one-way in nature. So many of my CCIE-level students believe that they must be configured in a bidirectional configuration. I guess this is because it is what traditional Cisco classes always demonstrate at the CCNA and CCNP levels.

OK – I have pre-configured two routers, R1 and R2, which are connected by their Serial 0/0 interfaces. If you ALWAYS think of these technologies (PAP and CHAP) in terms of CLIENT and SERVER commands, you will be in excellent shape.

Let us begin with R1 playing the role of a PAP server and R2 playing the role of a PAP client. In other words, R1 will be the device that requires authentication, and R2 will be the device that must respond with the correct authentication information.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username ROUTER2 password cisco
R1(config)#int s0/0
R1(config-if)#encapsulation ppp
*Mar  1 00:04:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R1(config-if)#ppp authentication pap
R1(config-if)#end

Here is the configuration of the PAP client:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp pap sent-username ROUTER2 password cisco
R2(config-if)#end
R2#
*Mar  1 00:08:40.539: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar  1 00:08:41.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2#

Study the server and client commands above carefully. Also, notice how the link is established the moment the correct commands are entered on the client.

Now it is time to review the CHAP configuration. We will have the R2 device serve as the CHAP server and the R1 device function as the CHAP client. First the R2 CHAP server commands:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username R1 password cisco
R2(config)#int s0/0
R2(config-if)#ppp authentication chap
R2(config-if)#
*Mar  1 00:14:06.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R2(config-if)#end
R2#

Now the CHAP client configuration on R1:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username R2 password cisco
R1(config)#
*Mar  1 00:16:43.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R1(config)#

Notice that once the matching shared secret password of cisco is placed on the client system, the link is restored.
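
The one-way CHAP exchange above can be modelled in a few lines. This is an added example, not IOS code or anything from the original post: the function names and message dictionaries are assumptions made for illustration, the two username tables mirror the commands shown above, and the response hash is the MD5 construction defined in RFC 1994.

```python
import hashlib
import hmac
import os

# Local "username ... password ..." tables, mirroring the post's configuration.
R2_USERS = {"R1": "cisco"}  # CHAP server (authenticator)
R1_USERS = {"R2": "cisco"}  # CHAP client (peer)

def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def server_challenge(hostname: str, identifier: int) -> dict:
    """The server sends a random challenge together with its own hostname."""
    return {"id": identifier, "value": os.urandom(16), "name": hostname}

def client_response(hostname: str, users: dict, challenge: dict):
    """The client finds the secret under the SERVER's name and hashes the challenge."""
    secret = users.get(challenge["name"])
    if secret is None:
        return None  # no username entry for the challenger, so no answer
    value = chap_hash(challenge["id"], secret, challenge["value"])
    return {"id": challenge["id"], "value": value, "name": hostname}

def server_verify(users: dict, challenge: dict, response) -> bool:
    """The server finds the secret under the CLIENT's name and compares hashes."""
    if response is None or response["id"] != challenge["id"]:
        return False
    secret = users.get(response["name"])
    if secret is None:
        return False
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])

def authenticate(server_name, server_users, client_name, client_users) -> bool:
    """One-way CHAP: only the server challenges; the client never challenges back."""
    challenge = server_challenge(server_name, identifier=1)
    response = client_response(client_name, client_users, challenge)
    return server_verify(server_users, challenge, response)

if __name__ == "__main__":
    print(authenticate("R2", R2_USERS, "R1", R1_USERS))         # matching secrets
    print(authenticate("R2", R2_USERS, "R1", {"R2": "wrong"}))  # mismatched secret
```

Only the hash crosses the link, never the password itself, but both ends feed the cleartext secret into the hash, so each router must be able to recover it from its username entry.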

Enjoy your CCNA studies here at INE!



5 Responses to “CCNA: PPP Authentication Review”

 
  1. Good explanation!! As always!!! :)

  2. Zabeel Musa says:

    Not studying my CCNA but an excellent write up. Like you said, even I thought it was bidirectional as per past studying in CCNA/CCNP. All these reviews truly do help now studying for Lab. Keep up the great work!

  3. CCIE Pilot says:

    Hi,

    Can you write up also for ms-chap, ms-chap-v2 and eap? Thank you.

    Rack1R3(config-if)#ppp authentication ?
    chap Challenge Handshake Authentication Protocol (CHAP)
    eap Extensible Authentication Protocol (EAP)
    ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    ms-chap-v2 Microsoft CHAP Version 2 (MS-CHAP-V2)
    pap Password Authentication Protocol (PAP)

    Rack1R3(config-if)#

  4. MCL.Nicolas says:

    Hey.

    I think I already know the answer to the question I’m going to ask but I prefer to be sure :)
    What if you use the command username R2 secret 0 cisco?
    I think CHAP won’t be able to authenticate the remote peer, right?

    Because CHAP requires type 7 password (reversible password) to use with the challenge, right?

    Thanks for your precious answers

  5. Nadeem Rafi says:

    I agreed with the idea of server and client. It helped me a lot to clear up a few points.
    Thanks once again….
