    14 January 10

    CCNA: PPP Authentication Review

    Posted by INE

    In this post, we will examine the PAP and CHAP forms of PPP authentication. The emphasis here will be on the fact that these technologies are one-way in nature. So many of my CCIE-level students believe that they must be configured bidirectionally. I guess this is because it is what traditional Cisco classes always demonstrate at the CCNA and CCNP levels.

    OK - I have pre-configured two routers, R1 and R2, which are connected by their Serial 0/0 interfaces. If you ALWAYS think of these technologies (PAP and CHAP) in terms of CLIENT and SERVER commands, you will be in excellent shape.

    Let us begin with R1 playing the role of a PAP server and R2 playing the role of a PAP client. In other words, R1 will be the device that requires authentication, and R2 will be the device that must respond with the correct authentication information.

    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#username ROUTER2 password cisco
    R1(config)#int s0/0
    R1(config-if)#encapsulation ppp
    *Mar  1 00:04:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
    R1(config-if)#ppp authentication pap
    R1(config-if)#end

    Here is the configuration of the PAP client:

    R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R2(config)#int s0/0
    R2(config-if)#encapsulation ppp
    R2(config-if)#ppp pap sent-username ROUTER2 password cisco
    R2(config-if)#end
    R2#
    *Mar  1 00:08:40.539: %SYS-5-CONFIG_I: Configured from console by console
    R2#
    *Mar  1 00:08:41.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R2#

    Study the server and client commands above carefully. Also notice that the link is established the moment the correct commands are entered on the client.

    Now it is time to review the CHAP configuration. We will have the R2 device serve as the CHAP server and the R1 device function as the CHAP client. First, the R2 CHAP server commands:

    R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R2(config)#username R1 password cisco
    R2(config)#int s0/0
    R2(config-if)#ppp authentication chap
    R2(config-if)#
    *Mar  1 00:14:06.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
    R2(config-if)#end
    R2#

    Now the CHAP client configuration on R1:

    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#username R2 password cisco
    R1(config)#
    *Mar  1 00:16:43.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R1(config)#

    Notice that once the matching shared secret password of cisco is placed on the client system, the link is restored.
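
The one-way CHAP exchange configured above, simulated as an added example (not code from the original post): R2 challenges, R1 answers with the RFC 1994 value MD5(Identifier || secret || Challenge), and R2 verifies, so the secret itself never crosses the link, unlike the PAP password, which is sent in clear text. The dictionary "packets" and function names are simplified assumptions; the two user tables mirror the `username ... password cisco` lines on each router.

```python
import hashlib
import hmac
import os

# Local "username <peer> password <secret>" tables, mirroring the post's configs.
R1_USERS = {"R2": b"cisco"}   # CHAP client (R1) keys the secret by the server's name
R2_USERS = {"R1": b"cisco"}   # CHAP server (R2) keys the secret by the client's name


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_challenge(server_name: str, identifier: int) -> dict:
    """Authenticator side: send a random challenge plus its own name."""
    return {"code": "CHALLENGE", "id": identifier,
            "value": os.urandom(16), "name": server_name}


def client_respond(client_name: str, users: dict, challenge: dict):
    """Peer side: look up the secret by the challenger's name and hash it."""
    secret = users.get(challenge["name"])
    if secret is None:
        return None  # no matching username entry, so no response can be built
    return {"code": "RESPONSE", "id": challenge["id"], "name": client_name,
            "value": chap_response(challenge["id"], secret, challenge["value"])}


def server_verify(users: dict, challenge: dict, response) -> bool:
    """Authenticator side: recompute the hash with its own copy of the secret."""
    if response is None or response["id"] != challenge["id"]:
        return False
    secret = users.get(response["name"])
    if secret is None:
        return False
    expected = chap_response(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def one_way_chap(server_name, server_users, client_name, client_users) -> bool:
    """Run a single one-way exchange: only the server challenges."""
    challenge = server_challenge(server_name, identifier=1)
    response = client_respond(client_name, client_users, challenge)
    return server_verify(server_users, challenge, response)


if __name__ == "__main__":
    print(one_way_chap("R2", R2_USERS, "R1", R1_USERS))
```

Passing an empty user table for the client reproduces the state before `username R2 password cisco` was entered on R1: no response can be computed and authentication fails.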

    Enjoy your CCNA studies here at INE!
