How-to: Configure PPP authentication Part 1 (PAP)
PPP has two different authentication methods. In today's post we are going to explore the first one, PAP.
PAP stands for Password Authentication Protocol, a simple authentication method. PAP is considered insecure because the password is sent in clear text over the PPP link and it has no protection against replay and brute-force attacks.
How does PAP work?
During the LCP phase both ends can negotiate the use of a specific authentication protocol. If the negotiation succeeds and LCP completes, a series of authentication messages is exchanged to identify the remote end.
In our example R1 requests that R2 authenticate itself. If R2 agrees to the request, it sends both a username and a password to R1. R1 checks the credentials received from R2 against its configured username and password pairs or against AAA servers. If a match exists, the authentication phase completes successfully and the routers start NCP negotiations.
R1 and R2 configuration:
R1(config)#username ROUTER2 password CISCO
R1(config)#int s1/1
R1(config-if)#encap ppp
R1(config-if)#ppp authentication pap
!---- Router2 configuration---
R2(config)#int s1/2
R2(config-if)#encap ppp
R2(config-if)#ppp pap sent-username ROUTER2 password CISCO
Operation verification
Output of debug ppp negotiation on R1:
!-- LCP is negotiating PAP protocol
*Mar 3 00:06:16.868: Se1/1 LCP: O CONFREQ [Closed] id 131 len 14
*Mar 3 00:06:16.868: Se1/1 LCP: AuthProto PAP (0x0304C023)
*Mar 3 00:06:16.872: Se1/1 LCP: MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar 3 00:06:17.240: Se1/1 LCP: I CONFREQ [REQsent] id 175 len 10
*Mar 3 00:06:17.240: Se1/1 LCP: MagicNumber 0x0717965F (0x05060717965F)
*Mar 3 00:06:17.244: Se1/1 LCP: O CONFACK [REQsent] id 175 len 10
*Mar 3 00:06:17.248: Se1/1 LCP: MagicNumber 0x0717965F (0x05060717965F)
*Mar 3 00:06:17.252: Se1/1 LCP: I CONFACK [ACKsent] id 131 len 14
*Mar 3 00:06:17.256: Se1/1 LCP: AuthProto PAP (0x0304C023)
*Mar 3 00:06:17.256: Se1/1 LCP: MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
*Mar 3 00:06:17.260: Se1/1 LCP: State is Open
!-- Authentication Phase Begins
*Mar 3 00:06:17.260: Se1/1 PPP: Phase is AUTHENTICATING, by this end
*Mar 3 00:06:17.532: Se1/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTER2"
*Mar 3 00:06:17.536: Se1/1 PAP: Authenticating peer ROUTER2
*Mar 3 00:06:17.536: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar 3 00:06:17.544: Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
*Mar 3 00:06:17.556: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
*Mar 3 00:06:17.564: Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User
*Mar 3 00:06:17.580: Se1/1 PAP: O AUTH-ACK id 2 len 5
*Mar 3 00:06:17.584: Se1/1 PPP: Phase is UP
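To see why PAP is called clear text, the following added example (not part of the original post and not Cisco code) builds and parses the PAP packets from the debug above using the RFC 1334 packet layout. The function names are my own, and the sample packets are constructed from the credentials configured earlier; they reproduce the "len 18" and "len 5" values in the debug, the latter being consistent with an Authenticate-Ack carrying an empty message.

```python
import struct

CODES = {1: "AUTH-REQ", 2: "AUTH-ACK", 3: "AUTH-NAK"}  # PAP codes per RFC 1334

def _lv(field: bytes) -> bytes:
    """Encode one length-prefixed field (1-byte length, then the bytes)."""
    if len(field) > 255:
        raise ValueError("field longer than 255 bytes")
    return bytes([len(field)]) + field

def build_auth_req(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code, Identifier, Length, Peer-ID, Password."""
    body = _lv(peer_id) + _lv(password)
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

def build_auth_ack(ident: int, message: bytes = b"") -> bytes:
    body = _lv(message)
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body

def _take(data: bytes, off: int):
    """Read one length-prefixed field at off; return (field, next offset)."""
    if off >= len(data):
        raise ValueError("missing length byte")
    end = off + 1 + data[off]
    if end > len(data):
        raise ValueError("field runs past packet length")
    return data[off + 1:end], end

def parse_pap(packet: bytes) -> dict:
    if len(packet) < 4:
        raise ValueError("truncated PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("bad Length field")
    data = packet[4:length]
    out = {"code": CODES.get(code, str(code)), "id": ident, "len": length}
    if code == 1:  # the password is a plain field: no hash, nonce or challenge
        peer, off = _take(data, 0)
        pw, _ = _take(data, off)
        out["peer_id"], out["password"] = peer.decode("latin-1"), pw.decode("latin-1")
    elif code in (2, 3):
        out["message"] = _take(data, 0)[0].decode("latin-1")
    return out

# Constructed samples: R2's configured credentials, id 2 as in the debug output.
REQ = build_auth_req(2, b"ROUTER2", b"CISCO")
ACK = build_auth_ack(2)

if __name__ == "__main__":
    print(REQ.hex(), parse_pap(REQ))
    print(ACK.hex(), parse_pap(ACK))
```

Because the request contains nothing that changes between sessions, the same bytes authenticate again if resent, which is the replay weakness mentioned at the start of the post.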
Note: R2 may refuse to use PAP for authentication with the command ppp pap refuse. Below is the debug output from R1 after applying this command on R2:
*Mar 3 00:26:40.251: Se1/1 LCP: O CONFREQ [ACKsent] id 153 len 14
*Mar 3 00:26:40.251: Se1/1 LCP: AuthProto PAP (0x0304C023)
*Mar 3 00:26:40.251: Se1/1 LCP: MagicNumber 0x0A71E3C5 (0x05060A71E3C5)
*Mar 3 00:26:40.271: Se1/1 LCP: I CONFREJ [ACKsent] id 153 len 8
*Mar 3 00:26:40.275: Se1/1 LCP: AuthProto PAP (0x0304C023)