PPP Negotiating PAP Authentication


If you have decided to use an authentication protocol, it will likely be PAP or CHAP. PAP is a one-way authentication between a host and a router or a two-way authentication between routers. PAP is an insecure authentication method.

When using PAP, the remote host is in control of the frequency and timing of login requests. This situation is undesirable because the router or access server must respond to all login requests, even the repeated attempts of a hacker to guess a username and password combination. (This is known as a brute force attack.) PAP also sends passwords as cleartext over the media, which means that a strategically placed packet sniffer could capture and easily decode the password.

For more secure access control, use CHAP instead of PAP as the authentication method. You should use PAP only when you find that hosts running legacy software may not support CHAP. In this case, PAP is your only authentication option.

Always configure asynchronous lines to require authentication. PPP gives you the option of requiring that callers authenticate using one of two authentication protocols, PAP or CHAP. However, if you are using PPP over a point-to-point leased line, authentication is unnecessary and should not be configured.

Note Most Internet service providers (ISPs) use PAP and CHAP because of the relative management ease and the reduced number of support calls.

PAP Configuration Example

This topic describes how to configure PAP authentication on a Cisco router.

In the figure shown, two routers, RouterA and RouterB, are connected across a network.

Perform the following steps to configure PAP authentication:

Step 1 On each of the interfaces, specify encapsulation ppp.

Step 2 Enable the use of PAP authentication with the ppp authentication pap command.

Step 3 Configure the router with a local username and password database, using the global configuration command username username password password, or point it to a network host that has that information (such as a TACACS+ server). The username and password must match the username and password in the remote router ppp pap sent-username command.

Step 4 Configure the router with the ppp pap sent-username command, which must match the username username password password statement on the remote host or router. Note that in the RouterA configuration, the ppp pap sent-username command specifies the username and password that RouterA sends if it dials RouterB and is asked to authenticate. RouterB is also configured to send a username and password for PAP, if challenged. The name included with the username and dialer map commands is case sensitive. If the remote host name is RouterA and you create a username entry for rta instead, authentication will fail.

Step 5 Configure IP addresses on the interfaces.

Step 6 To ensure that both systems can communicate properly, configure the dialer map command lines for each router. If each router is configured with a dialer map command, each router can associate the authenticated remote name with the peer's address, because the systems have prior knowledge of each other. The dialer map command also contains the telephone number to dial to reach the specified router.
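The following configuration pulls the six steps together for both routers. It is an added example, not a configuration from the original page: the router names RouterA and RouterB come from the text, while the BRI interface, ISDN switch type, IP addresses, telephone numbers and passwords are assumed values. Each router's username entry holds the name and password that the other router sends with ppp pap sent-username, so the two configurations are mirror images of each other.

```cisco
! ---------- RouterA (assumed example configuration) ----------
hostname RouterA
!
! Assumed switch type so that the BRI interface can dial.
isdn switch-type basic-ni
!
! Step 3: local username database. The name and password must match what
! RouterB sends with its "ppp pap sent-username" command (case sensitive).
username RouterB password SecretB
!
interface BRI0
 ! Step 5: IP address (assumed)
 ip address 10.1.1.1 255.255.255.0
 ! Step 1: PPP encapsulation
 encapsulation ppp
 ! Step 6: map the peer address to its host name and dial string (assumed number)
 dialer map ip 10.1.1.2 name RouterB 5552222
 dialer-group 1
 ! Step 2: require PAP authentication on this interface
 ppp authentication pap
 ! Step 4: credentials RouterA sends when RouterB asks it to authenticate
 ppp pap sent-username RouterA password SecretA
!
! Interesting traffic that triggers a call (assumed: any IP)
dialer-list 1 protocol ip permit
!
! ---------- RouterB (assumed example configuration) ----------
hostname RouterB
!
isdn switch-type basic-ni
!
! Step 3: must match RouterA's "ppp pap sent-username RouterA password SecretA"
username RouterA password SecretA
!
interface BRI0
 ! Step 5
 ip address 10.1.1.2 255.255.255.0
 ! Step 1
 encapsulation ppp
 ! Step 6: RouterA's address, host name and dial string (assumed number)
 dialer map ip 10.1.1.1 name RouterA 5551111
 dialer-group 1
 ! Step 2
 ppp authentication pap
 ! Step 4: credentials RouterB sends when challenged by RouterA
 ppp pap sent-username RouterB password SecretB
!
dialer-list 1 protocol ip permit
```

Because PAP carries these passwords in cleartext, the SecretA and SecretB values are exposed on the link every time a call authenticates; the IOS command debug ppp authentication shows the PAP exchange on the console and is the usual way to confirm that the username entries and sent-username values line up when authentication fails.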

