PAP One-Way (Cont.)


Specifies One-way Authentication

R4(config)# interface bri0/0
R4(config-if)# encapsulation ppp
R4(config-if)# ppp authentication pap callin

R4(config-if)# ppp pap sent-username R4 password matchingpass

Credentials Used to Authenticate to Router

© 2001, Cisco Systems, Inc. All rights reserved.

Cisco CCIE Prep v1.0—Module 3-33

Examine the configuration for R4 (the client). This router needs to produce identification in order to gain access to resources beyond R1 (the server).

PAP requires Point-to-Point Protocol (PPP) encapsulation, which is specified first. Next, issue the command ppp authentication pap callin, which specifies PAP as the authentication method. The callin keyword specifies a one-way authentication scenario, which means R4 (the client) will not request that R1 (the server) authenticate itself.

Finally, the credentials R4 will use to authenticate to R1 are supplied. This is accomplished with the command ppp pap sent-username R4 password matchingpass. This statement permits outbound authentication from this client by sending a PAP AUTH-REQ packet to R1 with the username R4 and the password matchingpass. Remember, the server (R1) must have this exact username/password pair in its local database in order for authentication to succeed.

Populates Local Database With Client Identification Parameters

R1(config)# username R4 password matchingpass
R1(config)# interface bri0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap


Now, take a look at R1's (the server's) configuration. First, populate the local database with the identification parameters used by the client (R4). This is performed using the command username R4 password matchingpass. It is important to note that you could have chosen any username/password combination. The only stipulation is they must match on the client and server.

Next, enable PPP encapsulation and specify that PAP will be the authentication method. Since R1 (the server) will not authenticate itself to any client, no further configuration is needed.

R4(config)# username USERD password USERDPASS
R4(config)# interface bri0/0
R4(config-if)# encapsulation ppp
R4(config-if)# ppp authentication pap
R4(config-if)# ppp pap sent-username USERB password USERBPASS

R1(config)# username USERB password USERBPASS
R1(config)# interface bri0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap
R1(config-if)# ppp pap sent-username USERD password USERDPASS

(Diagram: R4 and R1 connected over ISDN)


Next, take a look at two-way PAP authentication. In this example, both R4 and R1 will perform both the client and server functions. They will each provide identification (client) and request identification (server) for mutual authentication.

PAP Two-Way (Cont.)

Populates Local Database With Client Identification Parameters


R4(config)# username USERD password USERDPASS

R4(config)# interface bri0/0
R4(config-if)# encapsulation ppp

R4(config-if)# ppp authentication pap

R4(config-if)# ppp pap sent-username USERB password USERBPASS

Credentials Used to Authenticate to R1

Populates Local Database With Client Identification Parameters

R1(config)# username USERB password USERBPASS
R1(config)# interface bri0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp authentication pap

R1(config-if)# ppp pap sent-username USERD password USERDPASS

Credentials Used to Authenticate to R4


Looking at R4's configuration, you can see the local database has been populated with parameters R1 will supply as its identification. This is for the server portion of its configuration.

Next, enable PPP encapsulation, then specify the PAP authentication requirement with the command ppp authentication pap. Notice the keyword callin has been removed. The keyword callin is only used for one-way authentication.

Finally, R4 is supplied with the credentials it will use to authenticate to R1. This is accomplished with the command ppp pap sent-username USERB password USERBPASS. This statement permits outbound authentication from this client by sending a PAP AUTH-REQ packet to R1 with the username USERB and the password USERBPASS. This is the client portion of its configuration.

As you can see, you perform the same configuration on R1, using the correct username and password for its client/server configurations.
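The following Python model is an added example, not Cisco code or part of the original course material. It mirrors the one-way and two-way PAP configurations above (the username/password local database, ppp authentication pap with and without callin, and ppp pap sent-username) as data on each peer, then runs the AUTH-REQ exchange in the directions the configuration calls for. The PppPeer fields, the negotiate() function and the dictionary "message" layout are assumptions of this model; the credential values are the ones the slides use. It also shows the failure case the text warns about: one mismatched character in the password on either side and the link does not come up.

```python
# Constructed model of PAP one-way and two-way authentication (not Cisco code).
# Each PppPeer mirrors the IOS statements in the text:
#   username X password Y               -> local_db
#   ppp authentication pap [callin]     -> require_auth / callin
#   ppp pap sent-username X password Y  -> sent_username / sent_password
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PppPeer:
    name: str
    local_db: dict = field(default_factory=dict)   # username -> password
    sent_username: Optional[str] = None            # ppp pap sent-username ...
    sent_password: Optional[str] = None            # ... password ...
    require_auth: bool = False                     # ppp authentication pap
    callin: bool = False                           # ... callin: only demand credentials from peers that dial in


def pap_auth_req(client: PppPeer) -> Optional[dict]:
    """Client side: build the PAP Authenticate-Request. The password travels in
    cleartext, so anyone capturing the link sees it unchanged."""
    if client.sent_username is None:
        return None  # no 'ppp pap sent-username' configured: nothing to send
    return {"code": "AUTH-REQ", "peer_id": client.sent_username,
            "password": client.sent_password}


def pap_verify(server: PppPeer, req: Optional[dict]) -> bool:
    """Server side: the pair must exactly match a 'username/password' entry."""
    if req is None:
        return False
    return server.local_db.get(req["peer_id"]) == req["password"]


def negotiate(caller: PppPeer, callee: PppPeer):
    """Run the authentication phase for a call placed by `caller` to `callee`.
    Returns (per-direction results, link_up)."""
    results = {}
    # (who authenticates, whom, did that peer dial in to the authenticator?)
    for auth, peer, peer_called_in in ((callee, caller, True), (caller, callee, False)):
        if not auth.require_auth:
            continue
        if auth.callin and not peer_called_in:
            # 'callin': this router only asks peers that call in to authenticate;
            # it placed the call itself, so it does not challenge the peer.
            continue
        results[f"{auth.name} authenticates {peer.name}"] = pap_verify(auth, pap_auth_req(peer))
    return results, all(results.values())


def one_way_example():
    """One-way scenario from the text: R4 dials R1 and proves its identity; R1 does not."""
    r4 = PppPeer("R4", sent_username="R4", sent_password="matchingpass",
                 require_auth=True, callin=True)
    r1 = PppPeer("R1", local_db={"R4": "matchingpass"}, require_auth=True)
    return negotiate(r4, r1)


def two_way_example():
    """Two-way scenario from the text: both sides supply and demand credentials."""
    r4 = PppPeer("R4", local_db={"USERD": "USERDPASS"},
                 sent_username="USERB", sent_password="USERBPASS", require_auth=True)
    r1 = PppPeer("R1", local_db={"USERB": "USERBPASS"},
                 sent_username="USERD", sent_password="USERDPASS", require_auth=True)
    return negotiate(r4, r1)


def mismatch_example():
    """A single differing character in the server's database entry fails the link."""
    r4 = PppPeer("R4", sent_username="R4", sent_password="matchingpass",
                 require_auth=True, callin=True)
    r1 = PppPeer("R1", local_db={"R4": "Matchingpass"}, require_auth=True)
    return negotiate(r4, r1)


if __name__ == "__main__":
    for label, fn in (("one-way", one_way_example), ("two-way", two_way_example),
                      ("mismatch", mismatch_example)):
        print(label, fn())
```

The model makes the two points the text relies on visible: callin suppresses only the calling router's demand for credentials (the callee still authenticates it), and PAP does nothing more than compare the cleartext pair it received against the local database, so there is no protection for the password on the wire.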

CHAP

Challenge-Handshake Authentication Protocol (CHAP) authentication is substantially more secure than PAP because of its more sophisticated challenge-response handshake. Just like PAP, it can be configured in either a uni-directional or bi-directional setup.

CHAP Two-Way (Mutual) Authentication

(Diagram label beside R4: 10.0.0.1)

R4(config)# username R1 password secret
R4(config)# interface bri0/0
R4(config-if)# ip address 172.16.14.1 255.255.252.0
R4(config-if)# encapsulation ppp
R4(config-if)# dialer map ip 172.16.14.2 name R1 broadcast 5772222
R4(config-if)# ppp authentication chap

Two-way CHAP Authentication

(Diagram label beside R1: 10.0.0.2)

R1(config)# username R4 password secret
R1(config)# interface bri0/0
R1(config-if)# ip address 172.16.14.2 255.255.252.0
R1(config-if)# encapsulation ppp
R1(config-if)# dialer map ip 172.16.14.1 name R4 broadcast 3442929
R1(config-if)# ppp authentication chap


PPP negotiation involves several steps: Link Control Protocol (LCP) negotiation, authentication, and Network Control Protocol (NCP) negotiation. If the two sides cannot agree on the correct parameters, the connection is terminated. Once the link is established, the two sides authenticate each other using the authentication protocol decided on during LCP negotiation. Authentication must succeed before NCP negotiation starts. The configuration shown here includes only the parameters relevant to CHAP two-way authentication.
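The following Python model is an added example, not Cisco code or part of the original course material. It plays out the two-way CHAP exchange that the R4/R1 configuration above produces once LCP has completed: each router sends a random Challenge carrying its own hostname, the peer answers with MD5(Identifier || secret || Challenge) as defined in RFC 1994, and the challenger recomputes the digest from the secret stored under the responder's name. The ChapRouter class, its method names and the dictionary "packet" layout are assumptions of this model; the hostnames and the shared secret "secret" are the ones in the slides. Using the hostname as the CHAP Name and looking the secret up by the peer's name is the default IOS behaviour that the matching username/password entries in the text rely on.

```python
# Constructed model of two-way CHAP (not Cisco code). Digest per RFC 1994:
# Response = MD5(Identifier || secret || Challenge). MD5 is what CHAP
# specifies; it is shown here because that is the protocol, not as a
# recommendation for new designs.
import hashlib
import hmac
import os
from typing import Optional


class ChapRouter:
    def __init__(self, hostname: str, local_db: dict):
        self.hostname = hostname
        self.local_db = local_db      # peer hostname -> shared secret ('username X password Y')
        self._next_id = 0

    def challenge(self) -> dict:
        """Authenticator side: send a fresh random challenge plus our name."""
        self._next_id = (self._next_id + 1) % 256
        return {"code": "Challenge", "id": self._next_id,
                "value": os.urandom(16), "name": self.hostname}

    def respond(self, chal: dict) -> Optional[dict]:
        """Peer side: hash the secret stored for the challenger's name.
        The secret itself never goes on the wire, only this digest."""
        secret = self.local_db.get(chal["name"])
        if secret is None:
            return None  # no 'username <challenger>' entry: cannot answer
        digest = hashlib.md5(bytes([chal["id"]]) + secret.encode() + chal["value"]).digest()
        return {"code": "Response", "id": chal["id"], "value": digest, "name": self.hostname}

    def verify(self, chal: dict, resp: Optional[dict]) -> bool:
        """Authenticator side: recompute with the secret stored for the
        responder's name. Both routers must hold the same secret."""
        if resp is None or resp["id"] != chal["id"]:
            return False
        secret = self.local_db.get(resp["name"])
        if secret is None:
            return False
        expected = hashlib.md5(bytes([chal["id"]]) + secret.encode() + chal["value"]).digest()
        return hmac.compare_digest(expected, resp["value"])  # Success or Failure packet


def mutual_chap(a: ChapRouter, b: ChapRouter) -> dict:
    """Two-way CHAP: each router challenges the other after LCP completes;
    NCP negotiation would only start if both directions succeed."""
    chal_a, chal_b = a.challenge(), b.challenge()
    return {f"{a.hostname} authenticates {b.hostname}": a.verify(chal_a, b.respond(chal_a)),
            f"{b.hostname} authenticates {a.hostname}": b.verify(chal_b, a.respond(chal_b))}


def two_way_example() -> dict:
    """The configuration in the text: 'username R1 password secret' on R4,
    'username R4 password secret' on R1."""
    r4 = ChapRouter("R4", {"R1": "secret"})
    r1 = ChapRouter("R1", {"R4": "secret"})
    return mutual_chap(r4, r1)


def mismatched_secret_example() -> dict:
    """Secrets that differ by one character fail in both directions."""
    r4 = ChapRouter("R4", {"R1": "secret"})
    r1 = ChapRouter("R1", {"R4": "Secret"})
    return mutual_chap(r4, r1)


def replay_example() -> bool:
    """A Response captured for one Challenge is useless against a later one,
    because the random challenge value and the identifier change. This is
    the property that makes CHAP stronger than PAP's fixed cleartext pair."""
    r4 = ChapRouter("R4", {"R1": "secret"})
    r1 = ChapRouter("R1", {"R4": "secret"})
    old_chal = r1.challenge()
    captured = r4.respond(old_chal)
    new_chal = r1.challenge()
    return r1.verify(new_chal, captured)


if __name__ == "__main__":
    print("two-way:", two_way_example())
    print("mismatch:", mismatched_secret_example())
    print("replayed response accepted:", replay_example())
```

Note that the lookup direction is what ties the two configurations together: R4 answers R1's challenge with the secret stored under "R1", and R1 checks that answer with the secret stored under "R4", which is why both username entries must carry the same secret.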
