PPP & CHAP Authentication

Posted: January 28, 2016 in Interior gateway protocols (IGP)

In this post, we will examine the PAP and CHAP forms of PPP authentication. The emphasis here will be on the fact that these technologies are one-way in nature. So many of my CCIE-level students believe that they must be configured in a bidirectional configuration. I guess this is because it is what traditional Cisco classes always demonstrate at the CCNA and CCNP levels.

OK – I have pre-configured two routers, R1 and R2, which are connected by their Serial 0/0 interfaces. If you ALWAYS think of these technologies (PAP and CHAP) in terms of CLIENT and SERVER commands, you will be in excellent shape.

Let us begin with R1 playing the role of a PAP server and R2 playing the role of a PAP client. In other words, R1 will be the device that requires authentication, and R2 will be the device that must respond with the correct authentication information.

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username ROUTER2 password cisco
R1(config)#int s0/0
R1(config-if)#encapsulation ppp
*Mar  1 00:04:47.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
R1(config-if)#ppp authentication pap

Here is the configuration of the PAP client:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp pap sent-username ROUTER2 password cisco
R2(config-if)#end
R2#
*Mar  1 00:08:40.539: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar  1 00:08:41.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2#

Study the server and client commands above carefully. Also, notice that the moment the correct commands are entered on the client, the link is established.

Now it is time to review the CHAP configuration. We will have the R2 device serve as the CHAP server and the R1 device function as the CHAP client. First, the R2 CHAP server commands:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#username R1 password cisco
R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap

Now the CHAP client configuration on R1:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
interface Serial2/0
 ip address 203.3.18.1 255.255.255.252
 encapsulation ppp
 ppp chap hostname R1
 ppp chap password 0 cisco

Notice that once the matching shared secret password of cisco is placed on the client system, the link is restored.
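
To make the one-way exchange concrete, here is an added example (not part of the original post) that models the CHAP handshake between the R2 server and the R1 client using the packet layout and hash from RFC 1994, with a PAP Authenticate-Request (RFC 1334) built alongside for comparison. It goes beyond the post by showing what crosses the wire; the function names are hypothetical, and only the server side consults a user database.

```python
import hashlib
import hmac
import os
import struct

# Values from the post: R2 (server) holds "username R1 password cisco";
# R1 (client) uses "ppp chap hostname R1" / "ppp chap password 0 cisco".
SERVER_USER_DB = {"R1": b"cisco"}      # only the authenticator needs a user database
CLIENT_NAME, CLIENT_SECRET = "R1", b"cisco"
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP codes, RFC 1994

def chap_packet(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_chap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length].decode()

def chap_hash(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def server_challenge(ident, server_name="R2"):
    return chap_packet(CHALLENGE, ident, os.urandom(16), server_name)

def client_respond(challenge_pkt, name=CLIENT_NAME, secret=CLIENT_SECRET):
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    return chap_packet(RESPONSE, ident, chap_hash(ident, secret, challenge), name)

def server_verify(challenge_pkt, response_pkt, user_db=SERVER_USER_DB):
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    code, r_ident, value, peer = parse_chap(response_pkt)
    secret = user_db.get(peer)         # looked up by the name the client sent
    ok = (code == RESPONSE and r_ident == ident and secret is not None
          and hmac.compare_digest(value, chap_hash(ident, secret, challenge)))
    return SUCCESS if ok else FAILURE

def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): the password itself is on the wire."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

if __name__ == "__main__":
    ch = server_challenge(ident=1)
    print("CHAP result code:", server_verify(ch, client_respond(ch)))
    print("PAP request bytes:", pap_request(1, b"ROUTER2", b"cisco"))
```

The CHAP packets carry only the random challenge and its MD5 digest, while the PAP request contains the password bytes as typed, so a response captured for one challenge does not verify against the next.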
