1. PAP
Password Authentication Protocol (PAP) sends the username and password over the ISDN link in clear-text. Sending any passwords over any WAN link in clear-text is generally a bad idea, but it's important to know you have this option.
Regarding both PAP and CHAP, it's a common misunderstanding that each side must authenticate the other. PAP and CHAP both support bidirectional and unidirectional authentication; that is, R1 can authenticate R2 without R2 necessarily authenticating R1. It's more common to use unidirectional authentication in a lab environment than a production network, but keep in mind that bidirectional authentication is an option, not a requirement.
The configurations of PAP and CHAP do have their similarities. For both, you'll configure a username/password combination in global configuration mode. Newcomers to ISDN sometimes put the local router name in for the username; remember that the username in the `username` command is the remote router's name, because it is the name the remote router presents when it authenticates.
The only real advantage of PAP over CHAP comes in the password configuration. Since PAP actually sends the password as a whole over the link, the two routers can send different passwords during authentication. The operation of CHAP requires that both routers use the same password, and we'll see why in tomorrow's article.
R1:
username R2 password CISCO
interface bri0
encapsulation ppp
ppp authentication pap
PAP requires an extra command at this point. The ppp pap sent-username command is required under the interface, indicating the username and password this router will be sending to the remote router.
R2:
interface bri0
encapsulation ppp
ppp pap sent-username R2 password CISCO
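To make the clear-text point concrete, here is an added example (not part of the original article, and not Cisco code) that builds and parses a PAP Authenticate-Request as laid out in RFC 1334: Code, Identifier, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password. The sample credentials are the ones from the configuration above (username R2, password CISCO) and are constructed for the demonstration; the helper names are assumptions. Anyone who can see the frame can read both fields directly, which is why a defender reviewing a capture of a PAP link should treat it as a credential leak.

```python
import struct

# PAP Code field value for Authenticate-Request (RFC 1334, section 2.2.1).
PAP_AUTHENTICATE_REQUEST = 1


def build_pap_request(identifier: int, peer_id: str, password: str) -> bytes:
    """Encode a PAP Authenticate-Request exactly as it crosses the PPP link.

    The layout is Code (1 byte), Identifier (1), Length (2, whole packet),
    Peer-ID-Length (1), Peer-ID, Passwd-Length (1), Password.
    """
    pid = peer_id.encode()
    pw = password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTHENTICATE_REQUEST, identifier, 4 + len(body)) + body


def parse_pap_request(frame: bytes) -> dict:
    """Decode an Authenticate-Request back into its fields.

    This is the same work a protocol analyser does on a captured frame:
    no key or secret is needed, the credentials are simply there.
    """
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTHENTICATE_REQUEST:
        raise ValueError("not a PAP Authenticate-Request (code %d)" % code)
    if length != len(frame):
        raise ValueError("PAP length field does not match frame size")
    pos = 4
    pid_len = frame[pos]
    pos += 1
    peer_id = frame[pos:pos + pid_len].decode()
    pos += pid_len
    pw_len = frame[pos]
    pos += 1
    password = frame[pos:pos + pw_len].decode()
    return {"code": code, "id": identifier, "peer_id": peer_id, "password": password}


def credentials_visible(frame: bytes, username: str, password: str) -> bool:
    """True when both the username and the password appear verbatim in the frame."""
    return username.encode() in frame and password.encode() in frame


if __name__ == "__main__":
    # Constructed sample: what R2 sends after 'ppp pap sent-username R2 password CISCO'.
    frame = build_pap_request(1, "R2", "CISCO")
    print(frame.hex())
    print(parse_pap_request(frame))
```

Running the block prints the raw bytes and the decoded fields; the username and password are readable in the hex dump without any decoding beyond locating the length prefixes.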
2. CHAP
Unlike PAP, CHAP does not actually send a password over the line. Instead, a hash value computed from the password and a random challenge value (the "magic number") is sent. The receiving router computes the same hash from the password it has stored; unless the two hashes match, authentication is not successful.
By default, the router sends its hostname for authentication when using CHAP. The router on the other side does a lookup in its local database, RADIUS server, or TACACS+ server, and finds the password that is paired with that username. If there is no matching username in the database, the password specified with the interface-level command ‘ppp chap password’ is used as the default password.
Here is the basic configuration for CHAP. This is one-way authentication.
R1:
username Router2 password CISCO
int ser 1/0
encap ppp
ppp authentication chap
R2:
username R1 password CISCO
int ser 1/0
encap ppp
ppp chap hostname Router2   ! must match the username entry in R1's local database
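The following added example (not part of the original article, and not Cisco's implementation) models the one-way CHAP exchange from RFC 1994 behind the configuration above: R1 issues a challenge, R2 answers with its configured hostname and MD5(Identifier || secret || Challenge), and R1 looks the name up in its `username` database, falling back to a default secret standing in for `ppp chap password` when the name is absent. Class and function names, the sample names R1/Router2 and the password CISCO are constructed for the demonstration. It shows why both routers must hold the same password (the hash is only reproducible from an identical secret), why the default-password fallback matters, and that the secret itself never appears on the wire.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# CHAP Code field values from RFC 1994.
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over Identifier, the shared secret and the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build_chap_packet(code: int, identifier: int, value: bytes, name: str) -> bytes:
    """Encode a Challenge or Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap_packet(packet: bytes) -> dict:
    """Decode a Challenge or Response packet into its fields."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("CHAP length field does not match packet size")
    value_size = packet[4]
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:].decode()
    return {"code": code, "id": identifier, "value": value, "name": name}


class ChapAuthenticator:
    """The 'ppp authentication chap' side (R1 in the article's configuration).

    local_users models the global 'username <name> password <pw>' entries;
    default_secret models the interface-level 'ppp chap password' fallback.
    """

    def __init__(self, local_users: dict, hostname: str = "R1",
                 default_secret: Optional[str] = None):
        self.local_users = dict(local_users)
        self.hostname = hostname
        self.default_secret = default_secret

    def challenge(self, identifier: int, challenge: Optional[bytes] = None) -> bytes:
        # A fresh random challenge per attempt is what makes a captured response unreplayable.
        if challenge is None:
            challenge = os.urandom(16)
        return build_chap_packet(CHAP_CHALLENGE, identifier, challenge, self.hostname)

    def verify(self, challenge_packet: bytes, response_packet: bytes) -> bool:
        ch = parse_chap_packet(challenge_packet)
        rs = parse_chap_packet(response_packet)
        if rs["code"] != CHAP_RESPONSE or rs["id"] != ch["id"]:
            return False
        # Look the peer's sent hostname up; fall back to the default secret if unknown.
        secret = self.local_users.get(rs["name"], self.default_secret)
        if secret is None:
            return False
        expected = chap_hash(ch["id"], secret, ch["value"])
        return hmac.compare_digest(expected, rs["value"])


def chap_peer_respond(challenge_packet: bytes, sent_hostname: str, secret: str) -> bytes:
    """The responding side (R2): 'ppp chap hostname <sent_hostname>' plus its password."""
    ch = parse_chap_packet(challenge_packet)
    value = chap_hash(ch["id"], secret, ch["value"])
    return build_chap_packet(CHAP_RESPONSE, ch["id"], value, sent_hostname)


def run_one_way_chap(authenticator: ChapAuthenticator, peer_hostname: str,
                     peer_secret: str, identifier: int = 1,
                     challenge: Optional[bytes] = None):
    """Run the exchange and return (authenticated, response_packet) for inspection."""
    chal = authenticator.challenge(identifier, challenge)
    resp = chap_peer_respond(chal, peer_hostname, peer_secret)
    return authenticator.verify(chal, resp), resp


if __name__ == "__main__":
    r1 = ChapAuthenticator({"Router2": "CISCO"})
    ok, resp = run_one_way_chap(r1, "Router2", "CISCO")
    print("authenticated:", ok)
    print("response on the wire:", resp.hex())
```

A mismatched password, or a sent hostname that R1 has no `username` entry for and no default secret to fall back on, fails in `verify` without any secret crossing the link; the response packet carries only the hostname and the 16-byte hash.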