Cisco routers support two main authentication methods on PPP links – PAP and CHAP. One benefit of configuring PPP authentication is that it allows routers to be sure of the identity of the router at the other end of a link. PPP authentication is optional, and is often not configured on dedicated PPP links like leased lines. Recall, however, that PPP is the standard protocol used for dial-up connections. As such, a company might configure a demand-dial connection (using modems or ISDN) between two locations. In such a case, using PPP authentication would be a very good idea, in order to verify the identity of a router attempting to make a connection.
Although two authentication choices exist for PPP connections, you should make a point of avoiding the Password Authentication Protocol (PAP). PAP sends the username and password across the link in cleartext inside its Authenticate-Request packet, meaning that this information can be captured and read by anyone with a protocol analyzer such as Ethereal (now Wireshark) or Sniffer on the link.
A much better choice for PPP authentication is the Challenge Handshake Authentication Protocol (CHAP). CHAP uses a “challenge” technique to authenticate hosts rather than sending the password itself along with the connection request. The process begins with the authenticating router sending a Challenge packet containing an identifier, a random challenge value, and its own hostname. The router being authenticated computes a one-way MD5 hash over the identifier, the shared password configured for that peer, and the challenge value, and returns the result in a Response packet along with its own hostname (you’ll look at the configuration shortly). The authenticating router looks up the password it has stored for the hostname in the Response, computes the same hash, and compares the two; if they match, the remote router is authenticated and the connection is permitted. Because the challenge value is random and changes each time, a captured Response cannot simply be replayed later. Two caveats are worth keeping in mind. First, the password never crosses the link, but a captured challenge/response pair can still be attacked offline by guessing passwords and recomputing the MD5 hash, so the shared password must be long and random. Second, CHAP does not protect the data that follows authentication; it only verifies who is at the other end. CHAP also supports mutual authentication, and on Cisco routers configuring it on both ends of a link means each router challenges the other.
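To make the exchange concrete, the following is an added worked example (not code from the original article and not Cisco’s implementation) that models the CHAP Challenge and Response packets of RFC 1994 between the two routers used in this page, with PAP shown beside it for contrast. The user databases, hostnames and the shared password are constructed sample data mirroring the configuration that follows; the helper and function names are the example’s own. Beyond the basic exchange, it shows the mutual authentication both routers perform, why a replayed Response fails, and the offline dictionary attack that a captured exchange still permits.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: the local user databases that the two
# "username ... password ..." lines in the configs would create.
# Each router stores the PEER's hostname together with the shared secret.
TORONTO_USERS = {"accra": "ppp-is-fun"}
ACCRA_USERS = {"toronto": "ppp-is-fun"}


@dataclass
class Challenge:
    """CHAP Challenge packet (RFC 1994, code 1): identifier, random value, sender's hostname."""
    ident: int
    value: bytes
    name: str


@dataclass
class Response:
    """CHAP Response packet (code 2): same identifier, 16-byte MD5 digest, responder's hostname."""
    ident: int
    value: bytes
    name: str


def chap_hash(ident: int, secret: str, challenge_value: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value.
    Only this digest goes on the wire, never the secret itself."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge_value).digest()


def make_challenge(my_name: str, ident: int, rng=os.urandom) -> Challenge:
    """Authenticator side: a fresh random value for every challenge defeats replay."""
    return Challenge(ident, rng(16), my_name)


def respond(challenge: Challenge, my_name: str, secret: str) -> Response:
    """Peer side: hash the received challenge with the secret configured for the authenticator."""
    return Response(challenge.ident, chap_hash(challenge.ident, secret, challenge.value), my_name)


def verify(challenge: Challenge, response: Response, local_users: dict) -> bool:
    """Authenticator side: recompute the digest with the secret stored for the hostname
    carried in the Response and compare. This needs the cleartext secret locally, which
    is why CHAP requires 'username ... password' rather than a one-way hashed 'secret'."""
    if response.ident != challenge.ident:
        return False
    secret = local_users.get(response.name)
    if secret is None:
        return False
    expected = chap_hash(challenge.ident, secret, challenge.value)
    return hmac.compare_digest(expected, response.value)


def pap_authenticate_request(name: str, password: str) -> bytes:
    """PAP (RFC 1334) Authenticate-Request payload, for contrast: length-prefixed
    peer ID and password, both sent as-is, so a sniffer on the link reads them."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password.encode()


def run_mutual_exchange(toronto_secret="ppp-is-fun", accra_secret="ppp-is-fun"):
    """Both routers have 'ppp authentication chap', so each challenges the other.
    Returns (toronto_accepts_accra, accra_accepts_toronto)."""
    c1 = make_challenge("toronto", ident=1)          # Toronto challenges Accra
    r1 = respond(c1, "accra", accra_secret)
    toronto_ok = verify(c1, r1, TORONTO_USERS)
    c2 = make_challenge("accra", ident=7)            # Accra challenges Toronto
    r2 = respond(c2, "toronto", toronto_secret)
    accra_ok = verify(c2, r2, ACCRA_USERS)
    return toronto_ok, accra_ok


def replay_attack_succeeds() -> bool:
    """Capture Accra's Response to one challenge and replay it against a later one
    that reuses the same identifier; the fresh random value makes the digest differ."""
    c_old = make_challenge("toronto", ident=1)
    captured = respond(c_old, "accra", "ppp-is-fun")
    c_new = make_challenge("toronto", ident=1)
    return verify(c_new, captured, TORONTO_USERS)


def offline_dictionary_attack(challenge: Challenge, response: Response, wordlist):
    """What a sniffer CAN do with CHAP: the secret is the only unknown input to the
    MD5, so a captured challenge/response pair is an offline password-guessing target."""
    for guess in wordlist:
        if chap_hash(challenge.ident, guess, challenge.value) == response.value:
            return guess
    return None


if __name__ == "__main__":
    print("mutual CHAP result:", run_mutual_exchange())
    print("PAP on the wire:", pap_authenticate_request("accra", "ppp-is-fun"))
    c = make_challenge("toronto", ident=3)
    r = respond(c, "accra", "ppp-is-fun")
    print("cracked from capture:", offline_dictionary_attack(c, r, ["cisco", "password", "ppp-is-fun"]))
```

The hostname in each Response is what the authenticator uses to pick the stored password, which is why the `username` line on each router must name the other router exactly. The dictionary attack at the end is the practical reason a weak shared password undoes most of CHAP’s advantage over PAP.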
The configuration of PAP or CHAP requires that both routers be configured with a hostname, as well as an appropriate username and password combination for authentication purposes. The network used in this example is illustrated in the figure below.
Both routers need to be configured properly in order for PPP authentication to work. The username specified on the Toronto router must be the hostname of the connecting router (accra in this case), because that is the name Accra sends in its CHAP Response, and the passwords configured on both routers must be identical. Note that CHAP needs the cleartext password to compute its hash, so the username must be created with the password keyword; a username created with the secret keyword (which stores only a one-way hash) cannot be used for CHAP. The password therefore sits in the running configuration in the clear, and service password-encryption only applies the easily reversed type 7 obfuscation, so protect configuration backups and console access accordingly. The configuration of the Toronto router would be as follows:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname toronto
toronto(config)#username accra password ppp-is-fun
Similar steps need to be taken on the Accra router, although the username specified this time would be toronto.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname accra
accra(config)#username toronto password ppp-is-fun
After these steps have been completed, PPP encapsulation and an authentication mechanism need to be specified on the appropriate interfaces. Cisco serial interfaces use HDLC encapsulation by default, so the interface must first be switched to PPP (this command is added here for completeness). For example, the configuration of CHAP on the Toronto router’s S0 interface would be:
toronto(config)#int s0
toronto(config-if)#encapsulation ppp
toronto(config-if)#ppp authentication chap
Similarly, the configuration of CHAP on the Accra router would be as follows:
accra(config)#int s1
accra(config-if)#encapsulation ppp
accra(config-if)#ppp authentication chap
The command to use PAP authentication is ppp authentication pap. Both methods can be listed on one interface, for example ppp authentication chap pap. In that case the router proposes the first method during LCP negotiation and falls back to the second only if the peer refuses to negotiate the first; a failed password check does not trigger the fallback. Be aware that listing PAP as a fallback lets any peer that declines CHAP downgrade the link to cleartext authentication, so it should be omitted unless a legacy peer genuinely requires it. On dial-in links where only the caller needs to be verified, ppp authentication chap callin restricts the challenge to incoming connections. Again, PAP authentication should generally be avoided as a security best practice.