PPP Authentication

From CCIE Study Wiki


Theory


  • PPP authentication uses either CHAP or PAP. Both protocols require the connecting routers to provide a name (either a username or the device's hostname) and a password for authentication. Either a locally defined password or AAA can be used.
  • PAP is a simple request/reply authentication protocol. It sends its data in clear text, so it is not very secure.
  • CHAP does not send its results in clear text and never actually sends the password across the line. Instead, an encryption computation is performed on the password, and only that result is sent.
  • To enable either CHAP or PAP, make sure PPP encapsulation is enabled on the interface, enable either CHAP or PAP, and configure the caller username and password.

Commands

  • ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] (interface) - Enables PPP authentication. The if-needed keyword can ONLY be used with TACACS authentication, and the list-name keyword CANNOT be used with TACACS authentication.
  • username name password secret (interface) - Sets the username and password to be used with PPP authentication.
  • ppp use-tacacs [single-line] (interface) OR aaa authentication ppp - Configures the PPP session to use TACACS for authentication.

Default Settings

  • Nothing listed yet

Verification

  • debug ppp negotiations
  • debug ppp packets

Troubleshooting, Tips, and Tricks

  • Nothing listed yet

Online Resources

  • Configuring PPP from the Cisco IOS dial technologies configuration guide.







This page was last modified on 12 October 2009, at 04:14.