Answers: PAP 2

Unidirectional PAP authentication – sounds like a lot to do, but it just takes a few commands. Check out the requirements back in the lab post, create your answers, and come back here to check your work.
Answers
Figure 1: Two Routers with IP Subnets
Example 3: R1 Config
username ciscouser secret cisco
!
interface Serial0/0/0
 ip address 192.100.120.1 255.255.255.240
 encapsulation ppp
 ppp authentication pap
Example 4: R2 Config
interface Serial0/0/1
 ip address 192.100.120.14 255.255.255.240
 encapsulation ppp
 ppp pap sent-username ciscouser password cisco
Commentary
One of the primary reasons that engineers prefer to select the Point-to-Point Protocol (PPP) over High-Level Data Link Control (HDLC) is that it supports authentication. Specifically, it supports two different PPP authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
PAP offers both a unidirectional authentication method and a bidirectional authentication method, both of which use a simple username/password combination. Unfortunately, PAP also transmits this information over the line in cleartext. This is the reason that engineers typically select CHAP. CHAP provides a bidirectional authentication method that also utilizes a username/password combination, but instead of transmitting this information over the line in cleartext it takes advantage of MD5 hashing; when using this method, only a calculated hash is ever sent over the line.
The example begins with no IP addresses configured on the serial interfaces. So, the first few steps require the ip address command on each router’s serial interface, to match the figure, plus the encapsulation ppp command to enable PPP on both ends of the link.
For unidirectional PAP authentication on a leased line, the configuration differs for the router being authenticated (R2 in this case, acting as the PAP client), and the authenticating router (R1 in this case, acting as the PAP server). The server (R1) needs to be configured with the ppp authentication pap command, which tells R1 to act as a server and expect a username/password to arrive on this interface, and a username global command, that defines that username/password. (Check out the figure showing the requirements and flow in the ICND2 Cert Guide.) The client (R2 in this case) does not use either of those commands, instead using the subcommand ppp pap sent-username ciscouser password cisco on the serial interface, telling R2 to act as a PAP client and to send this particular username/password pair.
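To make the cleartext point from the commentary concrete, the following added example (not part of the original lab or the book) encodes the PAP Authenticate-Request that R2 would send with the credentials from Example 4, decodes it the way a capture on the link would, and builds the equivalent CHAP Response for comparison. The packet layouts follow RFC 1334 and RFC 1994; the CHAP name "R2", the identifier value and the fixed challenge bytes are assumptions made for the illustration.

```python
import hashlib
import struct

PAP_AUTH_REQUEST = 1  # RFC 1334 Authenticate-Request code
CHAP_RESPONSE = 2     # RFC 1994 Response code


def build_pap_request(identifier: int, username: str, password: str) -> bytes:
    """Encode a PAP Authenticate-Request (the payload R2 sends to R1)."""
    user, pw = username.encode(), password.encode()
    data = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(data)) + data


def parse_pap_request(packet: bytes) -> tuple:
    """Decode the request the way a capture on the link would: no key needed."""
    if len(packet) < 6:
        raise ValueError("too short for a PAP Authenticate-Request")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != PAP_AUTH_REQUEST or length != len(packet):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = packet[4]
    if 6 + ulen > len(packet):
        raise ValueError("truncated Peer-ID")
    plen = packet[5 + ulen]
    if 6 + ulen + plen != len(packet):
        raise ValueError("password length does not match packet length")
    return packet[5:5 + ulen].decode(), packet[6 + ulen:].decode()


def chap_response_value(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 value: MD5(identifier octet || shared secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build_chap_response(identifier: int, name: str, secret: str, challenge: bytes) -> bytes:
    """Encode a CHAP Response; only the 16-byte hash and the name are sent."""
    value = chap_response_value(identifier, secret, challenge)
    data = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(data)) + data


if __name__ == "__main__":
    pap = build_pap_request(1, "ciscouser", "cisco")  # credentials from Example 4
    print("PAP on the wire :", pap.hex(), "->", parse_pap_request(pap))
    challenge = bytes(range(16))  # constructed; a real authenticator sends random bytes
    chap = build_chap_response(1, "R2", "cisco", challenge)  # name "R2" is assumed
    print("CHAP on the wire:", chap.hex())
    print("password visible in PAP :", b"cisco" in pap)
    print("password visible in CHAP:", b"cisco" in chap)
```

Because the CHAP value depends on the challenge, a response captured for one challenge does not match the next one, whereas the PAP request is identical on every attempt.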
I had a little trouble getting this to work following your book since it doesn’t mention how ppp authentication pap is required on the interface receiving the authentication attempt. This is a great lab / blog post to demonstrate it though, thank you!

Sure thing! Glad you enjoy these – I know I like working on them!