Answers: PAP 2

By certskills June 15, 2016 13:10

Unidirectional PAP authentication – sounds like a lot to do, but it just takes a few commands. Check out the requirements back in the lab post, create your answers, and come back here to check your work.


Figure 1: Two Routers with IP Subnets



Example 3: R1 Config


Example 4: R2 Config



One of the primary reasons that engineers select the Point-to-Point Protocol (PPP) over High-Level Data Link Control (HDLC) is that it supports authentication. Specifically, it supports two different PPP authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP offers both a unidirectional authentication method and a bidirectional authentication method, both of which use a simple username/password combination. Unfortunately, PAP also transmits this information over the line in cleartext, which is the reason that engineers typically select CHAP. CHAP provides a bidirectional authentication method that also uses a username/password combination, but instead of transmitting this information in cleartext, it uses MD5 hashing; with this method, only a calculated hash is ever sent over the line.

The example begins with no IP addresses configured on the serial interfaces. So, the first few steps require the ip address command on each router’s serial interface, to match the figure, plus the encapsulation ppp command to enable PPP on both ends of the link.

For unidirectional PAP authentication on a leased line, the configuration differs between the router being authenticated (R2 in this case, acting as the PAP client) and the authenticating router (R1 in this case, acting as the PAP server). The server (R1) needs to be configured with the ppp authentication pap command, which tells R1 to act as a server and expect a username/password to arrive on this interface, and a username global command, which defines that username/password. (Check out the figure showing the requirements and flow in the ICND2 Cert Guide.) The client (R2 in this case) does not use either of those commands, instead using the subcommand ppp pap sent-username ciscouser password cisco on the serial interface, telling R2 to act as a PAP client and to send this particular username/password pair.
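The wire-level difference between PAP and CHAP described above, as an added example (not from the original post or the Cert Guide): it builds the PAP Authenticate-Request that R2's ppp pap sent-username ciscouser password cisco produces, following RFC 1334, and a CHAP Response following RFC 1994 for the same secret. The identifier value, the 16-byte challenge, and the reuse of ciscouser as the CHAP name are constructed for illustration.

```python
import hashlib
import struct

# Credentials from this lab's R2 subcommand (ppp pap sent-username ... password ...)
USERNAME = b"ciscouser"
PASSWORD = b"cisco"


def pap_authenticate_request(ident, peer_id, password):
    """Build a PAP Authenticate-Request (RFC 1334, code 1)."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def parse_pap_request(packet):
    """Recover (peer_id, password) from the packet, validating every length field."""
    if len(packet) < 4:
        raise ValueError("truncated PAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length > len(packet) or length < 6:
        raise ValueError("not a well-formed Authenticate-Request")
    data = packet[4:length]
    id_len = data[0]
    if 1 + id_len >= len(data):
        raise ValueError("peer-id overruns packet")
    peer_id = data[1:1 + id_len]
    pw_len = data[1 + id_len]
    password = data[2 + id_len:2 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("password overruns packet")
    return peer_id, password


def chap_response(ident, name, secret, challenge):
    """Build a CHAP Response (RFC 1994, code 2); value = MD5(id || secret || challenge)."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


if __name__ == "__main__":
    pap = pap_authenticate_request(1, USERNAME, PASSWORD)
    print("PAP request  :", pap.hex(), "->", parse_pap_request(pap))
    challenge = bytes(range(16))  # constructed sample challenge, not from a real link
    chap = chap_response(1, USERNAME, PASSWORD, challenge)
    print("CHAP value   :", chap[5:21].hex(), "(digest only, changes per challenge)")
```

The PAP packet round-trips to the exact username and password, while the CHAP value field is a digest that differs for every challenge the authenticator issues.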



  1. Bryon April 28, 13:35

    I had a little trouble getting this to work following your book since it doesn’t mention how ppp authentication pap is required on the interface receiving the authentication attempt. This is a great lab / blog post to demonstrate it though, thank you!
