As a network engineer, you have most probably already dealt with PPP authentication at least once or twice in your daily operations. Even more so, if you are going for a Cisco certification (and not only) you should know a few things about PPP authentication. For today, I've planned to deal with back-to-back PPP authentication.
For this back-to-back scenario, we have the following simple topology:
When we talk about PPP authentication on an end-to-end line, we are dealing with 3 major authentication methods:
– PAP
– CHAP
– EAP
Now, when we think about security, we can easily see that PAP is the least secure one and CHAP or EAP are the stronger ones.
PAP (Password Authentication Protocol) transmits unencrypted ASCII passwords over the network and is therefore considered insecure. It should be used only as a last resort, when the remote server does not support a stronger authentication protocol like CHAP or EAP.
CHAP (Challenge-Handshake Authentication Protocol) is a more secure protocol, as it uses a three-way handshake and the shared secret (password) is never sent on the wire. Instead, an MD5 hash is calculated from the shared secret and the challenge, and this hash is what is sent to the other peer.
EAP (Extensible Authentication Protocol) is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined.
When we think of the direction of PPP authentication, there are 2 types:
– one-way authentication
– two-way authentication
Pretty obvious, no?
OK, enough with the theory. If you need a deeper understanding of PPP, there is always the Internet. Next, I will show you some simple examples of PPP authentication using PAP, CHAP and EAP.
PAP type authentication
Let's assume that in the scenario above, R1 is sending a challenge to R2. Very important! In the PPP authentication configuration, you don't have to do anything to respond to a challenge. This is done automatically.
R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication pap

R2
int s0/0
encapsulation ppp
ppp pap sent-user R2 password cisco
Actually, that's it. As I said, pretty simple. You configure R1 to send an authentication challenge to R2 with "ppp authentication pap". R2 has to reply to this challenge with the username and password defined with "ppp pap sent-user R2 password cisco". This username and password have to be defined on R1. Whatever username and password you define on the challenged side to be sent back, that same information has to be defined on the challenger.
CHAP authentication type
Configuring CHAP is even easier. In the example below, I will configure R2 to send a CHAP challenge to R1.
R1
username R2 password cisco
int s0/0
encapsulation ppp

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication chap
By default, CHAP sends the router hostname as the username in the three-way handshake, so there is no need to specify which user to send, as in the PAP method. As I said before, this method is more secure than PAP.
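To make the PAP versus CHAP difference concrete, here is a small Python simulation of both exchanges. It is added here as an illustration and is not code from the original article or from Cisco: the two username dictionaries stand in for the "username <peer> password <secret>" lines of the configs above, the messages are simplified dictionaries rather than real PPP frames, and the response hash follows RFC 1994 (MD5 over Identifier, secret and Challenge Value). It shows why both routers need each other's username entry with the same password, that the secret itself never appears on the wire with CHAP, and that a captured CHAP response is useless against a fresh challenge.

```python
import hashlib
import hmac
import os

# Constructed local username databases, mirroring the
# "username <peer> password <secret>" lines on R1 and R2.
R1_USERS = {"R2": b"cisco"}
R2_USERS = {"R1": b"cisco"}


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """Payload of a PAP Authenticate-Request (RFC 1334): the password goes as-is."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_handshake(challenger, challenger_users, responder, responder_users,
                   challenge=None, identifier=1):
    """Simulate the CHAP three-way handshake between two PPP peers.

    Each peer is named by its hostname (what IOS sends by default) and holds
    its own username database. Returns (success, wire_messages).
    """
    challenge = os.urandom(16) if challenge is None else challenge
    # 1. Challenge: a fresh random value plus the challenger's hostname.
    m1 = {"code": "Challenge", "id": identifier, "value": challenge, "name": challenger}
    # 2. Response: the responder looks up the challenger's name in its own
    #    username database and hashes its copy of the secret with the challenge.
    secret = responder_users.get(m1["name"])
    if secret is None:
        return False, [m1, {"code": "Failure", "id": identifier}]
    m2 = {"code": "Response", "id": identifier,
          "value": chap_response(identifier, secret, challenge), "name": responder}
    # 3. Success/Failure: the challenger recomputes the hash with the secret it
    #    holds for the responder's name and compares it in constant time.
    expected = challenger_users.get(m2["name"])
    ok = expected is not None and hmac.compare_digest(
        chap_response(identifier, expected, challenge), m2["value"])
    m3 = {"code": "Success" if ok else "Failure", "id": identifier}
    return ok, [m1, m2, m3]


def secret_on_wire(messages, secret: bytes) -> bool:
    """True if the shared secret appears verbatim in any message field."""
    return any(secret in v for m in messages for v in m.values() if isinstance(v, bytes))


def replayed_response_accepted(messages) -> bool:
    """Check a captured Response against a new random Challenge (should be False)."""
    captured = next(m for m in messages if m["code"] == "Response")
    fresh = chap_response(captured["id"], R2_USERS["R1"], os.urandom(16))
    return hmac.compare_digest(fresh, captured["value"])


if __name__ == "__main__":
    # PAP: R2 sends its username and password; "cisco" is readable on the wire.
    print("PAP request:", pap_authenticate_request(b"R2", b"cisco"))
    # CHAP as in the article: R2 challenges R1.
    ok, msgs = chap_handshake("R2", R2_USERS, "R1", R1_USERS)
    print("CHAP success:", ok, "| secret on wire:", secret_on_wire(msgs, b"cisco"))
    # Password mismatch on one side: the handshake fails.
    print("mismatch:", chap_handshake("R2", R2_USERS, "R1", {"R2": b"wrong"})[0])
```

The mismatch case is the one you meet most often when a CHAP link stays down: the challenger's "username" entry for the peer's hostname is missing or has a different password, so the recomputed hash never matches.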
EAP authentication type
To be honest, I haven't seen too many PPP connections being authenticated with EAP, but it is there and I have seen it in some CCIE lab topics, so you should keep an eye on it. Like the other two methods, this one is easy to implement and offers a more secure level of authentication than PAP.
R1
username R2 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R1
ppp eap password cisco
ppp eap local

R2
username R1 password cisco
int s0/0
encapsulation ppp
ppp authentication eap
ppp eap identity R2
ppp eap password cisco
ppp eap local
I believe the command syntax tells pretty much all there is. With "identity" you define the user to be sent to the peer, "password" is what the word says, and the last option, "local", is the important one. By default, EAP needs a RADIUS server for authentication. If you don't have one (exams, quick testing…), you want EAP to use the local username database instead of RADIUS.
These are the basics of PPP authentication. Even if they are not so much in use anymore, try to remember these small steps, as you might need them sometime.