to use the show interfaces command to
display statistics for interfaces configured on the router or
access server.

3.2 PPP Authentication

3.2.3 PPP authentication protocols

The authentication phase of a PPP session is optional. After the
link has been established and the authentication protocol chosen,
the peer can be authenticated. If it is used, authentication takes
place before the network layer protocol configuration phase begins.

The authentication options require that the calling side of the
link enter authentication information. This helps to ensure that
the user has the permission of the network administrator to make
the call. Peer routers exchange authentication messages.

When configuring PPP authentication, the network administrator can
select Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP). In general, CHAP is the
preferred protocol.

3.2.4 Password Authentication Protocol (PAP)

PAP provides a simple method for a remote node to establish its
identity, using a two-way handshake. After the PPP link
establishment phase is complete, a username/password pair is
repeatedly sent by the remote node across the link until
authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication protocol. Passwords are sent
across the link in clear text and there is no protection from
playback or repeated trial-and-error attacks. The remote node is in
control of the frequency and timing of the login attempts.

Web Links
Configuring and Troubleshooting PPP Password Authentication
Protocol (PAP)
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a0080093c6f.shtml

3.2.5 Challenge Handshake Authentication Protocol (CHAP)

CHAP is used at the startup of a link and periodically verifies the
identity of the remote node using a three-way handshake. CHAP is
performed upon initial link establishment and is repeated during
the time the link is established.

After the PPP link establishment phase is complete, the local
router sends a "challenge" message to the remote node. The remote
node responds with a value calculated using a one-way hash
function, which is typically Message Digest 5 (MD5). This response
is based on the password and challenge message. The local router
checks the response against its own calculation of the expected
hash value. If the values match, the authentication is
acknowledged; otherwise the connection is immediately terminated.

CHAP provides protection against playback attack through the use of
a variable challenge value that is unique and unpredictable. Since
the challenge is unique and random, the resulting hash value will
also be unique and random. The use of repeated challenges is
intended to limit the time of exposure to any single attack. The
local router or a third-party authentication server is in control
of the frequency and timing of the challenges.

Lab Activity
e-Lab Activity: ppp chap hostname hostname
In this activity, the student will demonstrate how to use the
ppp chap hostname hostname command to create a pool of dialup
routers.

Web Links
Understanding and Configuring PPP CHAP Authentication
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml
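
The CHAP exchange described above, as an added example that is not part of the original course text: the local router issues a random challenge, the remote node answers with MD5 over the identifier, shared secret and challenge (the RFC 1994 construction), and a response captured from one exchange fails against the next challenge. The class name, peer name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class LocalRouter:
    """Authenticator side: issues challenges and checks the peer's response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # peer name -> shared secret
        self.next_id = 0
        self.pending = {}        # identifier -> the one outstanding challenge

    def challenge(self) -> tuple:
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        value = os.urandom(16)           # unique and unpredictable
        self.pending = {ident: value}    # a new challenge retires the old one
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-sample-secret"       # constructed, not from the page
    local = LocalRouter({"remote-node": secret})

    ident, value = local.challenge()
    captured = chap_response(ident, secret, value)   # what crosses the link
    fresh = local.verify(ident, "remote-node", captured)

    # Periodic re-authentication: the captured response no longer matches.
    ident2, _ = local.challenge()
    replayed = local.verify(ident2, "remote-node", captured)

    ident3, value3 = local.challenge()
    wrong = local.verify(ident3, "remote-node",
                         chap_response(ident3, b"guess", value3))
    return {"fresh": fresh, "replayed": replayed, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo())
```

Only the hash crosses the link, never the secret itself, which is the contrast with PAP's clear-text password.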

3.2.6 PPP encapsulation and authentication process

When the encapsulation ppp command is used, either PAP or CHAP
authentication can be optionally added. If no authentication is
specified, the PPP session starts immediately. If authentication is
required, the process proceeds through the following steps:
- The method of authentication is determined.
- The local database or security server, which has a username and
  password database, is checked to see if the given username and
  password pair matches.
- The process checks the authentication response sent back from the
  local database. If it is a positive response, the PPP session is
  started. If negative, the session is terminated.

The Figure and corresponding Figure details the CHAP authentication
process.

Interactive Media Activity
Drag and Drop: PPP Encapsulation and Authentication Process
When the student has completed this activity, the student will know
the steps in the PPP authentication process.

3.3 Configuring PPP

3.3.1 Introduction to configuring PPP

Configurable aspects of PPP include methods of authentication,
compression, error detection, and whether or not multilink is
supported. The following section describes the different
configuration options for PPP. Cisco routers that use PPP
encapsulation may include the LCP configuration options described
in Figure .

3.3.2 Configuring PPP

The following example enables PPP encapsulation on serial
interface 0/0:

    Router#configure terminal
    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp

Point-to-point software compression can be configured on serial
interfaces that use PPP encapsulation. Compression is performed in
software and might significantly affect system performance.
Compression is not recommended if most of the traffic consists of
compressed files. To configure compression over PPP, enter the
following commands:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#compress [predictor | stac]

Enter the following to monitor the data dropped on the link, and
avoid frame looping:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#ppp quality percentage

The following commands perform load balancing across multiple
links:

    Router(config)#interface serial 0/0
    Router(config-if)#encapsulation ppp
    Router(config-if)#ppp multilink

Lab Activity
Lab Exercise: Configuring PPP Encapsulation
In this lab, the student will configure a serial interface on the
Washington and Dublin routers with the PPP protocol.

Lab Activity
e-Lab Activity: Configuring PPP Protocol
In this lab, the student will configure a serial interface on the
Washington and Dublin routers with the PPP protocol.

3.3.3 Configuring PPP authentication

The procedure outlined in the table describes how to configure PPP
encapsulation and PAP/CHAP authentication protocols. Correct
configuration is essential, since PAP and CHAP will use these
parameters to authenticate.

Figure is an example of a two-way PAP authentication configuration.
Both routers authenticate and are authenticated, so the PAP
authentication commands mirror each other. The PAP username and
password that each router sends must match those specified with the
username name password password command of the other router.

PAP provides a simple method for a remote node to establish its
identity using a two-way handshake. This is done only upon initial
link establishment. The hostname on one router must match the
username the other router has configured. The passwords must also
match.

CHAP is used to periodically verify the identity of the remote node
using a 3-way handshake. The hostname on one router must match the
username the other router has configured. The passwords must also
match. This is done upon initial link establishment and can be
repeated any time after the link has been established.

Lab Activity
Lab Exercise: Configuring PPP Authentication
In this lab, the student will configure a serial interface on the
Madrid and Tokyo routers.

Lab Activity
e-Lab Activity: Configuring PPP Authentication
In this lab, the student will configure a serial interface on the
Madrid and Tokyo routers.

Lab
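
The mirrored-credential rule from section 3.3.3 (each hostname must appear as a username on the other router, with matching passwords), as an added example that is not part of the original course text: a small check run over two constructed router configurations. It assumes plain `username name password password` lines without an encryption-type digit, and the passwords shown are placeholders.

```python
import re

# Constructed sample configurations; router names follow the lab text.
MADRID = """\
hostname Madrid
username Tokyo password sample-secret
interface serial 0/0
 encapsulation ppp
 ppp authentication chap
"""
TOKYO = """\
hostname Tokyo
username Madrid password sample-secert
interface serial 0/0
 encapsulation ppp
 ppp authentication pap
"""


def parse(config: str) -> dict:
    """Pull out the settings that PPP authentication depends on."""
    host = re.search(r"^hostname (\S+)", config, re.M)
    lines = re.findall(r"^\s*ppp authentication (.+)$", config, re.M)
    return {
        "hostname": host.group(1) if host else None,
        "users": dict(re.findall(r"^username (\S+) password (\S+)", config, re.M)),
        "methods": [m for line in lines for m in line.split()],
        "ppp": bool(re.search(r"^\s*encapsulation ppp\s*$", config, re.M)),
    }


def check_pair(a: str, b: str) -> list:
    """Return findings for two routers that should authenticate each other."""
    ra, rb = parse(a), parse(b)
    findings = []
    for local, peer in ((ra, rb), (rb, ra)):
        name = local["hostname"]
        if not local["ppp"]:
            findings.append(f"{name}: encapsulation ppp is missing")
        if peer["hostname"] not in local["users"]:
            findings.append(f"{name}: no username entry for {peer['hostname']}")
        if "pap" in local["methods"]:
            findings.append(f"{name}: PAP sends the password in clear text")
    pw_a = ra["users"].get(rb["hostname"])
    pw_b = rb["users"].get(ra["hostname"])
    if pw_a is not None and pw_b is not None and pw_a != pw_b:
        findings.append("passwords in the two username entries do not match")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(MADRID, TOKYO)))
```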