PPP Authentication: PAP

RFC 1334 discusses PPP authentication protocols. The Password Authentication Protocol (PAP), protocol value 0xC023, is one of two authentication methods available for PPP. PAP uses a 2-way handshake in which the peer establishes its identity with the authenticator.

The Authentication Phase is optional in PPP. It starts after the Link Establishment Phase has completed successfully, at which point the peer sends the username/password pair to the authenticator.

The authenticator is the end of the link that requires the authentication. It specifies the authentication protocol to be used in the Configure-Request packet during the Link Establishment Phase.

The peer is the other end of the point-to-point link, the end that is authenticated by the authenticator.

PAP is a weak authentication method because the passwords are sent in cleartext. PAP packets are carried in the Information field of a PPP frame with the protocol value set to 0xC023. There are 3 types of PAP packets: Authenticate-Request, Authenticate-ACK and Authenticate-NAK.

The Authenticate-Request packet is used to start PAP. The peer transmits it during the Authentication Phase and sends it repeatedly until a valid reply packet is received. Authenticate-Request packets are accepted only in the Authentication Phase; those received during any other phase are silently discarded.

The authenticator expects multiple Authenticate-Request packets from the peer. If the username/password pair received in an Authenticate-Request packet is acceptable or recognizable, the authenticator replies with an Authenticate-ACK packet.

If the username/password pair received in an Authenticate-Request packet is not recognizable or acceptable, the authenticator replies with an Authenticate-NAK packet.

Configuring PPP PAP Authentication:

PPP PAP authentication requires a globally configured username and password. The username and password combination should be the same as the one sent by the peer.

PAP Configuration on R1 & R2

R1 router:
username R2 password 0 cisco123
!
interface serial 0/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R1 password 0 cisco123
!
R2 router:
username R1 password 0 cisco123
!
interface serial 0/0
 ip address 10.1.1.2 255.255.255.0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username R2 password 0 cisco123
!

Once the LCP state is OPEN, PPP transitions to the Authentication phase. R1 sends, in an Authenticate-Request packet, the username and password pair configured with the ppp pap sent-username R1 password cisco123 command. R2 tries to match this pair against the pair configured globally with the username R1 password cisco123 command. If they match, R2 sends an Authenticate-ACK packet to R1. R1 authenticates R2 in the same way. Once the Authentication phase completes successfully, PPP transitions to the NCP phase.

debug ppp negotiation

!--- Authentication Protocol is negotiated during Link Establishment Phase in Configure-Request packets
00:17:20.211: Se0/0 LCP: I CONFREQ [REQsent] id 222 len 14
00:17:20.211: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.211: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
00:17:20.215: Se0/0 LCP: O CONFACK [REQsent] id 222 len 14
00:17:20.215: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.215: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
00:17:20.235: Se0/0 LCP: I CONFACK [ACKsent] id 14 len 14
00:17:20.235: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.235: Se0/0 LCP:    MagicNumber 0x002003D3 (0x0506002003D3)
!--- Authentication Phase begins after LCP state is OPEN
00:17:20.235: Se0/0 LCP: State is Open
00:17:20.239: Se0/0 PPP: Phase is AUTHENTICATING, by both
00:17:20.283: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:17:20.287: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
00:17:20.291: Se0/0 PPP: Sent PAP LOGIN Request
00:17:20.295: Se0/0 PPP: Received LOGIN Response PASS
00:17:20.295: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:17:20.299: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
00:17:20.299: Se0/0 PPP: Sent LCP AUTHOR Request
00:17:20.303: Se0/0 PPP: Sent IPCP AUTHOR Request
00:17:20.303: Se0/0 LCP: Received AAA AUTHOR Response PASS
00:17:20.307: Se0/0 IPCP: Received AAA AUTHOR Response PASS
00:17:20.355: Se0/0 PPP: Phase is UP
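
The option bytes in parentheses in the LCP lines above are type/length/value triples, so a link that negotiated PAP can be spotted from the debug text alone. The following is an added example, not part of the original page or of Cisco's tooling: it decodes those options, checks them against the packet's len field, and flags PAP links. The function names are hypothetical, and the CHAP value 0xC223 comes from RFC 1334 rather than from this page.

```python
import re

AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}  # protocol values from RFC 1334
HEADER = re.compile(r"(\S+) LCP: ([IO]) (CONF\w+) .*id (\d+) len (\d+)")
OPTION = re.compile(r"(\S+) LCP:\s+\w+.*\(0x([0-9A-Fa-f]+)\)\s*$")

# Sample input: the first two LCP packets from the debug output on this page.
SAMPLE = """\
00:17:20.211: Se0/0 LCP: I CONFREQ [REQsent] id 222 len 14
00:17:20.211: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.211: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
00:17:20.215: Se0/0 LCP: O CONFACK [REQsent] id 222 len 14
00:17:20.215: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.215: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
"""


def decode_option(hex_tlv):
    """Split one LCP option into (type, value); Length counts the whole option."""
    raw = bytes.fromhex(hex_tlv)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError(f"bad option length in 0x{hex_tlv}")
    return raw[0], raw[2:]


def audit_lcp(debug_text):
    """Return one record per LCP packet: negotiated auth protocol and length check."""
    records = []
    for line in debug_text.splitlines():
        head = HEADER.search(line)
        if head:
            records.append({"intf": head[1], "dir": head[2], "kind": head[3],
                            "len": int(head[5]), "seen": 4, "auth": None})
            continue
        opt = OPTION.search(line)
        if opt and records:
            opt_type, value = decode_option(opt[2])
            records[-1]["seen"] += 2 + len(value)  # 4-byte header + each option
            if opt_type == 3:  # Authentication-Protocol option
                proto = int.from_bytes(value[:2], "big")
                records[-1]["auth"] = AUTH_PROTOCOLS.get(proto, hex(proto))
    for rec in records:
        rec["len_ok"] = rec["seen"] == rec["len"]
        rec["cleartext_password"] = rec["auth"] == "PAP"
    return records


if __name__ == "__main__":
    print(audit_lcp(SAMPLE))
```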

The Authenticate-Request and Authenticate-ACK/Authenticate-NAK packets can be viewed using the debug ppp authentication command.

debug ppp authentication

00:17:20.239: Se0/0 PAP: Using hostname from interface PAP
00:17:20.239: Se0/0 PAP: Using password from interface PAP
00:17:20.239: Se0/0 PAP: O AUTH-REQ id 30 len 16 from "R1"
00:17:20.283: Se0/0 PAP: I AUTH-REQ id 31 len 16 from "R2"
00:17:20.283: Se0/0 PAP: Authenticating peer R2
00:17:20.307: Se0/0 PAP: O AUTH-ACK id 31 len 5
00:17:20.355: Se0/0 PAP: I AUTH-ACK id 30 len 5

A sample Authenticate-Request packet is shown below. The protocol value is 0xC023, indicating that PAP is encapsulated in the PPP frame.

The following output shows the corresponding Authenticate-ACK packet from the authenticator (R2 in this case).
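
The byte layout of these two packets, following the RFC 1334 field definitions, is worked through below as an added example (not a capture or code from the original page). It rebuilds R1's Authenticate-Request with id 30 and the matching Authenticate-ACK, reproducing the len 16 and len 5 values in the debug output, and the parser shows that the password is readable by anyone who can see the frame. The function names are hypothetical.

```python
import struct

CODES = {1: "Authenticate-Request", 2: "Authenticate-ACK", 3: "Authenticate-NAK"}


def build_auth_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Code, Identifier, Length(2), Peer-ID Length, Peer-ID, Passwd-Length, Password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data


def build_reply(code: int, ident: int, message: bytes = b"") -> bytes:
    """Authenticate-ACK (2) or Authenticate-NAK (3): header, Msg-Length, Message."""
    data = bytes([len(message)]) + message
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_pap(packet: bytes) -> dict:
    """Decode one PAP packet; reject truncated or inconsistent length fields."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown PAP code {code}")
    if length < 5 or length > len(packet):
        raise ValueError("Length field does not fit the packet")
    body = packet[4:length]  # octets past Length are padding and ignored
    out = {"type": CODES[code], "id": ident, "len": length}
    first_len = body[0]
    if 1 + first_len > len(body):
        raise ValueError("field length overruns packet")
    first = body[1:1 + first_len]
    if code != 1:
        out["message"] = first.decode("ascii", "replace")
        return out
    rest = body[1 + first_len:]
    if not rest or 1 + rest[0] > len(rest):
        raise ValueError("Passwd-Length overruns packet")
    out["peer_id"] = first.decode("ascii", "replace")
    out["password"] = rest[1:1 + rest[0]].decode("ascii", "replace")  # cleartext
    return out


if __name__ == "__main__":
    req = build_auth_request(30, b"R1", b"cisco123")  # values from the R1 config
    print(req.hex(), parse_pap(req))
    print(parse_pap(build_reply(2, 30)))
```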