PPP Password Authentication Protocol

Understanding PAP

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a two-way handshake. After the link is established, an ID and password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. This is done only upon initial link establishment.

For interfaces with PPP encapsulation, you can configure interfaces to support PAP, as defined in RFC 1334, PPP Authentication Protocols. If authentication is configured, the PPP link negotiates the use of either CHAP or PAP for authentication during the Link Control Protocol (LCP) negotiation phase. PAP runs only in the authentication phase, after the link establishment phase is complete (LCP up).

During authentication, the PPP link sends a PAP authentication-request packet to the peer with an ID and password. The authentication-request packet is sent every 2 seconds, similar to the CHAP challenge, until a response (acknowledgment packet or nonacknowledgment packet) is received. If an acknowledgment packet is received, the PPP link transitions to the next state, the network phase. If a nonacknowledgment packet is received, an LCP terminate request is sent, and the PPP link goes back to the link establishment phase.

If no response is received and the optional retry counter is set to true, the authentication-request packet is resent. If the retry counter expires, the PPP link transitions to the LCP negotiate phase.
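
The request and response exchange described above, as an added example that is not Juniper code: it builds and parses an authenticate-request using the RFC 1334 packet layout and returns the acknowledgment or nonacknowledgment together with the next PPP phase. The function names, the profile dictionary, and the sample credentials are constructed for illustration.

```python
import hmac
import struct

# PAP codes from RFC 1334 (the PPP protocol field for PAP is 0xC023).
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3

def build_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Code | Identifier | Length | Peer-ID Length | Peer-ID | Passwd-Length | Password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(data)) + data

def parse_request(packet: bytes) -> tuple[int, bytes, bytes]:
    """Return (identifier, peer_id, password); raise ValueError if malformed."""
    if len(packet) < 6:
        raise ValueError("short PAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != AUTH_REQUEST or length < 6 or length > len(packet):
        raise ValueError("not a well-formed Authenticate-Request")
    body = packet[4:length]  # bytes past Length are padding and are ignored
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("Peer-ID Length overruns packet")
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    password = body[2 + id_len:2 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("Passwd-Length overruns packet")
    return identifier, peer_id, password

def authenticate(packet: bytes, profile: dict[bytes, bytes]) -> tuple[bytes, str]:
    """Authenticator side: return (reply packet, next PPP phase)."""
    identifier, peer_id, password = parse_request(packet)
    expected = profile.get(peer_id)
    ok = expected is not None and hmac.compare_digest(expected, password)
    code, msg = (AUTH_ACK, b"ok") if ok else (AUTH_NAK, b"denied")
    reply = struct.pack("!BBH", code, identifier, 5 + len(msg)) + bytes([len(msg)]) + msg
    # An acknowledgment moves the link to the network phase; a nonacknowledgment
    # leads to an LCP terminate request and a return to link establishment.
    return reply, "network" if ok else "link-establishment"

# Constructed sample values, not taken from any real device.
PROFILE = {b"peer-a": b"s3cret-example"}
REQUEST = build_request(0x2A, b"peer-a", b"s3cret-example")
```

The password field is carried verbatim in the request bytes, so anyone able to capture the link during the authentication phase can read it.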

You can configure the PPP link with PAP in passive mode. By default, when PAP is enabled on an interface, the interface expects authenticate-request packets from the peer. However, the interface can be configured to send authentication request packets to the peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface sends the authenticate-request packets to the peer only if the interface receives the PAP option from the peer during LCP negotiation. In passive mode, the interface does not authenticate the peer.

Configure PAP on a Physical Interface

To enable PAP, you must create an access profile, and you must configure the interfaces to use PAP. For more information on how to configure an access profile, see Point-to-Point Protocol (PPP).

When you configure an interface to use PAP, you must assign an access profile to the interface. When an interface receives PAP authentication requests, the access profile in the packet is used to look up the password.

To configure the PPP password authentication protocol, on each physical interface with PPP encapsulation, perform the following steps.

  1. To assign an access profile to an interface, include the access-profile statement at the [edit interfaces interface-name ppp-options pap] hierarchy level.
  2. To configure the name the interface uses in PAP request and response packets, include the local-name statement at the [edit interfaces interface-name ppp-options pap] hierarchy level.
  3. You need to configure the password to be used for authentication. To configure the host password for sending PAP requests, include the local-password statement at the [edit interfaces interface-name ppp-options pap] hierarchy level.
    Note:

    By default, when PAP is enabled on an interface, the interface uses the router’s system hostname as the name sent in PAP request and response packets.

  4. To configure the interface to authenticate with PAP in passive mode, include the passive statement at the [edit interfaces interface-name ppp-options pap] hierarchy level.
    Note:

    By default, when PAP is enabled on an interface, the interface expects authenticate-request packets from the peer. However, the interface can be configured to send authentication request packets to the peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface sends the authenticate-request packets to the peer only if the interface receives the PAP option from the peer during LCP negotiation. In passive mode, the interface does not authenticate the peer.

Configure PAP on a Logical Interface

When you configure an interface to use PAP, you must assign an access profile to the interface. When an interface receives PAP authentication requests, the access profile in the packet is used to look up the password. If no matching access profile is found for the PAP authentication request that was received by the interface, the optionally configured default PAP password is used.

To configure PAP, perform the following steps on each logical interface with PPP encapsulation.

  1. The default PAP password is used when no matching PAP access profile exists, or if the PAP access profile name changes during PPP link negotiation. To configure the default PAP password, include the default-pap-password statement at the [edit interfaces interface-name unit logical-unit-number ppp-options pap] hierarchy level.
  2. To configure the name the interface uses in PAP request and response packets, include the local-name statement at the [edit interfaces interface-name unit logical-unit-number ppp-options pap] hierarchy level.
    Note:

    By default, when PAP is enabled on an interface, the interface uses the router’s system hostname as the name sent in PAP request and response packets.

  3. You need to configure the password to be used for authentication. To configure the host password for sending PAP requests, include the local-password statement at the [edit interfaces interface-name ppp-options pap] hierarchy level.
  4. To configure the interface to authenticate with PAP in passive mode, include the passive statement at the [edit interfaces interface-name unit logical-unit-number ppp-options pap] hierarchy level.
    Note:

    By default, when PAP is enabled on an interface, the interface expects authenticate-request packets from the peer. However, the interface can be configured to send authentication request packets to the peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface sends the authenticate-request packets to the peer only if the interface receives the PAP option from the peer during LCP negotiation—in passive mode, the interface does not authenticate the peer.