Password Authentication Protocol (PAP)
PPP links can be authenticated by one of two protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
Of the two, PAP is the less secure: the password is sent in cleartext, and authentication is performed only once, at initial link establishment.
Password Authentication Protocol (PAP) –
PAP is a password authentication protocol used on PPP links to validate users. PAP authentication requires the calling device to send a username and password. If the credentials match the local database of the called device or the remote AAA database, access is allowed; otherwise it is denied.
Some of the features of PAP are:
- The password is sent in cleartext.
- All network operating systems support PAP.
- It uses a two-way handshake.
- It is non-interactive.
- PAP supports both one-way authentication (unidirectional) and two-way authentication (bidirectional).
Consider a small topology with two routers, R1 and R2. R1 has IP address 10.1.1.1/30 on s0/0 and R2 has IP address 10.1.1.2/30 on s0/0.
First, we will create a local database on R1 by providing a username and password:
R1(config)#username Router1 password GeeksforGeeks
Configuring local database on R2:
R2(config)#username Router2 password GeeksforGeeks
Remember that HDLC is the default encapsulation on Cisco serial interfaces, so first we have to change the encapsulation to PPP and then enable PAP.
R1(config)#int s0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username Router2 password GeeksforGeeks
Enabling PAP on R2:
R2(config)#int s0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username Router1 password GeeksforGeeks
Here, notice that the username and password are case-sensitive. Also, the ppp pap sent-username command on R1 specifies the username and password that R1 sends to its peer; these must match an entry in the peer's local database.
For one-way authentication, i.e. only the calling router authenticates itself to the called router, this command is needed only on the router that wants to be authenticated (the calling router).
For two-way authentication, i.e. both the client and the remote device authenticate to each other, a local database and this command are needed on both devices.
In addition, if we want to use CHAP first and PAP as a backup when CHAP fails, we can configure it with the following command:
R1(config)#int s0/0
R1(config-if)#ppp authentication chap pap
Conversely, if we want PAP first with CHAP as the backup, use:
R1(config)#int s0/0
R1(config-if)#ppp authentication pap chap
When to use PAP –
PAP is usually used in the following scenarios:
- When the application doesn’t support CHAP.
- Circumstances where it is necessary to send a plain text password to simulate a login at the called device (remote host).
- When there are incompatibilities between different vendors' implementations of CHAP.
Advantage of CHAP over PAP –
Some of the advantages are:
- CHAP is more secure than PAP.
- CHAP can re-authenticate periodically to verify that the user on the PPP link is still the same.
- In CHAP, the real password is never sent across the link; instead a hash value calculated from it is transferred.
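To make the cleartext-versus-hash difference concrete, here is an added example (not part of the original article, and not Cisco code) in Python. It builds a PAP Authenticate-Request in the format of RFC 1334 and a CHAP Response in the format of RFC 1994, using the article's constructed username and password, and shows that the PAP packet contains the password verbatim while the CHAP response carries only the MD5 value. The local-database dictionaries and the 16-byte challenge are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials, matching the article's router configuration.
PEER_ID = b"Router2"
SECRET = b"GeeksforGeeks"


# ---- PAP (RFC 1334): two-way handshake, password travels in cleartext ----

def pap_build_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PAP Authenticate-Request (Code 1) as the calling router sends it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)  # Code(1) + Identifier(1) + Length(2) + body
    return struct.pack("!BBH", 1, identifier, length) + body


def pap_parse_authenticate_request(pkt: bytes) -> dict:
    """Parse the request exactly as the called router (or anyone on the link) can."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    id_len = pkt[pos]
    pos += 1
    peer_id = pkt[pos:pos + id_len]
    pos += id_len
    pw_len = pkt[pos]
    pos += 1
    password = pkt[pos:pos + pw_len]
    return {"identifier": identifier, "peer_id": peer_id, "password": password}


def pap_authenticate(pkt: bytes, local_db: dict) -> bool:
    """Called router: compare received credentials with its local database.

    The byte-exact dictionary lookup is why username and password are case-sensitive.
    Returns True for Authenticate-Ack (Code 2), False for Authenticate-Nak (Code 3).
    """
    req = pap_parse_authenticate_request(pkt)
    stored = local_db.get(req["peer_id"])
    return stored is not None and hmac.compare_digest(stored, req["password"])


# ---- CHAP (RFC 1994): three-way handshake, only MD5(Identifier || secret || challenge) travels ----

def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The CHAP Response value: MD5 over Identifier, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_build_response(identifier: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """Build a CHAP Response (Code 2) for a received challenge; the secret itself never leaves the host."""
    value = chap_response_value(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def chap_verify(response: bytes, challenge: bytes, local_db: dict) -> bool:
    """Authenticator: recompute the expected value from its own copy of the secret and compare."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != 2 or length != len(response):
        return False
    value_size = response[4]
    value = response[5:5 + value_size]
    name = response[5 + value_size:]
    secret = local_db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(value, chap_response_value(identifier, secret, challenge))


def password_visible_on_wire(pkt: bytes, password: bytes) -> bool:
    """True if the raw packet bytes contain the password verbatim."""
    return password in pkt


if __name__ == "__main__":
    pap_pkt = pap_build_authenticate_request(7, PEER_ID, SECRET)
    print("PAP bytes:", pap_pkt.hex())
    print("PAP password visible on wire:", password_visible_on_wire(pap_pkt, SECRET))
    print("PAP accepted by R2:", pap_authenticate(pap_pkt, {b"Router2": SECRET}))

    challenge = bytes(range(16))  # constructed; a real authenticator uses an unpredictable value
    chap_pkt = chap_build_response(3, PEER_ID, SECRET, challenge)
    print("CHAP bytes:", chap_pkt.hex())
    print("CHAP password visible on wire:", password_visible_on_wire(chap_pkt, SECRET))
    print("CHAP accepted by R2:", chap_verify(chap_pkt, challenge, {b"Router2": SECRET}))
```

Running it shows the PAP packet's hex dump containing the username and password as plain ASCII, which is exactly what a capture on the serial link would reveal; the CHAP response contains only the 16-byte MD5 value and the name, and verification fails if the authenticator's stored secret or the challenge differs.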
Advantage of PAP over CHAP –
The only advantage PAP holds over CHAP is that it is supported by all network operating system vendors; therefore PAP is used where CHAP is not supported. If CHAP is supported, it is recommended to use CHAP, as it is more secure.