PPP Authentication: PAP
RFC 1334 discusses PPP authentication protocols. The Password Authentication Protocol (PAP) (protocol value=0xC023) is one of two authentication methods available for PPP. PAP uses a 2-way handshake to establish the peer's identity with the authenticator.
The Authentication Phase is optional in PPP. This phase starts after the Link Establishment Phase is successfully completed. After the Link Establishment Phase is complete, the username / password pair is sent by the peer to the authenticator.
An authenticator is the end of the link requiring the authentication. The authenticator specifies the authentication protocol to be used in the Configure-Request packet during the Link Establishment Phase.
The peer is at the other end of the point-to-point link and is authenticated by the authenticator.
PAP is a weak authentication method because the passwords are sent in clear-text. PAP packets are sent in the Information field of a PPP frame with the protocol value set to 0xC023. There are 3 different types of PAP packets: Authenticate-Request, Authenticate-ACK and Authenticate-NAK.
The Authenticate-Request packet is used to start PAP. The peer transmits the Authenticate-Request packet during the Authentication Phase. It sends these packets repeatedly until a valid reply packet is received. Authenticate-Request packets received during any other phase are silently discarded; they are only accepted in the Authentication Phase.
The authenticator expects multiple Authenticate-Request packets from the peer. If the username/password pair received in an Authenticate-Request packet is acceptable or recognizable, then the authenticator replies with an Authenticate-ACK packet.
If the username/password pair received in an Authenticate-Request packet is not recognizable or acceptable, then the authenticator replies with an Authenticate-NAK packet.
Configuring PPP PAP Authentication:
PPP PAP authentication requires a globally configured username and password. The username and password combination must be the same as the one sent by the peer.
PAP Configuration on R1 & R2
! R1
username R2 password 0 cisco123
interface serial 0/0
 ip address 10.1.1.1 255.255.255.0
 ppp authentication pap
 ppp pap sent-username R1 password 0 cisco123
! R2
username R1 password 0 cisco123
interface serial 0/0
 ip address 10.1.1.2 255.255.255.0
 ppp authentication pap
 ppp pap sent-username R2 password 0 cisco123
Once the LCP state is OPEN, PPP transitions to the Authentication phase. Router R1 sends the username and password pair configured with the ppp pap sent-username R1 password cisco123 command in an Authenticate-Request packet. Router R2 tries to match this pair with the pair configured globally with the username R1 password cisco123 command. If they match, R2 sends an Authenticate-ACK packet to R1. Similarly, R1 authenticates R2. Once the Authentication phase is successfully completed, PPP transitions to the NCP phase.
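As an added example (not code from the original article, nor Cisco's implementation), the following Python encodes and parses the three PAP packet types described above and implements the authenticator side of the 2-way handshake: answer only in the Authentication phase, only to Authenticate-Request packets carried under protocol 0xC023, with an Authenticate-ACK when the pair matches the global username entry and an Authenticate-NAK otherwise. The packet layout (Code, Identifier, Length, then Peer-ID-Length/Peer-ID/Passwd-Length/Password for requests and Msg-Length/Message for replies) is from RFC 1334; the credential table, the NAK message text, the phase-name strings and the sample request (id 30, "R1"/"cisco123", which gives the same len 16 that the router debug output reports for R1's request) are constructed here for illustration.

```python
import hmac
import struct
from typing import Optional

PPP_PROTO_PAP = 0xC023  # PPP protocol field value that carries PAP (RFC 1334)

# PAP packet codes (RFC 1334)
AUTH_REQ = 1  # Authenticate-Request
AUTH_ACK = 2  # Authenticate-Ack
AUTH_NAK = 3  # Authenticate-Nak
CODE_NAMES = {AUTH_REQ: "AUTH-REQ", AUTH_ACK: "AUTH-ACK", AUTH_NAK: "AUTH-NAK"}


def build_auth_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    # Code | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQ, ident, 4 + len(body)) + body


def build_auth_response(code: int, ident: int, message: bytes = b"") -> bytes:
    # Code | Identifier | Length | Msg-Length | Message   (code is AUTH_ACK or AUTH_NAK)
    body = bytes([len(message)]) + message
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_pap(packet: bytes) -> dict:
    """Decode one PAP packet; raise ValueError instead of trusting an inconsistent length."""
    if len(packet) < 4:
        raise ValueError("short PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("PAP Length field inconsistent with packet size")
    data = packet[4:length]  # bytes beyond Length are padding and are ignored
    if code == AUTH_REQ:
        if not data:
            raise ValueError("missing Peer-ID-Length")
        pid_len = data[0]
        peer_id = data[1:1 + pid_len]
        if len(peer_id) != pid_len or len(data) < 2 + pid_len:
            raise ValueError("truncated Peer-ID")
        pw_len = data[1 + pid_len]
        password = data[2 + pid_len:2 + pid_len + pw_len]
        if len(password) != pw_len:
            raise ValueError("truncated Password")
        return {"code": code, "id": ident, "length": length,
                "peer_id": peer_id, "password": password}
    if code in (AUTH_ACK, AUTH_NAK):
        if not data:
            raise ValueError("missing Msg-Length")
        msg_len = data[0]
        message = data[1:1 + msg_len]
        if len(message) != msg_len:
            raise ValueError("truncated Message")
        return {"code": code, "id": ident, "length": length, "message": message}
    raise ValueError(f"unknown PAP code {code}")


def describe(packet: bytes) -> str:
    """Render a packet in the style of the IOS 'debug ppp authentication' lines."""
    p = parse_pap(packet)
    text = f"{CODE_NAMES[p['code']]} id {p['id']} len {p['length']}"
    if p["code"] == AUTH_REQ:
        text += ' from "%s"' % p["peer_id"].decode("ascii", errors="replace")
    return text


def authenticate(ppp_protocol: int, packet: bytes, credentials: dict,
                 phase: str) -> Optional[bytes]:
    """Authenticator side of the 2-way handshake.

    Returns the Authenticate-Ack/Nak to send back, or None when the packet is
    silently discarded (not PAP, not in the Authentication phase, malformed,
    or not an Authenticate-Request).  Phase names are constructed labels.
    """
    if ppp_protocol != PPP_PROTO_PAP or phase != "AUTHENTICATING":
        return None
    try:
        req = parse_pap(packet)
    except ValueError:
        return None
    if req["code"] != AUTH_REQ:
        return None
    expected = credentials.get(req["peer_id"])
    # constant-time comparison; the reply echoes the request's Identifier
    if expected is not None and hmac.compare_digest(expected, req["password"]):
        return build_auth_response(AUTH_ACK, req["id"])
    return build_auth_response(AUTH_NAK, req["id"], b"Authentication failed")


if __name__ == "__main__":
    # Constructed sample: what R1 sends under 'ppp pap sent-username R1 password 0 cisco123'
    request = build_auth_request(30, b"R1", b"cisco123")
    # R2's global entry from 'username R1 password 0 cisco123'
    table = {b"R1": b"cisco123"}
    print("O", describe(request))
    print("I", describe(authenticate(PPP_PROTO_PAP, request, table, "AUTHENTICATING")))
    # The same bytes decoded by anyone who captures the frame: the password is clear-text.
    print(parse_pap(request)["password"])
```

The parse function is the same whether it runs on the authenticator or on a capture of the serial link, which is the concrete meaning of "passwords are sent in clear-text": the Authenticate-Request carries the password as plain bytes, protected only by whatever secures the link itself. The authenticator checks the Length field before indexing into the packet and ignores anything past it, so a short or padded frame cannot make it read outside the data.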
debug ppp negotiation
!--- Authentication Protocol is negotiated during Link Establishment Phase in Configure-Request packets
00:17:20.211: Se0/0 LCP: I CONFREQ [REQsent] id 222 len 14
00:17:20.211: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.211: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
00:17:20.215: Se0/0 LCP: O CONFACK [REQsent] id 222 len 14
00:17:20.215: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.215: Se0/0 LCP:    MagicNumber 0x01200444 (0x050601200444)
00:17:20.235: Se0/0 LCP: I CONFACK [ACKsent] id 14 len 14
00:17:20.235: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:17:20.235: Se0/0 LCP:    MagicNumber 0x002003D3 (0x0506002003D3)
!--- Authentication Phase begins after LCP state is OPEN
00:17:20.235: Se0/0 LCP: State is Open
00:17:20.239: Se0/0 PPP: Phase is AUTHENTICATING, by both
00:17:20.283: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:17:20.287: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
00:17:20.291: Se0/0 PPP: Sent PAP LOGIN Request
00:17:20.295: Se0/0 PPP: Received LOGIN Response PASS
00:17:20.295: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:17:20.299: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
00:17:20.299: Se0/0 PPP: Sent LCP AUTHOR Request
00:17:20.303: Se0/0 PPP: Sent IPCP AUTHOR Request
00:17:20.303: Se0/0 LCP: Received AAA AUTHOR Response PASS
00:17:20.307: Se0/0 IPCP: Received AAA AUTHOR Response PASS
00:17:20.355: Se0/0 PPP: Phase is UP
The Authenticate-Request and Authenticate-ACK/Authenticate-NAK packets can be viewed using the debug ppp authentication command.
debug ppp authentication
00:17:20.239: Se0/0 PAP: Using hostname from interface PAP
00:17:20.239: Se0/0 PAP: Using password from interface PAP
00:17:20.239: Se0/0 PAP: O AUTH-REQ id 30 len 16 from "R1"
00:17:20.283: Se0/0 PAP: I AUTH-REQ id 31 len 16 from "R2"
00:17:20.283: Se0/0 PAP: Authenticating peer R2
00:17:20.307: Se0/0 PAP: O AUTH-ACK id 31 len 5
00:17:20.355: Se0/0 PAP: I AUTH-ACK id 30 len 5
A sample Authenticate-Request packet is shown below. The protocol value is 0xC023, indicating that PAP is encapsulated in the PPP frame.