Configuring PPP PAP Authentication

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a two-way handshake. This is done only upon initial link establishment.

After the link is established, an ID and password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

To configure PAP, you must create an access profile, configure tracing operations, and configure the logical and physical interfaces.

To configure PAP on a logical interface with PPP encapsulation, include the pap statement with options:

pap {
    default-pap-password password;
    local-name name;
    local-password password;
    passive;
}

You can include these statements at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]

For more information about configuring PAP for physical interfaces, see Configuring the PPP Password Authentication Protocol. For information about configuring tracing operations for the PPP protocol, see Tracing Operations of the pppd Process.

On each logical interface with PPP encapsulation, you can perform the following tasks:

Configuring a Default PAP Password

The default PAP password is used when no matching PAP access profile exists, or if the PAP access profile name changes during PPP link negotiation.

To configure a default PAP password for an interface, include the default-pap-password statement:

You can include the statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number ppp-options pap]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number ppp-options pap]

Configuring the Local Name

By default, when PAP is enabled on an interface, the interface uses the router’s system hostname as the name sent in PAP request and response packets.

To configure the name the interface uses in PAP request and response packets, include the local-name statement:

You can include the statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number ppp-options pap]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number ppp-options pap]

Configuring the Local Password

You need to configure the password to be used for authentication.

To configure the host password for sending PAP requests, include the local-password statement:

local-password password;

You can include the statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number ppp-options pap]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number ppp-options pap]
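
The two-way handshake on the wire, as an added example that is not Juniper code: the Peer-ID field carries the name the interface sends (the local-name, or the hostname by default) and the Password field carries the local-password, both unencrypted, in the RFC 1334 packet layout. The peer name, password, profile table and reply messages are constructed sample values, and the function names are hypothetical.

```python
import hmac
import struct

AUTH_REQ, AUTH_ACK, AUTH_NAK = 1, 2, 3  # PAP packet codes (RFC 1334)

def build_request(ident, peer_id, password):
    """Peer side: Authenticate-Request carrying the name and password."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQ, ident, 4 + len(data)) + data

def parse_request(pkt):
    """Authenticator side: strict parse, returns (ident, peer_id, password)."""
    if len(pkt) < 6:
        raise ValueError("truncated PAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQ:
        raise ValueError("not an Authenticate-Request")
    if length < 6 or length > len(pkt):
        raise ValueError("bad Length field")
    body = pkt[4:length]  # bytes beyond Length are padding and are ignored
    id_len = body[0]
    if 1 + id_len >= len(body):
        raise ValueError("Peer-ID Length overruns packet")
    peer_id = body[1:1 + id_len]
    pw_len = body[1 + id_len]
    if 2 + id_len + pw_len != len(body):
        raise ValueError("Passwd-Length inconsistent with Length")
    return ident, peer_id, body[2 + id_len:]

def authenticate(pkt, profile):
    """Return the Authenticate-Ack or Authenticate-Nak reply for a request."""
    ident, peer_id, password = parse_request(pkt)
    expected = profile.get(peer_id)
    # Constant-time comparison of the received and stored passwords
    ok = expected is not None and hmac.compare_digest(expected, password)
    code, msg = (AUTH_ACK, b"ok") if ok else (AUTH_NAK, b"denied")
    # The reply echoes the request's Identifier so the peer can match it
    return struct.pack("!BBH", code, ident, 5 + len(msg)) + bytes([len(msg)]) + msg

# Constructed sample values (not from the page)
PROFILE = {b"router-a": b"example-secret"}
REQUEST = build_request(7, b"router-a", b"example-secret")

if __name__ == "__main__":
    print(REQUEST.hex(" "))                        # name and password are readable as-is
    print(authenticate(REQUEST, PROFILE).hex(" "))
```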

Configuring Passive Mode

By default, when PAP is enabled on an interface, the interface expects authenticate-request packets from the peer. However, the interface can be configured to send authenticate-request packets to the peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface sends authenticate-request packets to the peer only if it receives the PAP option from the peer during LCP negotiation. In passive mode, the interface does not authenticate the peer.

To configure the interface to authenticate with PAP in passive mode, include the passive statement:

You can include the statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number ppp-options pap]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number ppp-options pap]

Published: 2013-08-01
