PPP Password Authentication Protocol
Understanding PAP
The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a two-way handshake. After the link is established, an ID and password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. This is done only upon initial link establishment.
For interfaces with PPP encapsulation, you can configure interfaces to support PAP, as defined in RFC 1334, PAP Authentication Protocols. If authentication is configured, the PPP link negotiates using the CHAP or PAP protocol for authentication during the Link Control Protocol (LCP) negotiation phase. PAP is performed only after the link establishment phase (LCP up), during the authentication phase.
During authentication, the PPP link sends a PAP authentication-request packet to the peer with an ID and password. The authentication-request packet is sent every 2 seconds, similar to the CHAP challenge, until a response (acknowledgment packet or nonacknowledgment packet) is received. If an acknowledgment packet is received, the PPP link transitions to the next state, the network phase. If a nonacknowledgment packet is received, an LCP terminate request is sent, and the PPP link goes back to the link establishment phase.
If no response is received, and an optional retry counter is set to true, a new request acknowledgment packet is resent. If the retry counter expires, the PPP link transitions to the LCP negotiate phase.
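The exchange described above can be audited in a packet capture. The following is an added example, not code from this documentation or from the vendor: it decodes PAP packets using the field layout in RFC 1334 (in which the Authenticate-Request carries the password unencrypted), reports the password length instead of its value, and counts how many requests were sent before a reply. The function names and sample packets are constructed for illustration.

```python
import struct

# PAP packet codes (RFC 1334, section 2.2)
CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}

def _lv(buf: bytes, name: str):
    """Split a one-byte-length-prefixed field off the front of buf."""
    if not buf or buf[0] > len(buf) - 1:
        raise ValueError(f"truncated {name} field")
    return buf[1:1 + buf[0]], buf[1 + buf[0]:]

def parse_pap(packet: bytes) -> dict:
    """Decode one PAP packet (the payload carried under PPP protocol 0xc023)."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte PAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown PAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("Length field does not fit the captured bytes")
    body = packet[4:length]  # bytes past Length are padding and ignored
    out = {"code": CODES[code], "id": ident}
    if code == 1:
        peer_id, rest = _lv(body, "Peer-ID")
        password, _ = _lv(rest, "Password")
        out["peer_id"] = peer_id.decode("ascii", "replace")
        # The password is on the wire unencrypted; report only its length.
        out["password_len"] = len(password)
    else:
        msg = _lv(body, "Message")[0] if body else b""
        out["message"] = msg.decode("ascii", "replace")
    return out

def summarize(packets):
    """Count requests seen before the first Ack/Nak in a captured exchange."""
    requests = 0
    for raw in packets:
        p = parse_pap(raw)
        if p["code"] != "Authenticate-Request":
            return {"requests": requests, "result": p["code"]}
        requests += 1
    return {"requests": requests, "result": None}

# Constructed sample input (not taken from a real capture)
def build_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body

SAMPLE_REQUEST = build_request(7, b"branch-router", b"example-secret")
SAMPLE_ACK = struct.pack("!BBH", 2, 7, 7) + b"\x02OK"
```

Each retransmitted request counted by `summarize` is another copy of the credentials on the link, which is the property to weigh when choosing between PAP and CHAP.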
You can configure the PPP link with PAP in passive mode. By default, when PAP is enabled on an interface, the interface expects authenticate-request packets from the peer. However, the interface can be configured to send authentication request packets to the peer by configuring PAP to operate in passive mode. In PAP passive mode, the interface sends the authenticate-request packets to the peer only if the interface receives the PAP option from the peer during LCP negotiation. In passive mode, the interface does not authenticate the peer.
Configure PAP on a Physical Interface
To enable PAP, you must create an access profile, and you must configure the interfaces to use PAP. For more information on how to configure an access profile, see Point-to-Point Protocol (PPP).
When you configure an interface to use PAP, you must assign an access profile to the interface. When an interface receives PAP authentication requests, the access profile in the packet is used to look up the password.
To configure the PPP password authentication protocol, on each physical interface with PPP encapsulation, perform the following steps.
Configure PAP on a Logical Interface
When you configure an interface to use PAP, you must assign an access profile to the interface. When an interface receives PAP authentication requests, the access profile in the packet is used to look up the password. If no matching access profile is found for the PAP authentication request that was received by the interface, the optionally configured default PAP password is used.
To configure PAP, perform the following steps on each logical interface with PPP encapsulation.