PPP

Accessing the WAN – Chapter 2

1
Layer 1 Serial
Communication

Accessing the WAN – Chapter 2

2
Serial Communication
 Data can be transferred using serial or parallel communication.

3
9-Pin Serial Connector
 Serial communication describes data being sent one bit at a
time.
– For example, on a 9-pin serial connector, two connections (wires) are
used to send the bits.
– The additional connections are used to control the data flow.

4
How Does Parallel Communication Work?
 A parallel connection simultaneously sends bits over more
wires.
– For example, there are 8 data-carrying wires on a 25-pin parallel printer
therefore 8 bits are simultaneously transmitted.

 Theoretically, a parallel connection:

– Sends 1 byte (8 bits) in the “time” a serial connection sends 1 bit.
– Transfers data 8x times faster than a serial connection.

5
Is Parallel Faster Than Serial?

Distance Type Serial Parallel

Short Slower Faster

Long Faster Slower

 Serial links can be clocked considerably faster than parallel

links, and they achieve a higher data rate, because of two
factors that affect parallel communications:
 Clock skew and crosstalk interference.

6
Clock Skew
 Clock skew is when some bits arrive later than others.
– For example, 8 bits leaving the sender may not arrive at the receiver at
the same time.
– Depends on the length, resistance, and quality of the wires.

7
Overcoming Clock Skew
 The receiving end must synchronize itself with the transmitter
and then wait until all the bits have arrived.

 Synchronizing involves reading, waiting, latching, waiting for

clock signal, and transmitting 8 bits.

 This process also adds time to the transmission slowing

parallel transmission well below theoretical expectations.

8
Crosstalk Interference
 Wires that are closely bundled together may introduce
crosstalk at higher frequencies.

 Crosstalk causes bits/bytes to be dropped.

9
Long distances = Serial communication
 Serial cables have:
– Fewer wires, therefore less crosstalk.
– Network devices capable of transmitting serial communications at
higher, more efficient frequencies.

 Serial communications is also considerably less expensive to

implement making it the choice for long distance links.

10
Common Serial Communication Standards
 Common LAN-to-WAN serial communication standards:
Standard Description Connector

• Most serial ports on personal computers

EIA/TIA 232
conform to the RS-232C or newer RS-422
(RS-232) and RS-423 standards.

• High-speed serial cable designed to

support higher data rates and connectivity
ITU V.35 between DTEs and DCEs over digital lines.
• Typically used by routers and DSUs that
connect to T1 carriers.

• High-Speed Serial Interface (HSSI)

EIA/TIA-612/613 supports transmission rates up to 52 Mb/s.
(HSSI) • Typically used to connect routers to T3
carriers.

11
60 Years ago ….
 60 years ago each telephone call required its own physical link
(line).
– This was a very expensive and a very “unscalable” solution.

 Time-division multiplexing (TDM) was developed by Bell

Laboratories to maximize the amount of voice traffic carried
over a medium.

 TDM is a physical layer concept.

– It has no understanding of the information being multiplexed.
– It is independent of the Layer 2 or higher protocols.
– Original data streams must be reconstructed at the destination.

12
Time Division Multiplexing
 TDM transmits two or more channels over the same link by
allocating a different time interval (time slot) for the
transmission of each channel.
– In effect, the channels take turns using the link.

13
Statistical Time Division Multiplexing
 TDM was a bit inefficient when traffic is intermittent, because
the time slot is still allocated even when the channel has no
data to transmit.

 Statistical time-division multiplexing (STDM) was developed to

overcome this inefficiency.
– STDM uses a variable time slot length allowing channels to compete for
any free slot space.

14
TDM Examples – SONET (SDH)
 TDM is used in ISDN and by SONET (OC-x links).

 SONET (North America) and SDH (everywhere else) are two

closely related fiber cable standards that specify interface
parameters, rates, framing formats, multiplexing methods, and
management for synchronous communications.

15
DS0
 Digital Signal 0 (DS0) is a basic digital signaling rate of 64
kbit/s, corresponding to the capacity of one voice-frequency-
equivalent channel.

 In North America, 24 DS0 units are multiplexed using TDM into

a higher bit-rate signal with an aggregate speed of 1.544 Mb/s
for transmission over T1 lines.
– Outside North America, 32 DS0 units are multiplexed for E1
transmission at 2.048 Mb/s.

 T-carrier refers to the bundling of DS0s.

– For example, a T1 = 24 DSOs, a T1C = 48 DSOs (or 2 T1s), and so on.

http://en.wikipedia.org/wiki/List_of_device_bandwidths#Wide_area_networks
16
DS0
 T-carrier refers to the bundling of DS0s.
– For example, a T1 = 24 DSOs, a T1C = 48 DSOs (or 2 T1s), and so on.

17
Demarcation Point

 Demarcation point defines the end of customer and start

of service provider network.

18
DTE and DCE

19
DTE and DCE

20
Parallel to Serial Conversion

21
Layer 2

22
WAN Encapsulation Protocol
 Data is encapsulated into Layer 2 frames before crossing the WAN
link.

 WAN protocols include:

– Synchronous Data Link Control (SDLC) (Original IBM standard)
– High-Level Data Link Control (HDLC) (Replaced SDLC)
– Point-to-Point Protocol
– Serial Line Internet Protocol (SLIP)
– X.25/Link Access Procedure, Balanced (LAPB)
– Frame Relay
– ATM

 The choice of protocol depends on the WAN technology and the

communicating equipment.
23
WAN Encapsulation Protocols
 Synchronous Data Link Control (SDLC):
 Defacto standard developed by IBM in the 1970s.

 High-Level Data Link Control (HDLC):

– The ISO adopted version of SDLC.
– It is now the default encapsulation on Cisco point-to-point connections,
dedicated links, and circuit-switched connections.

 Serial Line Internet Protocol (SLIP):

– A standard protocol for point-to-point serial connections using TCP/IP.
– SLIP has been largely displaced by PPP.

24
WAN Encapsulation Protocols
 PPP:
– PPP is used over serial cables, phone line, trunk line, cellular telephone,
specialized radio links, and fiber optic links such as SONET.
– Provides router-to-router and host-to-network connections over
synchronous and asynchronous circuits.
– PPP works with several network layer protocols, such as IP and
Internetwork Packet Exchange (IPX).
– PPP also has built-in security mechanisms such as PAP and CHAP.
– ISPs use:
• PPP for customer dial-up access.
• Point-to-Point Protocol over Ethernet (PPPoE) for customer DSL access.
• Point-to-Point Protocol over ATM (PPPoA) for customer DSL access.

25
WAN Encapsulation Protocol
 X.25/Link Access Procedure, Balanced (LAPB):
– Mostly obsolete, X.25 specifies LAPB, a data link layer protocol.

 Frame Relay:
– Popular replacement for X.25, FR is a switched data link layer protocol
that handles multiple virtual circuits.
– Newer technologies (e.g., MPLS, cable, and DSL) are now replacing FR.
• However areas lacking these can at least get 64-kbit/s FR line therefore a
retail chain may use FR to connect stores to their WAN.

 ATM:
– International standard for cell relay which supports multiple service types
(e.g., voice, video, or data) in fixed-length (53-byte) cells.
– ATM takes advantages of high-speed transmission media such as T3 /
E3 and SONET.

26
HLDC Frame Format
 HDLC is a data link layer protocol developed by the ISO.
– Based on IBM’s SDLC, it provides both connection-oriented and
connectionless service.

 HDLC defines a Layer 2 framing structure that allows for flow

control and error control through the use of acknowledgments.
– Each frame has the same format, whether it is a data frame or a control
frame.
– It uses a frame delimiter, or flag, to mark the beginning and the end of
each frame.

27
HLDC Frame Format
 HDLC supports only single-protocol environments
 Therefore, to provide multiprotocol support, Cisco HDLC
frames contain a field for identifying the network protocol being
encapsulated.
– Cisco HDLC may not be compatible with another vendor’s HDLC.

28
Configuring HDLC Encapsulation
 Cisco HDLC is the default encapsulation method used by
Cisco devices on synchronous serial lines.
– If you are connecting to a non-Cisco device, use synchronous PPP.

29
Troubleshooting a Serial Connection
R1# show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  Internet address is 172.16.0.1/30
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:03, output 00:00:04, output hang never
  Last clearing of "show interface" counters 1w0d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     219 packets input, 15632 bytes, 0 no buffer
     Received 218 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     217 packets output, 14919 bytes, 0 underruns
     0 output errors, 0 collisions, 107 interface resets
     0 output buffer failures, 0 output buffers swapped out
     12 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

<output omitted>

30
2.2 Introducing PPP

Accessing the WAN – Chapter 2

31
Point-to-Point Concepts
 General all purpose point-to-point protocol.
– Based on HDLC frame format, PPP is a standards-based, non-
proprietary point to point protocol.
– It was developed to provide a Layer 2 support for IP, IPX/SPX, and
Appletalk.

 PPP RFCs:
– RFC 1220– PPP Extensions for Bridging
– RFC 1492– Access Control Protocol or TACACS
– RFC 1549– PPP in HDLC Framing
– RFC 1570– PPP LCP Extensions
– RFC 1661– The Point-to-Point Protocol (PPP)
– RFC 1990– MLP Standard

32
PPP Frame Structure

01111110 11111111 00000011 00000000 00000000 00000010 00000001 | payload | fcs | 01111110
Broadcast Leftover 0x0021 identifies this as an IPv4 datagram. Performs
from CRC
HDLC. similar to
Ethernet.
Can be 16
of 32 bits.

http://www.cisco.com/en/US/docs/internetworking/technology/handbook/PPP.html
http://www.tcpipguide.com/free/t_PointtoPointProtocolPPP.htm

33
PPP Components
 Family of Network Control
Protocols (NCPs) for establishing
and configuring IP, IPX, or
Appletalk.

 Extensible Link Control Protocol

(LCP) to establish, configure, and
test the data link connection.
– Supports authentication, callback,
compression, and multilink

 HDLC for encapsulating

datagrams over point-to-point
links.

34
Link Control Protocol (LCP)
 The LCP establishes, configures, and tests the connection.
– It is responsible for negotiating link establishment on point-to-point links.
– It handles varying limits on packet size
– Detects common mis-configuration errors
– It terminates the link upon user request or the expiration of an inactivity
timer.
– It can test the link to determine if link quality is sufficient to bring up the
link.
– Negotiate authentication parameters
– Negotiate compression parameters
– Negotiate error detection.

35
LCP Operation

Link
establishment

36
Three phases of PPP session establishment
 Phase 1: Link establishment and configuration negotiation
– LCP first opens the connection and negotiates configuration options.
– This phase is complete when the receiving router sends a configuration-
acknowledgment frame back to the router initiating the connection.

“Let’s negotiate.”

37
Three phases of PPP session establishment
 Phase 2: Link quality determination (optional)
– LCP tests the link to determine whether the link quality is sufficient to
bring up network layer protocols.
– LCP can delay transmission of network layer protocol information until
this phase is complete.

“Maybe we should discuss some details about quality. Or, maybe not …”

38
Three phases of PPP session establishment
 Phase 3: Network layer protocol configuration negotiation
– After the LCP has finished the link quality determination phase, the
appropriate NCP can separately configure the network layer protocols,
and bring them up and take them down at any time.
– If the LCP closes the link, it informs the network layer protocols so that
they can take appropriate action.

“Ok, I will leave it to the NCPs to discuss higher level details.”

39
Phase 1: LCP Operation
 PPP can be configured to support various functions including:

Authentication
using either PAP
or CHAP

Using either
Stacker or
Predictor

Combining two or
more channels to
increase the WAN
bandwidth

40
Phase 1: LCP Operation
 To negotiate the use of these PPP options, the Data field of
the LCP link-establishment frame contains an Option
Information field.
– If a configuration option is not included in an LCP frame, the default
value for that configuration option is assumed.

41
Phase 1: LCP - Authentication
Authentication
Used as a security measure
with PPP and PPP callback

 Peer routers exchange authentication messages.

 Two authentication choices:
– Password Authentication Protocol (PAP) configured using the ppp
authentication pap interface configuration command.
– Challenge Handshake Authentication Protocol (CHAP) configured using
the ppp authentication chap interface configuration command.

42
Phase 1: LCP - PPP Callback
Callback
Used to provide call and
dialup billing consolidation

 To enhance security, Cisco IOS Release 11.1 and later offers

callback over PPP.
– With this LCP option, a Cisco router can act as a callback client or a
callback server.
– The client makes the initial call, requests that the server call it back, and
terminates its initial call.
– The callback router answers the initial call and makes the return call to
the client based on its configuration statements.

 PPP Callback is configured using the ppp callback

[accept | request] interface configuration command.

43
Phase 1: PPP Callback

44
Phase 1: LCP - Compression
Compression
Used to improve throughput
across existing lines

 Increases the effective throughput by reducing the amount of

data in the frame.
– The protocol compresses the data at the source and decompresses the
frame at its destination.
– Compression may add latency.
– Two compression protocols are supported: Predictor and Stacker.

45
Phase 1: LCP - Multilink

Multilink
Takes advantage of multiple
bearer channels to improve
throughput

 Cisco IOS Release 11.1 and later supports Multilink PPP.

– Also referred to as MP, MPPP, MLP, or Multilink.

 This alternative provides load balancing over the router

interfaces that PPP uses.
– It provides a method for spreading traffic across multiple physical WAN
links while providing packet fragmentation and reassembly, proper
sequencing, multivendor interoperability, and load balancing on inbound
and outbound traffic.

46
Phase 2: LCP - Link Quality Monitoring
 The ppp quality command ensures that the link meets the
quality requirement set, otherwise the link closes down.
– The percentages are calculated for both incoming and outgoing
directions.

 If the link quality percentage is not maintained, the link is

deemed to be of poor quality and is taken down.
– For example, ppp quality 80 will drop the link if the number of
received packets falls below 80% of the packets sent.

47
Phase 2: LCP - Link Quality Monitoring
 This phase is complete when a configuration acknowledgment
frame has been sent and received.

 After the link has been initiated, the LCP passes control to the
appropriate NCP.

48
Phase 3: NCP Negotiation

NCP
negotiation

49
Phase 3: NCP
 PPP permits multiple network layer protocols to operate on the
same physical link.

 For every network layer protocol used, PPP uses a separate

NCP.
– IP uses the IP Control Protocol (IPCP)
– IPX uses the Novell IPX Control Protocol (IPXCP).

50
More LCP Operation

Link
maintenance

Link
termination

51
2.3 Configuring PPP

Accessing the WAN – Chapter 2

52
Configuring PPP
 Configure PPP in interface configuration mode:
Router(config)# interface s0/0/0
Router(config-if)# encapsulation ppp

 To remove PPP …

Router(config-if)# encapsulation hdlc

 or

Router(config-if)# no encapsulation ppp

53
Verifying a Serial PPP Connection
R1# show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:07, output 00:00:07, output hang never
  Last clearing of "show interface" counters 00:00:11
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     6 packets input, 76 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7 packets output, 84 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up 54
Verifying and Troubleshooting

55
Verifying and Troubleshooting
debug ppp {packet | negotiation | error | authentication | compression | cbcp}

Parameter Usage
Displays PPP packets being sent and received. (This command displays low-level
packet
packet dumps.)

Displays PPP packets transmitted during PPP startup, where PPP options are
negotiation
negotiated.

Displays protocol errors and error statistics associated with PPP connection
error
negotiation and operation.

Displays authentication protocol messages, including Challenge Authentication

authentication Protocol (CHAP) packet exchanges and Password Authentication Protocol (PAP)
exchanges.

Displays information specific to the exchange of PPP connections using MPPC.

compression This command is useful for obtaining incorrect packet sequence number
information where MPPC compression is enabled.

Displays protocol errors and statistics associated with PPP connection

cbcp
negotiations using MSCB.

56
debug ppp negotiation Command
R2# debug ppp negotiation

ppp: sending CONFREQ, type = 4 (CI_QUALITYTYPE), value = C025/3E8

ppp: sending CONFREQ, type = 5 (CI_MAGICNUMBER), value = 3D56CAC
ppp: received config for type = 4 (QUALITYTYPE) acked
ppp: received config for type = 5 (MAGICNUMBER) value = 3D567F8 acked (ok)
PPP Serial2: state = ACKSENT fsm_rconfack(C021): rcvd id 5
ppp: config ACK received, type = 4 (CI_QUALITYTYPE), value = C025
ppp: config ACK received, type = 5 (CI_MAGICNUMBER), value = 3D56CAC
ppp: ipcp_reqci: returning CONFACK.
(ok)
PPP Serial2: state = ACKSENT fsm_rconfack(8021): rcvd id 4

 The “ppp: ipcp_reqci: returning CONFACK” means that the

router has agreed on IP parameters and that LCP has been
negotiated successfully.

57
debug ppp packet Command
R2# debug ppp packet

PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48

PPP Serial2(i): pkt type 0xC025, datagramsize 52
PPP Serial2(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial2(i): pkt type 0xC021, datagramsize 16
PPP Serial2: I LCP ECHOREQ(9) id 3 (C) magic D3454
PPP Serial2: input(C021) state = OPEN code = ECHOREQ(9) id = 3 len = 12
PPP Serial2: O LCP ECHOREP(A) id 3 (C) magic D21B4
PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial2(i): pkt type 0xC025, datagramsize 52
PPP Serial2(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial2(i): pkt type 0xC021, datagramsize 16
PPP Serial2: I LCP ECHOREQ(9) id 4 (C) magic D3454
PPP Serial2: input(C021) state = OPEN code = ECHOREQ(9) id = 4 len = 12
PPP Serial2: O LCP ECHOREP(A) id 4 (C) magic D21B4
PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial2(i): pkt type 0xC025, datagramsize 52
PPP Serial2(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial2(i): pkt type 0xC021, datagramsize 16
PPP Serial2: I LCP ECHOREQ(9) id 5 (C) magic D3454
PPP Serial2: input(C021) state = OPEN code = ECHOREQ(9) id = 5 len = 12
PPP Serial2: O LCP ECHOREP(A) id 5 (C) magic D21B4
PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial2(i): pkt type 0xC025, datagramsize 52
PPP Serial2(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial2(i): pkt type 0xC021, datagramsize 16
PPP Serial2: I LCP ECHOREQ(9) id 6 (C) magic D3454
PPP Serial2: input(C021) state = OPEN code = ECHOREQ(9) id = 6 len = 12
PPP Serial2: O LCP ECHOREP(A) id 6 (C) magic D21B4
PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48
PPP Serial2(i): pkt type 0xC025, datagramsize 52
PPP Serial2(i): lcp_rlqr() state = OPEN magic = D3454, len = 48
PPP Serial2(i): pkt type 0xC021, datagramsize 16
PPP Serial2: I LCP ECHOREQ(9) id 7 (C) magic D3454
PPP Serial2: input(C021) state = OPEN code = ECHOREQ(9) id = 7 len = 12
PPP Serial2: O LCP ECHOREP(A) id 7 (C) magic D21B4
PPP Serial2(o): lcp_slqr() state = OPEN magic = D21B4, len = 48 58
debug ppp error Command
R2# debug ppp error

PPP Serial3(i): rlqr receive failure. successes = 15

PPP: myrcvdiffp = 159 peerxmitdiffp = 41091
PPP: myrcvdiffo = 2183 peerxmitdiffo = 1714439
PPP: threshold = 25
PPP Serial2(i): rlqr transmit failure. successes = 15
PPP: myxmitdiffp = 41091 peerrcvdiffp = 159
PPP: myxmitdiffo = 1714439 peerrcvdiffo = 2183
PPP: l->OutLQRs = 1 LastOutLQRs = 1
PPP: threshold = 25
PPP Serial3(i): lqr_protrej() Stop sending LQRs.
PPP Serial3(i): The link appears to be looped back.

59
2.4 PPP Authentication
Protocols

Accessing the WAN – Chapter 2

60
PPP Authentication
 PPP can be configured to authenticate its peer before allowing
Phase 3: NCP.
– RFC 1334, and RFC 1994 define two protocols for authentication.

 Password Authentication Protocol (PAP) is a very basic two-

way process.
– There is no encryption-the username and password are sent in plain text.
– If it is accepted, the connection is allowed.
– Considered obsolete.

 Challenge-Handshake Authentication Protocol (CHAP) is

more secure than PAP.
– It involves a three-way exchange of a shared secret.

61
PPP Authentication
 The authentication phase of a PPP session is optional.

 The authentication options require that the calling side of the

link enter authentication information.
– This helps to ensure that the user has the permission of the network
administrator to make the connection.
– Peer routers exchange authentication messages.

62
PPP Authentication
 A username / password is required and is configured using:
– The local database
• It compares the entry with the username password commands to see
whether the given username / password pair are a match (CHAP or PAP)
– A security server
• TACACS+ or Remote Access Dial-In User Service (RADIUS)

63
PPP Authentication
 The system checks the authentication response sent back
from the security server or local database.
– If it’s a positive response, the access server starts the PPP process.
– If it’s negative, the access server rejects the user immediately.
– If no authentication is configured, the PPP process starts immediately.

64
Configuring PPP with Authentication
ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default]
[callin]

Parameter Usage
chap Enables CHAP on a serial interface.

pap Enables PAP on a serial interface.

chap pap Enables both CHAP and PAP, and performs CHAP authentication before PAP.

pap chap Enables both CHAP and PAP, and performs PAP authentication before CHAP.

(Optional) Used with TACACS and XTACACS.

if-needed Do not perform CHAP or PAP authentication if the user has already provided authentication.
This option is available only on asynchronous interfaces.
Used with AAA/TACACS+. Specifies the name of a list of TACACS+ methods of authentication to
list-name use.
(Optional) If no list name is specified, the system uses the default. Lists are created with the aaa
authentication ppp command.

default
Used with AAA/TACACS+. Created with the aaa authentication ppp command.
(Optional)

callin Specifies authentication on incoming (received) calls only.

65
PPP Authentication
 Both PAP and CHAP can simultaneously be enabled on an
interface.
– The first method specified is initially requested during link negotiation.
– If it’s refused, the second method is tried.

66
PAP Authentication
 PAP provides a simple method for a remote node to establish
its identity using a two-way handshake.

 PAP is not interactive.

– When the ppp authentication pap command is used, the
username and password are sent as one LCP data package, rather than
the server sending a login prompt and waiting for a response.

67
PAP Authentication
 PAP is not a strong authentication protocol.
– PAP sends passwords across the link in clear text.
– It can be spoofed to allow playback attacks therefore there is no
protection from playback or repeated trial-and-error attacks.
– The remote node is in control of the frequency and timing of the login
attempts.

 PAP may be used in the following environments:

– A large installed base of client applications that do not support CHAP
– Incompatibilities between different vendor implementations of CHAP

68
PAP Authentication Process
 After PPP completes the link establishment phase, the remote
node repeatedly sends a username-password pair across the
link until the other router acknowledges it or terminates the
connection.

69
PAP Authentication Process
 At the receiving router, the username-password is checked by
the router and it either allows or denies the connection.
– An accept or reject message is returned to the requester.

70
PAP example

71
CHAP Authentication
 Unlike PAP, which only authenticates once, CHAP conducts
periodic challenges to make sure that the remote node still has
a valid password value.
– The password value is variable and changes unpredictably while the link
exists.
– CHAP is more secure because the password is encrypted.

 CHAP requires the same password to be used on both

ends.
– Usernames and passwords are case sensitive.

72
CHAP Authentication
 CHAP provides protection against playback attack by using a
variable challenge value that is unique and unpredictable.

 Because the challenge is unique and random, the resulting

hash value is also unique and random.
– CHAP uses a challenge/response that is based on the MD5 hash
algorithm.
– The use of repeated challenges limits the time of exposure to any single
attack.

 The local router or a third-party authentication server is in

control of the frequency and timing of the challenges.

73
CHAP Authentication Process
 After the PPP link establishment phase is complete, the
remote router sends a challenge message to the other router.

74
CHAP Authentication Process
 The other router responds with a value calculated using a one-
way hash function, which is typically Message Digest 5 (MD5)
based on the password and challenge message.

75
CHAP Authentication Process
 The local router checks the response against its own
calculation of the expected hash value.
– If the values match, the initiating node acknowledges the authentication.
– Otherwise, it immediately terminates the connection.

76
Detailed CHAP Authentication Process
 R1 initially negotiates the link connection using LCP with router
R2 and the two systems agree to use CHAP authentication
during the PPP LCP negotiation.

77
Detailed CHAP Authentication Process
 Router R2 generates an ID and a random number and sends
that plus its username as a CHAP challenge packet to R1.

78
Detailed CHAP Authentication Process
 R1 will use the username of the challenger (R2) and cross
reference it with its local database to find its associated
password.
– R1 will then generate a unique MD5 hash number using the R2's
username, ID, random number and the shared secret password.

79
Detailed CHAP Authentication Process
 Router R1 then sends the challenge ID, the hashed value, and
its username (R1) to R2.

80
Detailed CHAP Authentication Process
 R2 generates it own hash value using the ID, the shared
secret password, and the random number it originally sent to
R1.

81
Detailed CHAP Authentication Process
 Finally, R2 compares its hash value with the hash value sent
by R1.
– If the values are the same, R2 sends a link established response to R1.

82
CHAP example

83
Troubleshooting PPP Authentication
 Explain the output of the debug ppp authentication
command

R2# debug ppp authentication

Serial0: Unable to authenticate. No name received from peer

Serial0: Unable to validate CHAP response. USERNAME pioneer not found.
Serial0: Unable to validate CHAP response. No password defined for USERNAME pioneer
Serial0: Failed CHAP authentication with remote.
Remote message is Unknown name
Serial0: CHAP input code = 4 id = 3 len = 48

84
85