Point to Point Protocol (PPP) Tutorial
PAP and CHAP Configuration
Configure PAP and CHAP is rather easy. First we need to enable PPP encapsulation, then specify if PAP or CHAP will be used with the “ppp authentication pap” or “ppp authentication chap” command.
PAP Configuration
In many CCNA books you will see two routers authenticate each other and their configurations are identical. But we wish you to understand the difference in the configuration of Client and Server. So in this example we only want the Server to authenticate the Client router, not vice versa.
| Client(config)#int s1/0 Client(config-if)#encapsulation ppp Client(config-if)#ppp pap sent-username CLIENT1 password TUT Client(config-if)#no shutdown |
Server(config)#username CLIENT1 password TUT Server(config)#int s1/1 Server(config-if)#encapsulation ppp Server(config-if)#ppp authentication pap Server(config-if)#no shutdown |
Of course we have to enable PPP in both routers first with the “encapsulation ppp” command. Server router is the one who will authenticate when receiving username & password from Client so we need to use the “ppp authentication pap” command to tell the router to authenticate via PAP.
In Server router we also need to create an username and password entry to match the username & password sent from Client with the “username CLIENT1 password TUT” command.
Notice that in Client configuration we can specify a username (CLIENT1) that is different from its hostname (in this case Client) with the “ppp pap sent-username …” command. Client will use CLIENT1 as its username to authenticate with the Server.
If your configuration is correct then you will see the status “up/up” on your serial interfaces.
| Note: Please do not use the “ppp authentication pap” command on Client router as we don’t want the Client to authenticate the Server. If you use this command the PPP link would fail because Server is not configured to send username and password to Client! |
CHAP Configuration
The CHAP configuration is rather similar to the PAP configuration so we will not explain more.
| Client(config)#interface Serial 1/0 Client(config-if)#encapsulation ppp Client(config-if)#ppp chap hostname CLIENT1 Client(config-if)#ppp chap password TUT Client(config-if)#no shutdown |
Server(config)#username CLIENT1 password TUT Server(config)#interface Serial 1/1 Server(config-if)#encapsulation ppp Server(config-if)#ppp authentication chap Server(config-if)#no shutdown |
| Note: Please do not use the “ppp authentication chap” command on Client router as we don’t want the Client to authenticate the Server. If you use this command the PPP link would fail because Server is not configured to send username and password to Client! |
Verification the Serial Encapsulation Configuration
We can use the “show interface <interface>” command to see the configured encapsulation type of that Serial interface and the LCP, NCP states if PPP encapsulation is configured.
Client#show interface s1/0
Serial1/0 is up, line protocol is up
Hardware is M4T
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Open: CDPCP, crc 16, loopback not set
We can see interface Serial1/0 is configured with PPP encapsulation. The LCP state is “open” which means the negotiation and session establishment are good. The “Open: CDPCP” line tells us the NCP is listening for the Cisco Discovery Protocol (CDP) protocol.
An useful debug command to check PPP authentication is the “debug ppp authentication” or “debug ppp negotiation” command.
