Introduction to PPP on Cisco IOS Router

Hi Rene,

Could you give any practical example for the usage of PPP ?

I am still interested in understanding the usage part for this protocol.

Hi Taran,

A common example nowadays is PPPoA (PPP over ATM) or PPPoE (PPP over Ethernet) that is used for DSL sometimes:

How to configure PPPoA DSL

PPPoE Server

Rene

Hi Rene,

When you say, “This is used for loopback detection”, What do you mean by loopback? Are you saying this just means there is a return path? Is the magic number just a randomly generated hex string?

Matt.

Hi Matt W,

The Magic number is randomly generated and provides a way to detect looped-back links and other Data Link Layer anomalies. This Configuration Option may be required by some other Configuration Options such as the Link-Quality-Monitoring Configuration Option.

When the node sends PPP LCP messages, these messages may include a magic number. If a line is looped, the node receives an LCP message with its own magic number, instead of getting a message with the peer’s magic number.

Now what is looped? For this I give you an example: To test a circuit, the phone company might loop the circuit.This means that the phone company takes the electrical signal sent by the CPE device and sends the same electrical current right back to the same device.
As for routers, they cannot send bits to each other while the link is looped. The router might not notice that the link is looped, because the router is still receiving something over the link! PPP helps the router recognize a looped link quickly

I hope I could answer your question.

How about a PAP example too? I used the following commands:

Username TRINITY password cisco

int s0/0
   encapsulation ppp
   ppp authentication pap
   ppp pap sent-username NEO password cisco

But I get the following error:

AAA/AUTHEN/PPP (0000010F): Pick method list 'default'

Hello Chris

In order for PPP authentication to use the PAP password that you have configured, it is necessary to specify the method by which AAA will occur for PPP. By default, the local database is used, that is the credentials created with the username my_username password my_password command. If that has not been set, then authentication cannot take place. Note that what you have configured about is the “calling” side. The other side must be configured with this username and password.

Cisco has excellent documentation on how to set up the PAP connection for PPP. Take a look at their step by step instructions and their examples, and I believe you should be able to troubleshoot the issue.

Let us know how it goes! I hope this has been helpful!

Laz

Hi Rene
When when authentication fail the router still keep sending authentication request. would it effect to performance of router?

Hello Heng

The resources, CPU power and memory used to send the authentication requests is minimal. It is configured in this way so that if the problem of authentication is on the other end of the link, when it is fixed, the link should come up immediately. It would not affect the performance of the router…

I hope this has been helpful!

Laz

Is this protocol use only connection using serial link ?

Hello Heng

Point to Point Protocol is a data link layer communications protocol It provides authentication transmission encryption and compression. Because it is used on Cisco devices primarily for serial connections, it is often associated with serial, but this is by no means the case. It can be used over many types of physical networks including serial cable, phone line, mobile network, wireless links and fibre optic links such as SONET.

I hope this has been helpful!

Laz

Hello team

When we want to enable serial authentication between two routers via PAP or CHAP, do we have to configure both routers as authenticator and to be authenticated for each one? In your CHAP example configuration could we consider R1 as authenticator and omit the command ppp authentication CHAP in R2 as R2 will be the to be authenticated router? Also even if a router is to be authenticated router, does it need the command ppp authentication PAP / CHAP?

Hello Markos,

This is not required, you can have one-way or two-way authentication. If you use PPP between two sites then usually we use two-way authentication. An ISP often uses one-way authentication just to check the customer username/password.

Here’s an example of one way authentication:

Customer#
interface Serial0/0/0
ip address 192.168.12.1 255.255.255.0
encapsulation ppp
ppp chap hostname CUSTOMER
ppp chap password 0 MY_PASSWORD
ISP#
username CUSTOMER password 0 MY_PASSWORD

interface Serial0/0/0
ip address 192.168.12.2 255.255.255.0
encapsulation ppp
ppp authentication chap

Hope this helps!

Rene

Thank you Rene
Your explanation was indeed very helpful!

Was hoping someone could check my thought process on how PPP works.
The below is from a cisco article.

“Active Discovery Phase—In this phase, the PPPoE client locates a PPPoE server, called an access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.”
To me this sound like the active discover phase relies on LCP to do all the work

“PPP Session Phase—In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.”
To me this sounds like the session phase uses a combination of LCP and NCP. LCP being used for option negotiation and authentication and NCP being used for the rest.

Am I on the right track or am I missing anything? Thanks for any help anyone can provide.

Hi Kevin,

These two phases are unique to PPPoE. The RFC provides some details:

https://tools.ietf.org/html/rfc2516

To provide a point-to-point connection over Ethernet, each PPP session must learn the Ethernet address of the remote peer, as well as establish a unique session identifier. PPPoE includes a discovery protocol that provides this.

PPPoE has two distinct stages. There is a Discovery stage and a PPP Session stage. When a Host wishes to initiate a PPPoE session, it must first perform Discovery to identify the Ethernet MAC address of the peer and establish a PPPoE SESSION_ID. While PPP defines a peer-to-peer relationship, Discovery is inherently a client-server relationship. In the Discovery process, a Host (the client) discovers an Access Concentrator (the server). Based on the network topology, there may be more than one Access Concentrator that the Host can communicate with. The Discovery stage allows the Host to discover all Access Concentrators and then select one. When Discovery completes successfully, both the Host and the selected Access Concentrator have the information they will use to build their point-to-point connection over Ethernet.

Rene

Forgive me. Ive never really dealt with serial links before. So why do we care about authentication when it comes to serial links? Why is it important? What exactly is being authenticated? One router is authenticating another router? Is this to prevent rogue routers? Does a Gigabit or Fast Ether router interface not deal with PPP or CHAP authentication?

@jmwalker24 The reason you would care is if you are an ISP. If you are serving customers a DSL connection you want to making sure only paying customers can use your network. Since PPPoE (which uses PPP )is used for DSL connections you can use PAP and CHAP authentication to keep unwanted users off your network. I hope this helps!

Thanks,
Scott Weller

1 Like

Hello Rene and Laz,
I hate to admit this but I am not 100% clear with what happens in PPP chap authentication.

CHAP AUTHENTICATION:
From the lesson Introduction to PPP on Cisco IOS, it says
-On the left side we have a router with hostname R1.
-On the right side we have arouter without a hostname but is has the username R1 password CCNA configured in a local db

R1----------Serial-----------R2

  1. --------Challenge----------> 1st question: What is happening here? Is the challenge also sent as
    hash?
  2. <-------Response-----------
  3. ----------Accept------------->

In order for the above to happen does R1 have to be set up with
ppp authentication chap? Meaning, R1 will be doing the authenticating and R2 is the one that is sending the username and password? Does this mean that when R1 is configured with the ppp authentication chap, it will keep sending a challenge out its Serial port until it receives a response from R2?

PAP Authentication
R1----------Serial-----------R2

  1. <--------Challenge----------
  2. ----------Accept------------->
    In the PAP case that was described in the lesson, does now R2 have to have the ppp authentication chap and R1 use the ppp pap sent-username R1 password CCNA?
    In this case does R1, who is potentially doing the authentication WAIT for R2 to sent the username and password as opposed to sending a challenge in order to trigger a response from R2? Is this the way it works?

I am attaching the images from the Ciscos ICND2 200-101 book for pap and chap respectively. Notice the WAIT ON THE OTHER ROUTER and ASK THE OTHER ROUTER on the illustrations

I am trying to understand how it works and what triggers these two processes. It seems to me that in chap the authenticating router is the one that begins the process and in pap, the router wanting to be authenticated is the one that triggers the process.

Thanks for your help!
–G

Hello G,

In short, no – its not a hash. Challenge contains pseudo randomly generated number. Cisco routers are randomly generating 128 bit number, so it may be missleading because MD5 hash also has 128bits, but this value in challenge frame is just a random number.

This is correct, when you configure “ppp authentication chap” on interface, router starts to send challenge frames out of this interface every 2 seconds. Each challenge frame has increased sequence number and new generated random number (128 bit random number in case of Cisco). The command “ppp authentication chap” tells the router to authenticate the other end of link with CHAP.
On the other hand with PAP and command “ppp authentication pap” we are telling the router to authenticate device on the other end of line with PAP, thus we are requiring PAP from him. In case of PAP, the device, that wants to be authenticated has to generage ppp pap frame and include its credentials in it.

You should edit your pencil notes in the book for CHAP:

  • (1) Challenge! Contains [code = 0x01; sequence ID; random#; challenger name]
  • (2) Response! Contains [code = 0x02; sequence ID; hash; responder name], hash value here is based on [sequence ID; password; random# from Challenge!], the order matters here.
  • (3) Success or Failure! Contains [code; sequence ID]. Code for Success is 0x03, for Failure 0x04, sequence ID is copied from response frame.

Whole 3-way CHAP handshake has same sequence ID in all 3 frames.
You should erase “undoes hash” pencil note. The whole hashing mechanisms are based on the fact that hashing is NOT reversible process. Once we are able to reverse hashing process then the hashing algorithm is no more considered secure. MD5 is not considered secure since 2012.
What router that receives chap response does is that he generates his own MD5 hash based on data from received response [sequence ID; password for reponder name in local database; random# generated for this sequence ID], compares generated MD5 hash with hash received in chap Response, if it is same = Success, if it is different = Failure.

It may be confusing to understand it just from text so for better imagination there is a small lab.
ppp%20authentication
Lets say we want Router1 to authenticate Router2 using CHAP and Router2 wants to authenticate Router1 using PAP.

We start with CHAP. Router1 requires CHAP authentication from Router2.

Router1(config)# interface s1/0
Router1(config-if)# ppp authentication chap

CHAP verifies the identity of the peer using a three-way handshake (means there are 3 frames between peers in total for authentication). Right after PPP LCP is Open and CHAP+MD5 is negotiated for authentication between endpoint devices, following 3 messages happens:

Challenge (message 1, generated by Router1)
Device that requires authenticaion on interface generates challenge message and sends it to the peer.
This challenge message is generated every 2 seconds and contains:

  • 01: challenge frame type identifier code. Challenge has always code 1.
  • ID: sequentially increasing number that identifies the challenge.
  • random: 16 byte pseudo random number generated by the challenger (CHAP requiring device).
  • device name = name of the challenger (CHAP requiring device, in our case Router1).

Response (message 2, generated by Router2)
Device that receives challenge (its the device that has to authenticate). First it has to figure what password to use for authentication.
It can identify required password in two ways.

  • Use specific, manually configured password (by using ppp chap password).
  • Username lookup. If specific username and password, that have to be send are not configured, then device is going to look for “device name” (value received in challenge frame, in our case “Router1”) in its local username database and use password that is associated with that username. As you have this example in Networklessons article Im going to use specific username/password configuration.

Configure specific username and password for CHAP reponse.

Router2(config)# int s1/1                    
Router2(config-if)# ppp chap hostname CHAPclient
Router2(config-if)# ppp chap password CHAPpassword

Now responding device is going to start building string from [ID, configured password, received random#], this string is used as input for MD5 hashing algorithm and final output of hashing algorithm is hash, that is send in response frame.
Response frame has this format.

  • 02: reponse frame type identifier. Response has always code 02.
  • ID: this value is copied from ID field of challenge frame, thus its same to identify each other.
  • hash: contains MD5 hashed value of generated string
  • device name = name of the responding device (in our case CHAPclient, because it was configured to send).

Result (message 3, generated by Router1)
In case authentication fails, a CHAP failure frame is generated and contains:

  • 04: failure identifier. Always code 04.
  • ID: copied from the response frame.

In case we configure username and password for our client.

Router1(config)# username CHAPclient password 0 CHAPpassword
Router1(config)# username CHAPclient autocommand logout

Authentication passes, Success message is generated:

  • 03: success frame identifier. Always code 03.
  • ID: copied from the response frame.

With PAP its pretty straightforward, We want Router2 to authenticate Router1 using PAP, thus we have to create credentials for Router1, just configure username and password.

Router2(config)# username PAPclient password PAPpassword
Router2(config)# username PAPclient autocommand logout
Router2(config)# interface s1/1
Router2(config-if)# ppp authentication pap
Router2(config-if)# end

Right now, Router2 is not doing anything to authenticate Router1, its waiting for Router1 to send its credentials.
Configure Router1 to invoke sending of PAP credentials.

Router1(config)# interface s1/0
Router1(config-if)# ppp pap sent-username PAPclient password PAPpassword
Router1(config-if)# end

Right now are interfaces in up/up state.
PAP is using just 2-way handshake (means there are only two messages in authentication process).

Im including Wireshark capture of CHAP and PAP authentication process, so you can look at it.
PPP Authentication – PAP and CHAP.pcapng (536 Bytes)

  • First 4 frames are for LCP and negotiation of authentication protocol PAP vs CHAP+MD5.
  • Frame 5 and 8 are two PAP messages.
  • Frame 6,7 and 9 are three CHAP messages.
1 Like

Thank you very much fugazz, your explanation really did help.


Here are the updated notes on my book. :slight_smile:
I do have a question though, why would I want to use:
Router1(config)# username CHAPclient autocommand logout ??

–Regards
G