ppp authentication (BNG)
To enable Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, or Password Authentication Protocol (PAP), and to specify the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface, use the ppp authentication command in an appropriate configuration mode. To disable PPP authentication, use the no form of this command.
ppp authentication protocol [protocol [protocol]] {list-name | default}
Syntax Description
protocol | Name of the authentication protocol used for PPP authentication. See Table 1 for the appropriate keyword. You may select one, two, or all three protocols, in any order. |
list-name | (Optional) Used with authentication, authorization, and accounting (AAA). Name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command. |
default | (Optional) Specifies the name of the list of methods created with the aaa authentication ppp command. |
Command Default
PPP authentication is not enabled.
Command Modes
Interface configuration
Dynamic template configuration
Command History
Release | Modification |
---|---|
Release 3.9.0 | This command was introduced. |
Release 4.2.0 | This command was supported in the dynamic template configuration mode for BNG. |
Usage Guidelines
When you enable CHAP or PAP authentication (or both), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a response message. The local router attempts to match the remote device’s name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.
You can enable CHAP, MS-CHAP, or PAP in any order. If you enable all three methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the remote device’s ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.
To enter dynamic template configuration mode, run the dynamic-template command in Global Configuration mode.
Note | If you use a list-name value that was not configured with the aaa authentication ppp command, then authentication does not complete successfully and the line does not come up. |
Table 1 lists the protocols used to negotiate PPP authentication.
Protocol | Description |
---|---|
chap | Enables CHAP on an interface. |
ms-chap | Enables Microsoft’s version of CHAP (MS-CHAP) on an interface. |
pap | Enables PAP on an interface. |
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication. In this case, authentication occurs between a personal computer using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
Task ID
Task ID | Operations |
---|---|
ppp | read, write |
aaa | read, write |
Examples
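The following example enables CHAP on interface POS 0/4/0/1 and uses the AAA method list MIS-access:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface POS 0/4/0/1
RP/0/RSP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RSP0/CPU0:router(config-if)# ppp authentication chap MIS-access

The following example enables CHAP, MS-CHAP, and PAP, in that order, in the PPP dynamic template p1. No list name is given, so the system uses the default list:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# dynamic-template type ppp p1
RP/0/RSP0/CPU0:router(config-dynamic-template-type)# ppp authentication chap ms-chap pap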
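
The usage guidelines above can be checked against a saved configuration. The following Python audit is an added example, not part of the Cisco documentation: it flags ppp authentication lines that enable PAP, that request PAP first, or that name a method list never created with aaa authentication ppp. The sample configuration, the DIALIN list name, the function name audit_ppp_auth, and the indented running-config layout it parses are assumptions made for illustration.

```python
import re

PROTOCOLS = {"chap", "ms-chap", "pap"}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa authentication ppp MIS-access group radius local
!
interface POS0/4/0/1
 encapsulation ppp
 ppp authentication chap MIS-access
!
interface POS0/4/0/2
 encapsulation ppp
 ppp authentication pap chap DIALIN
!
dynamic-template
 type ppp p1
  ppp authentication chap ms-chap pap
!
"""

def audit_ppp_auth(config):
    """Return (context, finding) tuples, in config order, for ppp authentication lines."""
    lines = config.splitlines()
    # Method lists created with: aaa authentication ppp <list-name|default> <methods>
    defined = {m.group(1) for l in lines
               if (m := re.match(r"aaa authentication ppp (\S+)", l.strip()))}
    findings, stack = [], []   # stack: (indent, text) of the enclosing config blocks
    for raw in lines:
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if text.startswith("ppp authentication "):
            context = " / ".join(t for _, t in stack) or "(global)"
            args = text.split()[2:]
            protos = [a for a in args if a in PROTOCOLS]
            rest = [a for a in args if a not in PROTOCOLS]   # optional list name
            if "pap" in protos:
                findings.append((context, "PAP enabled: name and password sent as clear text"))
            if protos and protos[0] == "pap":
                findings.append((context, "PAP is the first method requested in negotiation"))
            if rest and rest[0] != "default" and rest[0] not in defined:
                findings.append((context, f"method list '{rest[0]}' is not defined"))
        stack.append((indent, text))
    return findings
```

Calling audit_ppp_auth(SAMPLE_CONFIG) reports three findings for interface POS0/4/0/2 and one for the dynamic template p1; the MIS-access interface passes cleanly.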