- The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol packets over point-to-point links. PPP establishes communication in three phases: Link Control Protocol (LCP) phase for link configuration, optional authentication phase using Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP), and Network Control Protocol (NCP) phase for layer 3 configuration.
- PAP transmits passwords in clear text, while CHAP uses a hashed challenge-response so that peers are authenticated without the password itself being transmitted. The document provides configuration examples for PPP, PAP, and CHAP authentication between two routers to establish a point-to-point link.
• The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol packets over point-to-point links between two peers.
• In order to establish a communication link between two peers, each end of the PPP link must first send LCP packets to configure and test the data link.
• After the link has been established, the peer may be authenticated (optional). Then, PPP must send NCP packets to choose and configure one or more network-layer protocols.
• Once each of the chosen network-layer protocols has been configured, datagrams from each network-layer protocol can be sent over the link.
• The link will remain configured for communications until explicit LCP or NCP packets close the link down, or until some external event occurs.
PPP NEGOTIATION PHASES
• Link Control Protocol (LCP) phase: responsible for establishing the link, negotiating its configuration, and maintaining and terminating it. If this phase completes successfully the router may proceed to the optional authentication phase and then to the NCP phase.
• Authentication phase: an optional state in which the peers can authenticate each other using different methods. The authentication protocol is negotiated during the LCP phase; if the peers agree, a series of authentication messages is exchanged to verify the identity of the remote side. PPP defines two authentication protocols, PAP and CHAP.
• Network Control Protocol (NCP) phase: LCP invokes the network control protocol phase, which is specific to each layer 3 protocol. Each NCP negotiates parameters that are unique to its layer 3 protocol; for IP, the routers exchange IPCP messages to negotiate the IP-specific options.
• During the IPCP negotiation each PPP peer sends the IP address of its interface to its neighbour, which installs it as a /32 route.
• PPP supports many features, including data compression, Multilink PPP (MLPPP), loopback detection and link quality monitoring.
BASIC PPP CONFIGURATION:
• Router1 is directly connected to Router2 using a back-to-back serial link.
R1 configuration:
• int s1/1
• encapsulation ppp
• clock rate 128000
• ip address 192.168.12.1 255.255.255.0
• no shut
R2 configuration:
• int s1/1
• encapsulation ppp
• ip address 192.168.12.2 255.255.255.0
• no shut
VERIFICATION AND TROUBLESHOOTING:
R1#show interface s1/1
• Serial1/1 is up, line protocol is up
• Hardware is M4T
• Internet address is 192.168.12.1/24
• MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
• reliability 255/255, txload 1/255, rxload 1/255
• Encapsulation PPP, LCP Open
• Open: CDPCP, IPCP, crc 16, loopback not set
• ! -- output omitted--
R1(config-if)#do sh ip route
• Gateway of last resort is not set
• ! -- output omitted--
• 192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
• C 192.168.12.0/24 is directly connected, Serial1/1
• C 192.168.12.2/32 is directly connected, Serial1/1
R2(config-if)#do sh ip route
• ! -- output omitted--
• Gateway of last resort is not set
• 192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
• C 192.168.12.0/24 is directly connected, Serial1/2
• C 192.168.12.1/32 is directly connected, Serial1/2
• This is the output of the command debug ppp negotiation on R1, showing all PPP stages completed successfully.
• *Mar 2 00:50:28.205: Se1/1 PPP: Outbound cdp packet dropped
• *Mar 2 00:50:28.265: Se1/1 PPP: Outbound cdp packet dropped
• *Mar 2 00:50:28.329: Se1/1 PPP: Outbound cdp packet dropped
• *Mar 2 00:50:29.889: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
• *Mar 2 00:50:29.901: Se1/1 PPP: Using default call direction
• *Mar 2 00:50:29.905: Se1/1 PPP: Treating connection as a dedicated line
• *Mar 2 00:50:29.909: Se1/1 PPP: Session handle[F9000002] Session id[2]
• *Mar 2 00:50:29.913: Se1/1 PPP: Phase is ESTABLISHING, Active Open
• *Mar 2 00:50:29.917: Se1/1 LCP: O CONFREQ [Closed] id 42 len 10
• *Mar 2 00:50:29.925: Se1/1 LCP: MagicNumber 0x05613817 (0x050605613817)
• *Mar 2 00:50:30.349: Se1/1 LCP: I CONFREQ [REQsent] id 3 len 10
• *Mar 2 00:50:30.349: Se1/1 LCP: MagicNumber 0x0219B40C (0x05060219B40C)
• *Mar 2 00:50:30.353: Se1/1 LCP: O CONFACK [REQsent] id 3 len 10
• *Mar 2 00:50:30.357: Se1/1 LCP: MagicNumber 0x0219B40C (0x05060219B40C)
• *Mar 2 00:50:30.361: Se1/1 LCP: I CONFACK [ACKsent] id 42 len 10
• *Mar 2 00:50:30.365: Se1/1 LCP: MagicNumber 0x05613817 (0x050605613817)
• *Mar 2 00:50:30.369: Se1/1 LCP: State is Open
• *Mar 2 00:50:30.373: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
• *Mar 2 00:50:30.381: Se1/1 PPP: Phase is ESTABLISHING, Finish LCP
• *Mar 2 00:50:30.389: Se1/1 PPP: Phase is UP
• *Mar 2 00:50:30.389: Se1/1 IPCP: O CONFREQ [Closed] id 1 len 10
• *Mar 2 00:50:30.393: Se1/1 IPCP: Address 192.168.12.1 (0x0306C0A80C01)
• *Mar 2 00:50:30.397: Se1/1 CDPCP: O CONFREQ [Closed] id 1 len 4
• *Mar 2 00:50:30.405: Se1/1 PPP: Process pending ncp packets
• *Mar 2 00:50:30.417: Se1/1 IPCP: I CONFREQ [REQsent] id 1 len 10
• *Mar 2 00:50:30.421: Se1/1 IPCP: Address 192.168.12.2 (0x0306C0A80C02)
• *Mar 2 00:50:30.425: Se1/1 IPCP: O CONFACK [REQsent] id 1 len 10
• *Mar 2 00:50:30.425: Se1/1 IPCP: Address 192.168.12.2 (0x0306C0A80C02)
• *Mar 2 00:50:30.429: Se1/1 IPCP: I CONFACK [ACKsent] id 1 len 10
• *Mar 2 00:50:30.433: Se1/1 IPCP: Address 192.168.12.1 (0x0306C0A80C01)
• *Mar 2 00:50:30.433: Se1/1 IPCP: State is Open
• *Mar 2 00:50:30.449: Se1/1 IPCP: Install route to 192.168.12.2
• *Mar 2 00:50:30.465: Se1/1 IPCP: Add link info for cef entry 192.168.12.2
• *Mar 2 00:50:30.485: Se1/1 CDPCP: I CONFREQ [REQsent] id 1 len 4
• *Mar 2 00:50:30.489: Se1/1 CDPCP: O CONFACK [REQsent] id 1 len 4
• *Mar 2 00:50:30.493: Se1/1 CDPCP: I CONFACK [ACKsent] id 1 len 4
• *Mar 2 00:50:30.493: Se1/1 CDPCP: State is Open
PAP
• PPP has two different authentication methods.
• PAP stands for Password Authentication Protocol, which is a simple authentication method.
• PAP is considered an insecure method because the password is sent in clear text over the PPP link, and it has no protection against replay and brute force attacks.
• During the LCP phase both ends can negotiate the use of a specific authentication protocol; if that negotiation succeeds and LCP completes, a series of authentication messages is exchanged to identify the remote end.
• In our example R1 will request R2 to authenticate itself. If R2 agrees to the request, it sends both a username and a password to R1. R1 checks the credentials received from R2 against its configured username/password pairs or its AAA servers; if a match exists, the authentication phase completes successfully and the routers start NCP negotiations.
OPERATION VERIFICATION
OUTPUT OF DEBUG PPP NEGOTIATION ON R1
• !-- LCP is negotiating PAP as the authentication protocol
• *Mar 3 00:06:16.868: Se1/1 LCP: O CONFREQ [Closed] id 131 len 14
• *Mar 3 00:06:16.868: Se1/1 LCP: AuthProto PAP (0x0304C023)
• *Mar 3 00:06:16.872: Se1/1 LCP: MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
• *Mar 3 00:06:17.240: Se1/1 LCP: I CONFREQ [REQsent] id 175 len 10
• *Mar 3 00:06:17.240: Se1/1 LCP: MagicNumber 0x0717965F (0x05060717965F)
• *Mar 3 00:06:17.244: Se1/1 LCP: O CONFACK [REQsent] id 175 len 10
• *Mar 3 00:06:17.248: Se1/1 LCP: MagicNumber 0x0717965F (0x05060717965F)
• *Mar 3 00:06:17.252: Se1/1 LCP: I CONFACK [ACKsent] id 131 len 14
• *Mar 3 00:06:17.256: Se1/1 LCP: AuthProto PAP (0x0304C023)
• *Mar 3 00:06:17.256: Se1/1 LCP: MagicNumber 0x0A5F39F9 (0x05060A5F39F9)
• *Mar 3 00:06:17.260: Se1/1 LCP: State is Open
• !-- Authentication phase begins
• *Mar 3 00:06:17.260: Se1/1 PPP: Phase is AUTHENTICATING, by this end
• *Mar 3 00:06:17.532: Se1/1 PAP: I AUTH-REQ id 2 len 18 from "NPX"
• *Mar 3 00:06:17.536: Se1/1 PAP: Authenticating peer ROUTER2
• *Mar 3 00:06:17.536: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
• *Mar 3 00:06:17.544: Se1/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
• *Mar 3 00:06:17.556: Se1/1 PPP: Phase is FORWARDING, Attempting Forward
• *Mar 3 00:06:17.564: Se1/1 PPP: Phase is AUTHENTICATING, Authenticated User
• *Mar 3 00:06:17.580: Se1/1 PAP: O AUTH-ACK id 2 len 5
• *Mar 3 00:06:17.584: Se1/1 PPP: Phase is UP
• Note: R2 may refuse to use PAP for authentication using the command ppp pap refuse. Below is the debug output from R1 after applying this command on R2.
• *Mar 3 00:26:40.251: Se1/1 LCP: O CONFREQ [ACKsent] id 153 len 14
• *Mar 3 00:26:40.251: Se1/1 LCP: AuthProto PAP (0x0304C023)
• *Mar 3 00:26:40.251: Se1/1 LCP: MagicNumber 0x0A71E3C5 (0x05060A71E3C5)
• *Mar 3 00:26:40.271: Se1/1 LCP: I CONFREJ [ACKsent] id 153 len 8
• *Mar 3 00:26:40.275: Se1/1 LCP: AuthProto PAP (0x0304C023)
CHAP
• The second, and the more secure, authentication method in PPP is CHAP. CHAP stands for Challenge Handshake Authentication Protocol.
• If CHAP is negotiated successfully during the LCP phase, the authenticator sends a challenge message to the peer.
• The peer responds to the challenge with a value calculated through an MD5 function. The authenticator then verifies the received value against its own calculated value. If they match, the authentication is successful.
• In our example R1 is the authenticator and R2 is the authenticated peer. R1 sends a challenge to R2; R2 calculates a response from the challenge parameters and the username/password pair configured on R2 for R1.
• When R1 receives the response it verifies it against its own calculated value; if they match, authentication is successful. For a detailed description of this process see "Understanding and Configuring PPP CHAP Authentication".
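The following Python is an added example, not the slides' own material. It carries out the CHAP exchange described above between R1 (authenticator) and R2 (peer) using the hostnames and the password CISCO from the configuration on this page, and, for contrast with the PAP section, builds the PAP Authenticate-Request data to show that there the password crosses the link as a plain field. The function names and the in-memory username table are my own assumptions; the MD5 formula is the one specified in RFC 1994.

```python
import hashlib
import hmac
import os
import struct
from typing import Tuple

# Shared secret as configured on the page: 'username R2 password CISCO' on R1
# and 'username R1 password CISCO' on R2 (the two entries must match exactly).
SECRETS_ON_R1 = {"R2": b"CISCO"}   # R1's local username database (assumed layout)
R2_SECRET_FOR_R1 = b"CISCO"        # what R2 has configured for its peer R1


def chap_challenge(authenticator_name: str, ident: int = 1) -> Tuple[int, bytes, str]:
    """Authenticator (R1) step: a fresh, unpredictable challenge plus R1's own name.
    RFC 1994 requires each challenge value to be unique so responses cannot be replayed."""
    return ident, os.urandom(16), authenticator_name


def chap_response(ident: int, challenge: bytes, secret: bytes, peer_name: str) -> Tuple[bytes, str]:
    """Peer (R2) step: MD5 over Identifier || secret || Challenge (RFC 1994 section 4.1).
    The secret never leaves R2; only the 16-byte digest and R2's name are sent."""
    digest = hashlib.md5(struct.pack("!B", ident) + secret + challenge).digest()
    return digest, peer_name


def chap_verify(ident: int, challenge: bytes, response: bytes, peer_name: str) -> bool:
    """Authenticator (R1) step: look up the secret stored under the peer's name,
    recompute the digest and compare in constant time. An unknown name fails."""
    secret = SECRETS_ON_R1.get(peer_name)
    if secret is None:
        return False
    expected = hashlib.md5(struct.pack("!B", ident) + secret + challenge).digest()
    return hmac.compare_digest(expected, response)


def run_chap(peer_secret: bytes = R2_SECRET_FOR_R1, peer_name: str = "R2") -> bool:
    """Full three-way exchange: R1 challenges, R2 responds, R1 verifies."""
    ident, challenge, _r1_name = chap_challenge("R1")
    response, name = chap_response(ident, challenge, peer_secret, peer_name)
    return chap_verify(ident, challenge, response, name)


def pap_wire_payload(username: str, password: str) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): Peer-ID and Password as length-prefixed
    plain fields, which is why the page calls PAP insecure on an observable link."""
    u, p = username.encode(), password.encode()
    return struct.pack("!B", len(u)) + u + struct.pack("!B", len(p)) + p
```

A wrong case in the secret or a hostname that does not match the username entry fails verification, mirroring the case-sensitivity note in the configuration notes.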
R1 and R2 configuration:
• R1(config)#username R2 password CISCO
• R1(config)#int s1/1
• R1(config-if)#ppp authentication chap
• R2(config)#username R1 password CISCO
• This time I have removed the time stamps from the debug output to make it cleaner.
R1#debug ppp negotiation
• Se1/1 PPP: Phase is ESTABLISHING, Active Open
• Se1/1 LCP: O CONFREQ [Closed] id 14 len 15
• Se1/1 LCP: AuthProto CHAP (0x0305C22305)
• Se1/1 LCP: MagicNumber 0x0A98E027 (0x05060A98E027)
• Se1/1 LCP: I CONFREQ [REQsent] id 5 len 10
• Se1/1 LCP: MagicNumber 0x07513B3D (0x050607513B3D)
• Se1/1 LCP: O CONFACK [REQsent] id 5 len 10
• Se1/1 LCP: MagicNumber 0x07513B3D (0x050607513B3D)
• Se1/1 LCP: I CONFACK [ACKsent] id 14 len 15
• Se1/1 LCP: AuthProto CHAP (0x0305C22305)
• Se1/1 LCP: MagicNumber 0x0A98E027 (0x05060A98E027)
• Se1/1 LCP: State is Open
Configuration Notes:
• Each router must have a username/password command with the username configured as the hostname (case sensitive) of its peer.
• You can change the username (the hostname by default) sent by the CHAP process using the command ppp chap hostname, and the password using the command ppp chap password, under the interface configuration mode.
• R2 can be configured to refuse the CHAP authentication request using the command ppp chap refuse.