Friday, May 6, 2011

Unidirectional PPP PAP Authentication


Unidirectional PPP PAP authentication configuration on Client:
interface Serial0/0
 ip address 10.10.10.1 255.255.255.252
 encapsulation ppp
 ppp direction callout
 ppp pap sent-username Client password 0 cisco
Note: The ppp authentication pap interface subcommand is not required on Client.

Unidirectional PPP PAP authentication configuration on NAS:
username Client password 0 cisco
!
interface Serial0/0
 ip address 10.10.10.2 255.255.255.252
 encapsulation ppp
 ppp authentication pap [callin]
 ppp direction callin
Note: The callin keyword of the ppp authentication pap interface subcommand is optional.

A router configured with the ppp authentication pap interface subcommand will use PAP to verify the identity of the peer, which means that the peer must present its username and password to the local device for verification. The local device uses its local username-based authentication system to verify and authenticate the peer.

The function of the username {remote-username} password {passwd} statement is different for PAP and CHAP. With PAP, it is only used to verify that an incoming username and password are valid; whereas CHAP uses it to generate the response to a challenge and verify a response.

For one-way PAP authentication, the username {remote-hostname} password {passwd} statement is only required on the called device to verify the username and password sent by the calling device; whereas for two-way PAP authentication, it is required on both devices.

A router configured with the ppp authentication pap callin interface subcommand will only authenticate the peer during incoming calls; it will not authenticate the peer for outgoing calls.

The ppp pap sent-username {local-username} password {passwd} interface subcommand is configured on the calling device to authenticate itself to the remote called device. The remote device must have a matching username and password statement configured.

The ppp direction {callin | callout | dedicated} interface subcommand was introduced in Cisco IOS Release 12.2T. This command is useful when a router is connected to an interface type that has no inherent call direction, e.g. a back-to-back or leased-line connection.
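As an added illustration (not part of the original post), the following Python builds and parses the PAP packets behind the debug lines that follow: the LCP AuthProto option 0x0304C023, the 17-byte AUTH-REQ sent by "Client" with password "cisco", the 5-byte AUTH-ACK, and the 26-byte AUTH-NAK carrying "Authentication failed". A plain dict stands in for the NAS username database; note that the password is readable in the request bytes, which is why PAP, unlike CHAP, is a cleartext scheme.

```python
import struct

# PAP codes (RFC 1334) and the PPP protocol number PAP is negotiated with in LCP
PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
LCP_AUTH_PROTO_OPTION = 3
PPP_PROTO_PAP = 0xC023

def lcp_auth_proto_option(proto=PPP_PROTO_PAP):
    """LCP option 3 (Authentication-Protocol): type, length 4, protocol -> 0304C023 for PAP."""
    return struct.pack("!BBH", LCP_AUTH_PROTO_OPTION, 4, proto)

def build_auth_request(ident, peer_id, password):
    """Authenticate-Request: code, id, total length, then length-prefixed peer-id and password."""
    body = bytes([len(peer_id)]) + peer_id.encode() + bytes([len(password)]) + password.encode()
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body

def parse_auth_request(frame):
    """Recover the cleartext credentials from an Authenticate-Request (what any on-path observer sees)."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQ or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    n = frame[4]
    peer_id = frame[5:5 + n].decode()
    m = frame[5 + n]
    password = frame[6 + n:6 + n + m].decode()
    if 6 + n + m != length:
        raise ValueError("peer-id/password lengths do not match packet length")
    return ident, peer_id, password

def build_auth_reply(code, ident, message=""):
    """Authenticate-Ack/Nak: code, id, length, msg-length, message (empty message -> len 5)."""
    msg = message.encode()
    return struct.pack("!BBH", code, ident, 5 + len(msg)) + bytes([len(msg)]) + msg

def authenticate(frame, local_users):
    """Called-side check, like the NAS 'username ... password ...' lookup: ACK on match, NAK otherwise."""
    ident, peer_id, password = parse_auth_request(frame)
    if local_users.get(peer_id) == password:
        return build_auth_reply(PAP_AUTH_ACK, ident)
    return build_auth_reply(PAP_AUTH_NAK, ident, "Authentication failed")

if __name__ == "__main__":
    # Constructed sample: the Client from the post authenticating to the NAS.
    req = build_auth_request(25, "Client", "cisco")
    print("AUTH-REQ len", len(req), "hex", req.hex())   # password bytes are plainly visible
    print("ACK len", len(authenticate(req, {"Client": "cisco"})))
    print("NAK len", len(authenticate(req, {"Client": "other"})))
```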

Below is the output of the PPP authentication debug messages for a successful unidirectional PAP authentication on Client:
Client#sh debug
PPP:
  PPP authentication debugging is on
  PPP protocol negotiation debugging is on

Client#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Client(config)#int s1/0
Client(config-if)#no shut
Client(config-if)#
00:07:14: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
00:07:14: Se0/0 PPP: Using configured call direction
00:07:14: Se0/0 PPP: Treating connection as a callout
00:07:14: Se0/0 PPP: Session handle[5A000003] Session id[25]
00:07:14: Se0/0 PPP: Phase is ESTABLISHING, Active Open
00:07:14: Se0/0 PPP: Authorization required
00:07:14: Se0/0 PPP: No remote authentication for call-out
00:07:14: Se0/0 LCP: O CONFREQ [Closed] id 25 len 10
00:07:14: Se0/0 LCP:    MagicNumber 0x0013D707 (0x05060013D707)
00:07:14: Se0/0 LCP: I CONFREQ [REQsent] id 83 len 14
00:07:14: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:07:14: Se0/0 LCP:    MagicNumber 0x0113BFC6 (0x05060113BFC6)
00:07:14: Se0/0 LCP: O CONFACK [REQsent] id 83 len 14
00:07:14: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:07:14: Se0/0 LCP:    MagicNumber 0x0113BFC6 (0x05060113BFC6)
00:07:14: Se0/0 LCP: I CONFACK [ACKsent] id 25 len 10
00:07:14: Se0/0 LCP:    MagicNumber 0x0013D707 (0x05060013D707)
00:07:14: Se0/0 LCP: State is Open
00:07:14: Se0/0 PPP: No authorization without authentication
00:07:15: Se0/0 PPP: Phase is AUTHENTICATING, by the peer
00:07:15: Se0/0 PAP: Using hostname from interface PAP
00:07:15: Se0/0 PAP: Using password from interface PAP
00:07:15: Se0/0 PAP: O AUTH-REQ id 25 len 17 from "Client"
00:07:15: Se0/0 PAP: I AUTH-ACK id 25 len 5
00:07:15: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:07:15: Se0/0 PPP: Queue IPCP code[1] id[1]
00:07:15: Se0/0 PPP: Phase is ESTABLISHING, Finish LCP
00:07:15: Se0/0 PPP: Phase is UP
00:07:15: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
00:07:15: Se0/0 IPCP:    Address 10.10.10.1 (0x03060A0A0A01)
00:07:15: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
00:07:15: Se0/0 PPP: Process pending ncp packets
00:07:15: Se0/0 IPCP: Redirect packet to Se1/0
00:07:15: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
00:07:15: Se0/0 IPCP:    Address 10.10.10.2 (0x03060A0A0A02)
00:07:15: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
00:07:15: Se0/0 IPCP:    Address 10.10.10.2 (0x03060A0A0A02)
00:07:15: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
00:07:15: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
00:07:15: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
00:07:15: Se0/0 IPCP:    Address 10.10.10.1 (0x03060A0A0A01)
00:07:15: Se0/0 IPCP: State is Open
00:07:15: Se0/0 IPCP: Add link info for cef entry 10.1.1.2
00:07:15: Se0/0 IPCP: Install route to 10.1.1.2
00:07:15: Se0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
00:07:15: Se0/0 CDPCP: State is Open
00:07:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Client(config-if)#

Below is the output of the PPP authentication debug messages for a successful unidirectional PAP authentication on NAS:
NAS#
00:07:08: Se0/0 LCP: I CONFREQ [Listen] id 25 len 10
00:07:08: Se0/0 LCP:    MagicNumber 0x0013D707 (0x05060013D707)
00:07:08: Se0/0 PPP: Authorization required
00:07:08: Se0/0 LCP: O CONFREQ [Listen] id 83 len 14
00:07:08: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:07:08: Se0/0 LCP:    MagicNumber 0x0113BFC6 (0x05060113BFC6)
00:07:08: Se0/0 LCP: O CONFACK [Listen] id 25 len 10
00:07:08: Se0/0 LCP:    MagicNumber 0x0013D707 (0x05060013D707)
00:07:09: Se0/0 LCP: I CONFACK [ACKsent] id 83 len 14
00:07:09: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:07:09: Se0/0 LCP:    MagicNumber 0x0113BFC6 (0x05060113BFC6)
00:07:09: Se0/0 LCP: State is Open
00:07:09: Se0/0 PPP: Phase is AUTHENTICATING, by this end
00:07:09: Se0/0 PAP: I AUTH-REQ id 25 len 17 from "Client"
00:07:09: Se0/0 PAP: Authenticating peer Client
00:07:09: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:07:09: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
00:07:09: Se0/0 PPP: Sent PAP LOGIN Request
00:07:09: Se0/0 PPP: Received LOGIN Response PASS
00:07:09: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:07:09: Se0/0 PPP: Phase is AUTHENTICATING, Authenticated User
00:07:09: Se0/0 PPP: Sent LCP AUTHOR Request
00:07:09: Se0/0 PPP: Sent IPCP AUTHOR Request
00:07:09: Se0/0 LCP: Received AAA AUTHOR Response PASS
00:07:09: Se0/0 IPCP: Received AAA AUTHOR Response PASS
00:07:09: Se0/0 PAP: O AUTH-ACK id 25 len 5
00:07:09: Se0/0 PPP: Phase is UP
00:07:09: Se0/0 IPCP: O CONFREQ [Closed] id 1 len 10
00:07:09: Se0/0 IPCP:    Address 10.10.10.2 (0x03060A0A0A02)
00:07:09: Se0/0 PPP: Sent CDPCP AUTHOR Request
00:07:09: Se0/0 PPP: Process pending ncp packets
00:07:09: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
00:07:09: Se0/0 CDPCP: O CONFREQ [Closed] id 1 len 4
00:07:09: Se0/0 IPCP: I CONFREQ [REQsent] id 1 len 10
00:07:09: Se0/0 IPCP:    Address 10.10.10.1 (0x03060A0A0A01)
00:07:09: Se0/0 AAA/AUTHOR/IPCP: Start.  Her address 10.1.1.1, we want 0.0.0.0
00:07:09: Se0/0 PPP: Sent IPCP AUTHOR Request
00:07:09: Se0/0 AAA/AUTHOR/IPCP: Reject 10.1.1.1, using 0.0.0.0
00:07:09: Se0/0 AAA/AUTHOR/IPCP: Done.  Her address 10.1.1.1, we want 0.0.0.0
00:07:09: Se0/0 IPCP: O CONFACK [REQsent] id 1 len 10
00:07:09: Se0/0 IPCP:    Address 10.10.10.1 (0x03060A0A0A01)
00:07:09: Se0/0 CDPCP: I CONFREQ [REQsent] id 1 len 4
00:07:09: Se0/0 CDPCP: O CONFACK [REQsent] id 1 len 4
00:07:09: Se0/0 IPCP: I CONFACK [ACKsent] id 1 len 10
00:07:09: Se0/0 IPCP:    Address 10.10.10.2 (0x03060A0A0A02)
00:07:09: Se0/0 IPCP: State is Open
00:07:09: Se0/0 CDPCP: I CONFACK [ACKsent] id 1 len 4
00:07:09: Se0/0 CDPCP: State is Open
00:07:09: Se0/0 IPCP: Add link info for cef entry 10.1.1.1
00:07:09: Se0/0 IPCP: Install route to 10.1.1.1
00:07:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
NAS#

Below is the output of the PPP authentication debug messages for a failed unidirectional PAP authentication (wrong username and password statement configured on NAS) on Client and NAS:
Client(config-if)#no shut
Client(config-if)#
00:12:38: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
00:12:38: Se0/0 LCP: State is Listen
00:12:38: Se0/0 LCP: State is Open
00:12:38: Se0/0 PPP: No authorization without authentication
00:12:38: Se0/0 PPP: Phase is AUTHENTICATING, by the peer
00:12:38: Se0/0 PAP: Using hostname from interface PAP
00:12:38: Se0/0 PAP: Using password from interface PAP
00:12:38: Se0/0 PAP: O AUTH-REQ id 40 len 17 from "Client"
00:12:39: Se0/0 PAP: I AUTH-NAK id 40 len 26 msg is "Authentication failed"
00:12:39: Se0/0 LCP: I TERMREQ [Open] id 134 len 4
00:12:39: Se0/0 LCP: O TERMACK [Open] id 134 len 4
00:12:39: Se0/0 PPP: Sending Acct Event[Down] id[29]
00:12:39: Se0/0 PPP: Phase is TERMINATING
00:12:41: Se0/0 LCP: TIMEout: State TERMsent
00:12:41: Se0/0 LCP: State is Closed
00:12:41: Se0/0 PPP: Phase is DOWN
--------------------------------------------------
NAS#
00:12:30: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
00:12:30: Se0/0 LCP: State is Listen
00:12:32: Se0/0 LCP: TIMEout: State Listen
00:12:32: Se0/0 PPP: Authorization required
00:12:32: Se0/0 LCP: State is Open
00:12:32: Se0/0 PPP: Phase is AUTHENTICATING, by this end
00:12:32: Se0/0 PAP: I AUTH-REQ id 40 len 17 from "Client"
00:12:32: Se0/0 PAP: Authenticating peer Client
00:12:32: Se0/0 PPP: Phase is FORWARDING, Attempting Forward
00:12:32: Se0/0 PPP: Phase is AUTHENTICATING, Unauthenticated User
00:12:32: Se0/0 PPP: Sent PAP LOGIN Request
00:12:32: Se0/0 PPP: Received LOGIN Response FAIL
00:12:32: Se0/0 PAP: O AUTH-NAK id 40 len 26 msg is "Authentication failed"
00:12:32: Se0/0 PPP: Sending Acct Event[Down] id[28]
00:12:32: Se0/0 PPP: Phase is TERMINATING
00:12:32: Se0/0 LCP: O TERMREQ [Open] id 134 len 4
00:12:33: Se0/0 LCP: I TERMACK [TERMsent] id 134 len 4
00:12:33: Se0/0 LCP: State is Closed
00:12:33: Se0/0 PPP: Phase is DOWN

2 comments:

  1. Really really good, thx a lot. After reading this article, I've solved my problem.