PPP Authentication PAP

Ok, I have a simple, but strange one here...

Configuring PPP with PAP and CHAP on two 2600 routers...However, when I use PAP, the line doesn't come up, with CHAP it's fine...

If i change the line "ppp authentication pap" to "ppp authentication chap"...boom, it comes up!!

Configs...

hostname 2610
username 2621 password 0 creamed
!
interface Serial0/0
 ip address 192.168.99.1 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 clockrate 64000
 ppp authentication pap

hostname 2621
username 2610 password 0 creamed
!
interface Serial0/0
 ip address 192.168.99.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication pap

So, as i said if i change the encap from pap to chap, it comes up...am i missing something or is something screwed with routers?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

mikearama

Config looks good.

hey, with chap running, how about turning on debugging, then go back to pap, and we'll see where the process fails...

debug ppp negotiation
debug ppp authentication

Post us up the results... could be interesting.

Mike

mikearama

Ah... different user names. Don't they need to be identical?

IE, you have
username 2621 on one,
and username 2610 on the other.

Match them up.

Or, make sure you have username 2621 AND username 2610 entered on both systems.

Mike

r_durant

Well, remember it works with CHAP...

But i think you should have the username of the remote router on the local router, i think that only the passwords should be identical...So you're saying put both?

Here's a caption of what the debugs outputted from the 2610...it was scrolling too fast for me to capture it from the beginning...

0:55:36: Se0/0 LCP: I CONFREQ [REQsent] id 169 len 14
00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:36: Se0/0 LCP:    MagicNumber 0x0416E44D (0x05060416E44D)
00:55:36: Se0/0 LCP: O CONFREJ [REQsent] id 169 len 8
00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:36: Se0/0 LCP: I CONFREJ [REQsent] id 58 len 8
00:55:36: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:36: Se0/0 LCP: Failed to negotiate with peer
00:55:36: Se0/0 LCP: State is Closed
00:55:36: Se0/0 PPP: Phase is DOWN
00:55:36: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
00:55:36: Se0/0 LCP: State is Listen
00:55:38: Se0/0 LCP: I CONFREQ [Listen] id 170 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREQ [Listen] id 59 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: O CONFREJ [Listen] id 170 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 59 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 60 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 171 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 171 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 60 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 61 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 172 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 172 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 61 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 62 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 173 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 173 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 62 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 63 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 174 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 174 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFNAK [REQsent] id 63 len 9
00:55:38: Se0/0 LCP:    AuthProto CHAP (0x0305C22305)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 64 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 175 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 175 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 64 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 65 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 176 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 176 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 65 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 66 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 177 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 177 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 66 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 67 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 178 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 178 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 67 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 68 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 179 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 179 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 68 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: O CONFREQ [REQsent] id 69 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0565A768 (0x05060565A76[IMG]https://us.v-cdn.net/6030959/uploads/images/smilies/icon_cool.gif[/IMG]
00:55:38: Se0/0 LCP: I CONFREQ [REQsent] id 180 len 14
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP:    MagicNumber 0x0416ECAB (0x05060416ECAB)
00:55:38: Se0/0 LCP: O CONFREJ [REQsent] id 180 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: I CONFREJ [REQsent] id 69 len 8
00:55:38: Se0/0 LCP:    AuthProto PAP (0x0304C023)
00:55:38: Se0/0 LCP: Failed to negotiate with peer
00:55:38: Se0/0 LCP: State is Closed
00:55:38: Se0/0 PPP: Phase is DOWN
00:55:38: Se0/0 PPP: Phase is ESTABLISHING, Passive Open
00:55:38: Se0/0 LCP: State is Listen
00:55:40: Se0/0 LCP: TIMEout: State Listen

r_durant

mikearama wrote:

Ah... different user names. Don't they need to be identical?

IE, you have
username 2621 on one,
and username 2610 on the other.

Match them up.

Or, make sure you have username 2621 AND username 2610 entered on both systems.

Mike

Ok, i put both username/password on each router...no dice

georgemc

On the client side (PAP requires a client and a server) try adding:

PPP PAP SENT-USERNAME <your_hostname> PASSWORD <password>

On the server side use:

USERNAME <remote_hostname> PASSWORD <matching_password>

Let me know how this works out.

George

r_durant

georgemc wrote:

On the client side (PAP requires a client and a server) try adding:

PPP PAP SENT-USERNAME <your_hostname> PASSWORD <password>

On the server side use:

USERNAME <remote_hostname> PASSWORD <matching_password>

Let me know how this works out.

George

Hey George, it still didn't work...

On the client side...

!
interface Serial0/0
 ip address 192.168.99.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username 2621 password 7 15100E000D2F3D21
!

Also, I noticed that the client side password is encrypted and the server side isn't, i tried using "..password 0.." for unencrypted, but it still shows as 7-encrypted...

Server side...

username 2621 password 0 believe
!
interface Serial0/0
 ip address 192.168.99.1 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 clockrate 64000
 ppp authentication pap

From the 'debug ppp auth', i just get this...just this one line and nothing else...it just seems as though there's no pap authentication traversing the line at all...

01:54:05: Se0/0 PPP: Treating connection as a dedicated line

Long shot, but could it be something to do with the username being all numeric? I'll try changing the hostname to alpha and see what happens...

dtlokee

r_durant wrote:
georgemc wrote:

On the client side (PAP requires a client and a server) try adding:

PPP PAP SENT-USERNAME <your_hostname> PASSWORD <password>

On the server side use:

USERNAME <remote_hostname> PASSWORD <matching_password>

Let me know how this works out.

George

Hey George, it still didn't work...

On the client side...
!
interface Serial0/0
 ip address 192.168.99.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username 2621 password 7 15100E000D2F3D21
!
Also, I noticed that the client side password is encrypted and the server side isn't, i tried using "..password 0.." for unencrypted, but it still shows as 7-encrypted...

Server side...
username 2621 password 0 believe
!
interface Serial0/0
 ip address 192.168.99.1 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 clockrate 64000
 ppp authentication pap
From the 'debug ppp auth', i just get this...just this one line and nothing else...it just seems as though there's no pap authentication traversing the line at all...
01:54:05: Se0/0 PPP: Treating connection as a dedicated line
Long shot, but could it be something to do with the username being all numeric? I'll try changing the hostname to alpha and see what happens...

You're configuring each router to authenticate the other o you'll need to set the "ppp pap sent-username" command on both sides

georgemc

dtlokee wrote:

You're configuring each router to authenticate the other o you'll need to set the "ppp pap sent-username" command on both sides

DOH!

Yeah, what he said. I was thinking one-way authentication (with the PPP AUTHENTICATION PAP removed on the client side). You'd prefer to use two-way authentication as DT described above.

George

r_durant

Wow...that worked Derek!!

But this has totally thrown me off...it's not mentioned in any of the texts!!

Both texts just have the username/password that is set in global config mode...and skimming thru the texts quickly, i don't even see anything mentioned about "ppp pap sent-username.."

I've got to wonder about these texts sometimes...

So just for those interested, this was the final config on the serial interfaces...

hostname RouterB
!
username RouterA password work
!
interface Serial0/0
 ip address 192.168.99.1 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 clockrate 64000
 ppp authentication pap
 ppp pap sent-username RouterB password work  #this password will be displayed encrypted

hostname RouterA
!
username RouterB password work
!
interface Serial0/0
 ip address 192.168.99.2 255.255.255.252
 no ip directed-broadcast
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username RouterA password work  #this password will be displayed encrypted

dtlokee

Well the explaination is like this: the "ppp authentication pap" on an interface tells the router you want it to authenticate any connection attempts. If you pt this on one router only (in the case of a dial in server for an ISP let's say) that router will request auhentcation from the other router. If you put it on both sides as you did, you're telling both sides to authenticate the other side, this will require the "ppp pap sent-username" on both sides. This is always the case for CHAP, which is mutual authentication and requires both sides authenticate the other side as part of the process.

r_durant

Well, that's understood now...but my thing is, the texts don't mention this!! So i was following what the texts have, and that just to set the remote router's username (hostname) and password in global config and the only other configs were on the serial interface...

The CHAP config worked fine, as stated in the texts, but the PAP was way off...

Has anyone else experience this? or just me?

Cessation

This is great information!

jezg76

Quick question on that command. I've been using dynamips with 2 7200 IOS's configured on each "router". When I do the "ppp authentication pap" on both routers, the link comes up with no "ppp pap sent-username" needed for the link to come up. Is that due to the specific IOS?

Thanks in advance.

NM....I may have been born with a bit of retardation....

I broke it then fixed it the way you smart guys said. I had to shutdown the interface and bring it back up after I removed the previous PAP settings. I still am not 100% sure which commands need you to "shutdown-no shutdown" after making changes....

r_durant

jezg76 wrote:

Quick question on that command. I've been using dynamips with 2 7200 IOS's configured on each "router". When I do the "ppp authentication pap" on both routers, the link comes up with no "ppp pap sent-username" needed for the link to come up.

This is how I originally thought it would work, but it didn't work with the two 2600 series I had...one is 2610 and the other is a 2620...I think they have on IOS 12.0(7)...not sure, would have to verify tomorrow when i get back to work...

Maybe you're right...someone could confirm your question...

In the second part of your post, are you asking what are the commands to shutdown and then enable an interface? If so, then "shutdown" and "no shutdown" should do the trick...