PAP and CHAP Enable PPP encapsulation and PAP authentication - PowerPoint PPT Presentation

Provided by: nlfaculty

1
PAP and CHAP
  • Enable PPP encapsulation and PAP authentication
    with the following commands:
  • Router(config-if)#encapsulation ppp
    Router(config-if)#ppp authentication pap

2
PAP and CHAP
  • You must also configure the router with a local
    username/password database, or point it to a
    network host that has that information (such as a
    TACACS server). Without access to a
    username/password database, the router won't know
    which combinations are authorized and will deny
    all login attempts.

3
PAP and CHAP
  • You can configure a local username/password
    database by using the following command in global
    configuration mode:
  • Router(config)#username username password password

4
PAP and CHAP
  • In some cases, you must also configure a router's
    asynchronous interface to place calls to other
    access servers. If you want to configure an
    interface to respond to a peer's request to
    authenticate with PAP, you must use the ppp pap
    sent-username command:
  • Router(config-if)#ppp pap sent-username username password password

5
Configuring CHAP
  • When using CHAP authentication, the access server
    sends a challenge message to the remote node
    after the PPP link is established.
  • The remote node responds with a value calculated
    by using a one-way hash function, typically
    Message Digest 5 (MD5). The access server checks
    the response against its own calculation of the
    expected hash value. If the values match, the
    authentication is acknowledged.

6
Configuring CHAP
  • Configure PPP and CHAP authentication using the
    following commands:
  • Router(config-if)#encapsulation ppp
    Router(config-if)#ppp authentication chap
  • You can enable both PAP and CHAP authentication
    on an interface. The first method specified is
    requested during link negotiation. If the peer
    suggests using the second method or simply
    refuses the first method, then the second method
    will be tried.

7
Configuring CHAP
  • This command can be useful, because some remote
    devices support CHAP only and some PAP only. The
    commands are as follows:
  • Router(config-if)#ppp authentication pap chap
  • And, alternately:
  • Router(config-if)#ppp authentication chap pap

8
PPP Callback
  • PPP callback is an LCP option used over dialup
    links. PPP callback provides a client/server
    relationship between the endpoints of a
    point-to-point connection.
  • PPP callback allows a dialup client to request
    that a dialup server call the client back. The
    callback feature can be used to control access
    and toll costs between hosts.

9
PPP Callback
  • Both routers on a point-to-point link must be
    configured for PPP callback: one must function as
    a callback client, and one must be configured as
    a callback server. The callback client must be
    configured to initiate PPP callback requests, and
    the callback server must be configured to accept
    PPP callback requests and place return calls.

10
PPP Callback
  • The asynchronous callback feature supports EXEC,
    PPP, and ARAP sessions. The main motivation for
    callback is for telephone bill consolidation and
    dialup cost savings.
  • It is not necessarily a security feature;
    however, if the callback number is assigned in
    the authentication database, security is enforced
    because callbacks are made only to assigned
    telephone numbers.

11
PPP Callback
  • The incoming calls go through the normal login
    process and must pass authentication before
    callback can occur.
  • To make callback work properly, you must make
    sure that callback is configured for each
    autoselect protocol that is defined for any given
    remote user. Otherwise, the remote dial-in
    autoselect process may work, but no callback
    occurs.

13
PPP Callback
  • To configure a router as a callback server, use
    the commands shown.
  • Server(config)#interface async 1
    Server(config-if)#ip address 10.1.1.1 255.255.255.0
    Server(config-if)#encapsulation ppp
    Server(config-if)#ppp authentication chap

14
PPP Callback
  • Note that to use callback, you must also use PPP
    authentication. The asynchronous interface can
    then be configured with basic DDR commands:
  • Server(config-if)#dialer in-band
    Server(config-if)#dialer-group 1

15
PPP Callback
  • Finally, PPP callback is configured with these
    commands:
  • Server(config)#username Client password itsasecret
    Server(config)#map-class dialer DIALBACK
    Server(config-map-class)#dialer callback-server username
    Server(config-map-class)#exit

16
PPP Callback
  • The username command creates an entry for the
    remote host in the Server's local password
    database. The map-class command creates a dialer
    configuration called DIALBACK that can be applied
    to calls on an individual basis with the dialer
    map command.

17
PPP Callback
  • In this case, DIALBACK will apply the dialer
    callback-server username command, which enables
    an interface to make return calls when callback
    is successfully negotiated.

18
PPP Callback
  • PPP callback configuration is completed by the
    following required commands:
  • Server(config)#interface async 1
    Server(config-if)#ppp callback accept
    Server(config-if)#dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002

19
PPP Callback
  • The ppp callback accept command enables PPP
    callback. The dialer map statement links the
    callback client's IP address, username, phone
    number, and DIALBACK map class (thus applying the
    dialer callback-server username configuration).
  • Note that a dialup interface cannot be configured
    to be both a callback server and a callback
    client simultaneously.

20
PPP Callback
  • Server(config-if)#dialer callback-secure
  • This command affects those users that are not
    authorized to be called back with the dialer
    callback-server command. If the username (as
    specified in the dialer map command) is not
    authorized for callback, the call will be
    disconnected if the dialer callback-secure
    command is configured.

21
PPP Callback
  • If the dialer callback-secure command is not
    configured, the call will not be disconnected. In
    either case, callback has not occurred.
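
An added example, not from the original presentation: an offline check of a saved configuration against three points these slides make (a PPP interface needs ppp authentication, the first listed method is the one requested first, and a callback server without dialer callback-secure leaves unauthorized callers connected). The sample configuration, the function names and the finding codes are constructed for illustration.

```python
# Constructed sample configuration, in the layout of a saved running-config.
SAMPLE_CONFIG = """\
interface Async1
 encapsulation ppp
 ppp authentication pap chap
 ppp callback accept
!
interface Async2
 encapsulation ppp
 ppp authentication chap
 ppp callback accept
 dialer callback-secure
!
interface Serial0
 encapsulation ppp
"""

def split_interfaces(config):
    """Group indented sub-commands under their 'interface' line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None   # '!' or a global command ends the interface block
    return blocks

def audit(config):
    """Return (interface, finding-code) pairs for PPP interfaces."""
    findings = []
    for name, cmds in split_interfaces(config).items():
        if "encapsulation ppp" not in cmds:
            continue
        auth = [c.split()[2:] for c in cmds if c.startswith("ppp authentication ")]
        methods = auth[0] if auth else []
        if not methods:
            findings.append((name, "no-auth"))
        elif methods[0] == "pap":
            # PAP carries the password in clear text, so CHAP should be requested first.
            findings.append((name, "pap-first"))
        if "ppp callback accept" in cmds and "dialer callback-secure" not in cmds:
            findings.append((name, "callback-not-secure"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```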

22
Configuring the Callback Client
  • Configuring a router as a callback client
    requires the ppp callback request command, as
    shown in Figure 1.

25
Data Compression
  • PPP can also maximize performance by using data
    compression, which may provide higher data
    throughput across low-speed links.
  • Compression is an option that is negotiated by
    LCP.

26
Data Compression
  • Trying to compress already compressed data can
    take longer than transferring the data without
    compression.
  • Typically, you should only configure compression
    on low-speed links because the router compresses
    data using software, which requires router CPU
    time and memory.

27
Data Compression
  • Cisco recommends that you disable compression if
    CPU load exceeds 65 percent. To display the CPU
    load, use the show process cpu command. To
    display memory utilization, use the show
    processes memory command.

28
Data Compression
  • Predictor compression is recommended when the
    bottleneck is caused by high load on the router;
    Stacker compression is recommended when the
    bottleneck is caused by a line's bandwidth
    limitations.
  • Configuring PPP for compression is simple: in
    interface configuration mode, issue the compress
    predictor, compress stac, compress mppc, or ip
    tcp header-compression command on both sides of
    the link.

29
Data Compression
  • Configure TCP header compression using the
    command ip tcp header-compression. Optionally,
    the ip tcp header-compression passive command
    specifies that TCP header compression is not
    required, but will be used if the router receives
    compressed headers from its link partner.
  • You can use the show compress command in
    privileged EXEC mode to view compression
    statistics.

30
PPP MULTILINK
  • Multilink PPP (MLP) is an LCP option that
    provides load balancing over multiple interfaces,
    including ISDN, synchronous, and asynchronous
    interfaces.
  • MLP can improve throughput and reduce latency
    between systems by splitting Layer 3 packets and
    sending the fragments over parallel circuits.

32
PPP MULTILINK
  • It is important to remember that MLP works by
    splitting packets into fragments, not by
    load-balancing complete packets to a destination.
  • Prior to the adoption of MLP there was no
    standardized way to use both of the ISDN BRI B
    channels and ensure proper sequencing.

33
PPP MULTILINK
  • Typically, you should use MLP with applications
    in which bandwidth requirements are dynamic, such
    as remote LAN access applications for
    telecommuters or small office, home office (SOHO)
    environments. When user traffic exceeds a
    predefined threshold, an additional physical link
    (such as a B channel) can be brought up to handle
    the burst of traffic.

34
PPP MULTILINK
  • The ppp multilink command activates multilink on
    an interface:
  • Router(config-if)#ppp multilink

35
Verifying and Troubleshooting PPP
  • One way to determine whether PAP or CHAP
    authentication succeeded is to use the show
    dialer command. This command can be used to view
    the status of asynchronous dialup connections.
  • If the show dialer command output displays the
    name of the remote router, it means that
    authentication was successful, as shown in the
    "Connected to 5551234 (SanJose1)" line in Figure
    1.

37
Verifying and Troubleshooting PPP
  • You can check the show dialer command on both
    routers to verify that the name of the other
    router is displayed. If it is, then you know that
    PAP or CHAP authentication worked. The show
    dialer command output will also indicate whether
    a line is a member of an MLP bundle, as shown in
    Figure 1.
  • The debug dialer command can also be used to
    troubleshoot misconfiguration problems.

38
Verifying and Troubleshooting PPP
  • The debug ppp negotiation command is an excellent
    tool for troubleshooting the PPP LCP activities
    such as authentication, compression, and MLP.
  • When the LCP is in OPEN state, the NCP
    negotiation takes place. For PPP to work, LCP
    options must be negotiated before any NCP
    activities take place.
  • The debug ppp negotiation command allows you to
    observe negotiation of the following:

39
Verifying and Troubleshooting PPP
  • CHAP authentication.
  • Compression Control Protocol (CCP).
  • NCP protocols: IPCP, IPXCP, ATCP, etc.

40
Verifying and Troubleshooting PPP
  • When specifically debugging CHAP or PAP
    authentication, the debug ppp authentication
    command can be used in place of debug ppp
    negotiation. The debug ppp authentication command
    gives you the same output as debug ppp
    negotiation, but that output is limited to CHAP
    and PAP authentication events.

41
Verifying and Troubleshooting PPP
  • Because debugging output is assigned a high
    priority in the CPU process, it can render the
    system unusable. For this reason, use debug
    commands only to troubleshoot specific problems
    or during troubleshooting sessions with Cisco
    technical support staff.
