Configuring PPP with Authentication

PAP and CHAP

One of the many features of PPP is that it performs Layer 2 authentication in addition to other layers of authentication, encryption, access control, and general security procedures.
Before Network Layer protocols are allowed to transmit over a link, PPP will spell out an extensible link control protocol that will make room for negotiation of an authentication protocol. This is defined in the RFC 1134.
The authentication phase of a PPP session is optional. If used, you can authenticate the peer after the LCP establishes the link and choose the authentication protocol. If it is used, authentication takes place before the Network layer protocol configuration phase begins.

The authentication options require that the calling side of the link enter authentication information. This helps to ensure that the user has the permission of the network administrator to make the call. Peer routers exchange authentication messages

 

SUMMARY
After enabling CHAP or PAP authentication, or both, the local or HQ router requires the remote device to prove its identity before allowing data traffic to flow.
i.  PAP authentication requires the remote device to send a username and password to be checked against a matching entry in the local username database or in the remote TACACS/TACACS+ database.

ii.  CHAP authentication sends a challenge to the remote device. The remote device must encrypt the challenge value with a shared secret and return the encrypted value and its name to the local router in a response message. The local router uses the name of the remote device to look up the appropriate secret in the local username or remote TACACS/TACACS+ database. It uses the looked-up secret to encrypt the original challenge and verify that the encrypted values match.