pap and chap uploaded by sushil sharma
TRANSCRIPT
7/29/2019 Pap and Chap Uploaded by Sushil Sharma
http://slidepdf.com/reader/full/pap-and-chap-uploaded-by-sushil-sharma 1/42
PAP and CHAP
Enable PPP encapsulation and PAP authentication with the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap
PAP and CHAP
You must also configure the router with a local username/password database, or point it to a network host that has that information (such as a TACACS+ server). Without access to a username/password database, the router won't know which combinations are authorized and will deny all login attempts.
PAP and CHAP
You can configure a local username/password database by using the following command in global configuration mode:
Router(config)#username username password password
PAP and CHAP
In some cases, you must also configure a router's asynchronous interface to place calls to other access servers. If you want to configure an interface to respond to a peer's request to authenticate with PAP, you must use the ppp pap sent-username command:
Router(config-if)#ppp pap sent-username username password password
Configuring CHAP
When using CHAP authentication, the access server sends a challenge message to the remote node after the PPP link is established. The remote node responds with a value calculated by using a one-way hash function, typically Message Digest 5 (MD5). The access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged.
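The challenge/response exchange described above, as an added Python example that is not part of the original slides. It assumes the RFC 1994 MD5 construction (hash over identifier, shared secret, challenge) and reuses the Client/itsasecret credentials from the callback slides as sample data; the class and function names are hypothetical.

```python
# Added example: CHAP challenge/response as described on the slide.
# Assumption: RFC 1994 MD5 construction. All names here are hypothetical.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the remote node returns: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class AccessServer:
    """Authenticator side; holds the username/password database."""

    def __init__(self, users):
        self.users = users      # username -> shared secret (bytes)
        self.pending = {}       # identifier -> challenge awaiting a response
        self.next_id = 0

    def send_challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)      # fresh and unpredictable per attempt
        self.pending[ident] = challenge
        return ident, challenge

    def check_response(self, ident, name, value):
        # Each challenge is consumed once, so a captured response cannot be replayed.
        challenge = self.pending.pop(ident, None)
        secret = self.users.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, value)  # constant-time comparison


def demo():
    server = AccessServer({"Client": b"itsasecret"})  # constructed sample database
    ident, chal = server.send_challenge()
    value = chap_response(ident, b"itsasecret", chal)
    accepted = server.check_response(ident, "Client", value)
    replayed = server.check_response(ident, "Client", value)  # challenge already used
    ident2, chal2 = server.send_challenge()
    wrong = server.check_response(ident2, "Client", chap_response(ident2, b"guess", chal2))
    return accepted, replayed, wrong
```

The shared secret never crosses the link; only the challenge and the 16-byte hash value do.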
Configuring CHAP
Configure PPP and CHAP authentication using the following commands:
Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap
You can enable both PAP and CHAP authentication on an interface. The first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.
Configuring CHAP
This command can be useful, because some remote devices support CHAP only and some PAP only. The commands are as follows:
Router(config-if)#ppp authentication pap chap
And, alternately:
Router(config-if)#ppp authentication chap pap
PPP Callback
PPP callback is an LCP option used over dialup links. PPP callback provides a client/server relationship between the endpoints of a point-to-point connection.
PPP callback allows a dialup client to request that a dialup server call the client back. The callback feature can be used to control access and toll costs between hosts.
PPP Callback
Both routers on a point-to-point link must be configured for PPP callback; one must function as a callback client, and one must be configured as a callback server. The callback client must be configured to initiate PPP callback requests, and the callback server must be configured to accept PPP callback requests and place return calls.
PPP Callback
The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is for telephone bill consolidation and dialup cost savings.
It is not necessarily a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers.
PPP Callback
The incoming calls go through the normal login process and must pass authentication before callback can occur.
To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.
PPP Callback
To configure a router as a callback server, use the commands shown.
Server(config)#interface async 1
Server(config-if)#ip address 10.1.1.1 255.255.255.0
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication chap
PPP Callback
Note that to use callback, you must also use PPP authentication. The asynchronous interface can then be configured with basic DDR commands:
Server(config-if)#dialer in-band
Server(config-if)#dialer-group 1
PPP Callback
Finally, PPP callback is configured with these commands:
Server(config)#username Client password itsasecret
Server(config)#map-class dialer DIALBACK
Server(config-map-class)#dialer callback-server username
Server(config-map-class)#exit
PPP Callback
The username command creates an entry for the remote host in the Server's local password database.
The map-class command creates a dialer configuration called DIALBACK that can be applied to calls on an individual basis with the dialer map command.
PPP Callback
In this case, DIALBACK will apply the dialer callback-server username command, which enables an interface to make return calls when callback is successfully negotiated.
PPP Callback
PPP callback configuration is completed by the following required commands:
Server(config)#interface async 1
Server(config-if)#ppp callback accept
Server(config-if)#dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002
PPP Callback
The ppp callback accept command enables PPP callback. The dialer map statement links the callback client's IP address, username, phone number, and DIALBACK map class (thus applying the dialer callback-server username configuration).
Note that a dialup interface cannot be configured to be both a callback server and a callback client simultaneously.
PPP Callback
Server(config-if)#dialer callback-secure
This command affects those users that are not authorized to be called back with the dialer callback-server command. If the username (as specified in the dialer map command) is not authorized for callback, the call will be disconnected if the dialer callback-secure command is configured.
PPP Callback
If the dialer callback-secure command is not configured, the call will not be disconnected. In either case, callback has not occurred.
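An added example, not from the original slides or from Cisco: a small Python check that reads an IOS-style configuration and flags the callback and authentication conditions the slides describe. The configuration text is constructed from the commands shown on the slides plus a second, deliberately misconfigured interface; the function names are hypothetical.

```python
# Added example: audit a constructed IOS-style config for the PPP callback
# conditions described on these slides. Function names are hypothetical.
SAMPLE_CONFIG = """\
username Client password itsasecret
map-class dialer DIALBACK
 dialer callback-server username
interface async 1
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ppp authentication pap chap
 dialer in-band
 dialer-group 1
 ppp callback accept
 dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002
interface async 2
 encapsulation ppp
 ppp callback accept
 ppp callback request
"""


def interfaces(config):
    """Map each interface name to the list of commands configured under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit(config):
    """Return (interface, finding) pairs for the conditions the slides name."""
    findings = []
    for name, cmds in interfaces(config).items():
        auth = next((c.split()[2:] for c in cmds if c.startswith("ppp authentication")), [])
        accept = "ppp callback accept" in cmds
        if accept and not auth:
            findings.append((name, "callback accepted without ppp authentication"))
        if accept and "dialer callback-secure" not in cmds:
            findings.append((name, "no dialer callback-secure: unauthorized callers stay connected"))
        if accept and "ppp callback request" in cmds:
            findings.append((name, "configured as both callback server and client"))
        if auth[:1] == ["pap"]:
            findings.append((name, "PAP is requested first during link negotiation"))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports two findings for async 1 and three for async 2.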
Configuring the Callback Client
Configuring a router as a callback client requires the ppp callback request command, as shown in Figure 1.
Data Compression
PPP can also maximize performance by using data compression, which may provide higher data throughput across low-speed links.
Compression is an option that is negotiated by LCP.
Data Compression
Trying to compress already compressed data can take longer than transferring the data without compression.
Typically, you should only configure compression on low-speed links because the router compresses data using software, which requires router CPU time and memory.
Data Compression
Cisco recommends that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use the show process cpu command. To display memory utilization, use the show processes memory command.
Data Compression
Predictor compression is recommended when the bottleneck is caused by high load on the router; Stacker compression is recommended when the bottleneck is caused by a line's bandwidth limitations.
Configuring PPP for compression is simple: in interface configuration mode, issue the compress predictor, compress stac, compress mppc, or ip tcp header-compression command on both sides of the link.
Data Compression
Configure TCP header compression using the command: ip tcp header-compression. Optionally, the ip tcp header-compression passive command specifies that TCP header compression is not required, but will be used if the router receives compressed headers from its link partner.
You can use the show compress command in privileged EXEC mode to view compression statistics.
PPP MULTILINK
Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces, including ISDN, synchronous, and asynchronous interfaces.
MLP can improve throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.
PPP MULTILINK
It is important to remember that MLP works by splitting packets into fragments, not by load-balancing complete packets to a destination.
Prior to the adoption of MLP there was no standardized way to use both of the ISDN BRI B channels and ensure proper sequencing.
PPP MULTILINK
Typically, you should use MLP with applications in which bandwidth requirements are dynamic, such as remote LAN access applications for telecommuters or small office, home office (SOHO) environments. When user traffic exceeds a predefined threshold, an additional physical link (such as a B channel) can be brought up to handle the burst of traffic.
PPP MULTILINK
The ppp multilink command activates multilink on an interface:
Router(config-if)#ppp multilink
Verifying and Troubleshooting PPP
One way to determine whether PAP or CHAP authentication succeeded is to use the show dialer command. This command can be used to view the status of asynchronous dialup connections.
If the show dialer command output displays the name of the remote router, it means that authentication was successful, as shown in the "Connected to 5551234 (SanJose1)" line in Figure 1.
Verifying and Troubleshooting PPP
You can check the show dialer command on both routers to verify that the name of the other router is displayed. If it is, then you know that PAP or CHAP authentication worked. The show dialer command output will also indicate whether a line is a member of an MLP bundle, as shown in Figure 1.
The debug dialer command can also be used to troubleshoot misconfiguration problems.
Verifying and Troubleshooting PPP
The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP activities such as authentication, compression, and MLP.
When the LCP is in OPEN state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated before any NCP activities take place.
The debug ppp negotiation command allows you to observe negotiation of the following:
Verifying and Troubleshooting PPP
CHAP authentication.
Compression Control Protocol (CCP).
NCP protocols IPCP, IPXCP, ATCP, etc.
Verifying and Troubleshooting PPP
When specifically debugging CHAP or PAP authentication, the debug ppp authentication command can be used in place of debug ppp negotiation.
The debug ppp authentication command gives you the same output as debug ppp negotiation, but that output is limited to CHAP and PAP authentication events.
Verifying and Troubleshooting PPP
Because debugging output is assigned a high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.