pap and chap uploaded by sushil sharma


Upload: sushil-sharma

Post on 04-Apr-2018


Page 1: Pap and Chap Uploaded by Sushil Sharma

7/29/2019 Pap and Chap Uploaded by Sushil Sharma

http://slidepdf.com/reader/full/pap-and-chap-uploaded-by-sushil-sharma 1/42

PAP and CHAP

Enable PPP encapsulation and PAP authentication with the following commands:

Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap


PAP and CHAP

You must also configure the router with a local username/password database, or point it to a network host that has that information (such as a TACACS+ server). Without access to a username/password database, the router won't know which combinations are authorized and will deny all login attempts.


PAP and CHAP

You can configure a local username/password database by using the following command in global configuration mode:

Router(config)#username username password password


PAP and CHAP

In some cases, you must also configure a router's asynchronous interface to place calls to other access servers. If you want to configure an interface to respond to a peer's request to authenticate with PAP, you must use the ppp pap sent-username command:

Router(config-if)#ppp pap sent-username username password password


Configuring CHAP

When using CHAP authentication, the access server sends a challenge message to the remote node after the PPP link is established.

The remote node responds with a value calculated by using a one-way hash function, typically Message Digest 5 (MD5). The access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged.
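The challenge/response exchange described above, as an added example that is not part of the original slides. It uses the MD5 response calculation from RFC 1994 (Identifier, shared secret, challenge value); the class and function names are hypothetical, and the username and password are the sample values used later in these slides.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response: MD5(Identifier || secret || Challenge value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class AccessServer:
    """Authenticator side (hypothetical class name): challenges and verifies."""

    def __init__(self, user_db):
        self.user_db = user_db   # name -> shared secret, like the local database
        self.pending = {}        # identifier -> outstanding challenge value
        self.next_id = 0

    def send_challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)   # fresh and unpredictable
        return ident, self.pending[ident]

    def check_response(self, ident, name, response):
        challenge = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.user_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare

def demo():
    """Run three exchanges; returns (good, wrong_secret, replayed)."""
    server = AccessServer({"Client": b"itsasecret"})   # sample values from the slides

    ident, challenge = server.send_challenge()
    good_response = chap_response(ident, b"itsasecret", challenge)
    good = server.check_response(ident, "Client", good_response)

    ident, challenge = server.send_challenge()
    wrong = server.check_response(
        ident, "Client", chap_response(ident, b"guess", challenge))

    # A response captured from the first exchange does not fit a new challenge.
    ident, challenge = server.send_challenge()
    replayed = server.check_response(ident, "Client", good_response)
    return good, wrong, replayed

if __name__ == "__main__":
    print(demo())
```

The shared secret never crosses the link; only the challenge and the 16-byte hash do, and the hash is bound to one Identifier and one challenge value.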


Configuring CHAP

Configure PPP and CHAP authentication using the following commands:

Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap

You can enable both PAP and CHAP authentication on an interface. The first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.


Configuring CHAP

This command can be useful, because some remote devices support CHAP only and some PAP only. The commands are as follows:

Router(config-if)#ppp authentication pap chap

And, alternately:

Router(config-if)#ppp authentication chap pap


PPP Callback

PPP callback is an LCP option used over dialup links. PPP callback provides a client/server relationship between the endpoints of a point-to-point connection.

PPP callback allows a dialup client to request that a dialup server call the client back. The callback feature can be used to control access and toll costs between hosts.


PPP Callback

Both routers on a point-to-point link must be configured for PPP callback; one must function as a callback client, and one must be configured as a callback server. The callback client must be configured to initiate PPP callback requests, and the callback server must be configured to accept PPP callback requests and place return calls.


PPP Callback

The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is for telephone bill consolidation and dialup cost savings.

It is not necessarily a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers.


PPP Callback

The incoming calls go through the normal login process and must pass authentication before callback can occur.

To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.


PPP Callback

To configure a router as a callback server, use the commands shown.

Server(config)#interface async 1
Server(config-if)#ip address 10.1.1.1 255.255.255.0
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication chap


PPP Callback

Note that to use callback, you must also use PPP authentication. The asynchronous interface can then be configured with basic DDR commands:

Server(config-if)#dialer in-band
Server(config-if)#dialer-group 1


PPP Callback

Finally, PPP callback is configured with these commands:

Server(config)#username Client password itsasecret
Server(config)#map-class dialer DIALBACK
Server(config-map-class)#dialer callback-server username
Server(config-map-class)#exit


PPP Callback

The username command creates an entry for the remote host in the Server's local password database.

The map-class command creates a dialer configuration called DIALBACK that can be applied to calls on an individual basis with the dialer map command.


PPP Callback

In this case, DIALBACK will apply the dialer callback-server username command, which enables an interface to make return calls when callback is successfully negotiated.


PPP Callback

PPP callback configuration is completed by the following required commands:

Server(config)#interface async 1
Server(config-if)#ppp callback accept
Server(config-if)#dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002


PPP Callback

The ppp callback accept command enables PPP callback. The dialer map statement links the callback client's IP address, username, phone number, and DIALBACK map class (thus applying the dialer callback-server username configuration).

Note that a dialup interface cannot be configured to be both a callback server and a callback client simultaneously.


PPP Callback

Server(config-if)#dialer callback-secure

This command affects those users that are not authorized to be called back with the dialer callback-server command. If the username (as specified in the dialer map command) is not authorized for callback, the call will be disconnected if the dialer callback-secure command is configured.


PPP Callback

If the dialer callback-secure command is not configured, the call will not be disconnected. In either case, callback has not occurred.
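An added example, not part of the original slides: a small audit of IOS-style configuration text covering both the PAP/CHAP method ordering and the dialer callback-secure behaviour described above. It flags interfaces that request PAP first or allow it as a fallback (PAP passes the password to the peer unhashed, unlike the CHAP exchange), that send PAP credentials, or that accept callback without dialer callback-secure. The sample configuration is constructed from the commands on these slides; the function names and finding labels are hypothetical.

```python
# Constructed sample input, built only from commands that appear on the slides.
SAMPLE_CONFIG = """\
interface async 1
 encapsulation ppp
 ppp authentication pap chap
 ppp callback accept
 dialer in-band
!
interface async 2
 encapsulation ppp
 ppp authentication chap
 ppp pap sent-username Client password itsasecret
 ppp callback accept
 dialer callback-secure
!
interface async 3
 encapsulation ppp
"""

def interface_stanzas(config_text):
    """Group indented sub-commands under their 'interface ...' line."""
    stanzas, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(" ".join(line.split()))
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def audit_ppp(config_text):
    """Return sorted (interface, finding) pairs; finding labels are hypothetical."""
    findings = []
    for name, cmds in interface_stanzas(config_text).items():
        if "encapsulation ppp" not in cmds:
            continue
        methods = []
        for cmd in cmds:
            if cmd.startswith("ppp authentication "):
                methods = [m for m in cmd.split()[2:] if m in ("pap", "chap")]
        if not methods:
            findings.append((name, "no-ppp-authentication"))
        elif methods[0] == "pap":
            findings.append((name, "pap-requested-first"))
        elif "pap" in methods:
            findings.append((name, "pap-fallback-allowed"))
        if any(c.startswith("ppp pap sent-username ") for c in cmds):
            findings.append((name, "pap-credentials-sent-to-peer"))
        if "ppp callback accept" in cmds and "dialer callback-secure" not in cmds:
            findings.append((name, "callback-without-callback-secure"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ppp(SAMPLE_CONFIG):
        print(finding)
```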


Configuring the Callback Client

Configuring a router as a callback client requires the ppp callback request command, as shown in Figure 1.


Data Compression

PPP can also maximize performance by using data compression, which may provide higher data throughput across low-speed links.

Compression is an option that is negotiated by LCP.


Data Compression

Trying to compress already compressed data can take longer than transferring the data without compression.

Typically, you should only configure compression on low-speed links because the router compresses data using software, which requires router CPU time and memory.


Data Compression

Cisco recommends that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use the show process cpu command. To display memory utilization, use the show processes memory command.


Data Compression

Predictor compression is recommended when the bottleneck is caused by high load on the router; Stacker compression is recommended when the bottleneck is caused by a line's bandwidth limitations.

Configuring PPP for compression is simple: in interface configuration mode, issue the compress predictor, compress stac, compress mppc, or ip tcp header-compression command on both sides of the link.


Data Compression

Configure TCP header compression using the command: ip tcp header-compression. Optionally, the ip tcp header-compression passive command specifies that TCP header compression is not required, but will be used if the router receives compressed headers from its link partner.

You can use the show compress command in privileged EXEC mode to view compression statistics.


PPP MULTILINK

Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces, including ISDN, synchronous, and asynchronous interfaces.

MLP can improve throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.


PPP MULTILINK

It is important to remember that MLP works by splitting packets into fragments, not by load-balancing complete packets to a destination.

Prior to the adoption of MLP there was no standardized way to use both of the ISDN BRI B channels and ensure proper sequencing.


PPP MULTILINK

Typically, you should use MLP with applications in which bandwidth requirements are dynamic, such as remote LAN access applications for telecommuters or small office, home office (SOHO) environments. When user traffic exceeds a predefined threshold, an additional physical link (such as a B channel) can be brought up to handle the burst of traffic.


PPP MULTILINK

The ppp multilink command activates multilink on an interface:

Router(config-if)#ppp multilink


Verifying and Troubleshooting PPP

One way to determine whether PAP or CHAP authentication succeeded is to use the show dialer command. This command can be used to view the status of asynchronous dialup connections.

If the show dialer command output displays the name of the remote router, it means that authentication was successful, as shown in the "Connected to 5551234 (SanJose1)" line in Figure 1.


Verifying and Troubleshooting PPP

You can check the show dialer command on both routers to verify that the name of the other router is displayed. If it is, then you know that PAP or CHAP authentication worked. The show dialer command output will also indicate whether a line is a member of an MLP bundle, as shown in Figure 1.

The debug dialer command can also be used to troubleshoot misconfiguration problems.


Verifying and Troubleshooting PPP

The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP activities such as authentication, compression, and MLP.

When the LCP is in OPEN state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated before any NCP activities take place.

The debug ppp negotiation command allows you to observe negotiation of the following:


Verifying and Troubleshooting PPP

CHAP authentication.
Compression Control Protocol (CCP).
NCP protocols IPCP, IPXCP, ATCP, etc.


Verifying and Troubleshooting PPP

When specifically debugging CHAP or PAP authentication, the debug ppp authentication command can be used in place of debug ppp negotiation.

The debug ppp authentication command gives you the same output as debug ppp negotiation, but that output is limited to CHAP and PAP authentication events.


Verifying and Troubleshooting PPP

Because debugging output is assigned a high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
