Lab Objective:
The objective of this lab exercise is to configure two routers sharing a back-to-back Serial link encapsulated by PPP to authenticate each other using Password Authentication Protocol (PAP). By default, PPP connections are not authenticated or secured.
Lab Purpose:
PPP PAP authentication configuration is a fundamental skill. One of the main reasons that PPP is so popular is because it has the capability to be secured and devices communicating using PPP can be authenticated. PAP authentication is the least preferred method to secure PPP as it sends usernames and passwords in clear text. However, as a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to configure PPP PAP authentication.
Certification Level:
This lab is suitable for ICND2 and CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 4/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
Configure hostnames on R1 and R2 as illustrated in the topology.
Task 2:
Enable Serial interfaces on R1 and R2. The Serial0/0 interface on R2 is identified as the DCE in the topology. Use the appropriate commands to verify that this interface is indeed the DCE. Configure the DCE interface on R2 to provide clocking to R1. The clock speed should be 768 Kbps. Again, remember that 1 Kbps = 1000 bps. Verify that R1 receives clocking information from R2.
Task 3:
Enable PPP encapsulation on R1 and R2 Seriaol0/0 interfaces. Configure IP addressing on R1 and R2 Serial0/0 interfaces as illustrated in the topology.
Task 4:
Verify your interface encapsulation, which should now be PPP. Test connectivity between R1 and R2 by pinging between the routers.
Task 5:
Configure a username on R1 and R2. The user account should be the hostname of the remote router that will be authenticating with the local device. For example, on R1 the user account that will be used to authenticate router R2 will be R2. The password on both routers should be PAP.
Task 6:
Configure the Serial0/0 interfaces of R1 and R2 for PPP Authentication via PAP. Each router should send its configured hostname as the PAP username, and the configured password PAP should be used for PAP authentication between the routers.
Task 7:
Enable PPP authentication debugging on R1. Next, perform a shutdown command, followed by a no shutdown command, on Serial0/0. Verify that you see the two routers authenticating each other via PPP PAP. Disable debugging when you are done.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
For reference information on verifying DTE/DCE status, please refer to earlier labs.
Task 3:
For reference information on enabling PPP and IP addressing, please refer to earlier labs.
Task 4:
For reference information on verifying Serial encapsulation, please refer to earlier labs.
Task 5:
R1#conf t Enter configuration commands, one per line. End with CTRL/Z. R1(config)#username R2 password PAP R1(config)#end R1# R2#conf t Enter configuration commands, one per line. End with CTRL/Z. R2(config)#username R1 password PAP R2(config)#^Z R2#
Task 6:
R1#conf t Enter configuration commands, one per line. End with CTRL/Z. R1(config)#int s0/0 R1(config-if)#ppp authentication pap R1(config-if)#ppp pap sent-username R1 password PAP R1(config-if)#^Z R1# R2#conf t Enter configuration commands, one per line. End with CTRL/Z. R2(config)#interface serial0/0 R2(config-if)#ppp authentication pap R2(config-if)#ppp pap sent-username R2 password PAP R2(config-if)#end R2#
Task 7:
R1#debug ppp authentication PPP authentication debugging is on R1#conf t Enter configuration commands, one per line. End with CTRL/Z. R1(config)#int s0/0 R1(config-if)#shut R1(config-if)# *Mar 1 02:24:04.158: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down *Mar 1 02:24:05.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down R1(config-if)#no shut R1(config-if)# *Mar 1 02:24:14.943: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up *Mar 1 02:24:14.943: Se0/0 PPP: Using default call direction *Mar 1 02:24:14.943: Se0/0 PPP: Treating connection as a dedicated line *Mar 1 02:24:14.943: Se0/0 PPP: Session handle[BC000002] Session id[4] *Mar 1 02:24:14.943: Se0/0 PPP: Authorization required *Mar 1 02:24:14.951: Se0/0 PAP: Using hostname from interface PAP *Mar 1 02:24:14.951: Se0/0 PAP: Using password from interface PAP *Mar 1 02:24:14.951: Se0/0 PAP: O AUTH-REQ id 2 len 11 from “R1” *Mar 1 02:24:14.951: Se0/0 PAP: I AUTH-REQ id 2 len 11 from “R2” *Mar 1 02:24:14.951: Se0/0 PAP: Authenticating peer R2 *Mar 1 02:24:14.955: Se0/0 PPP: Sent PAP LOGIN Request *Mar 1 02:24:14.955: Se0/0 PPP: Received LOGIN Response PASS *Mar 1 02:24:14.959: Se0/0 PPP: Sent LCP AUTHOR Request *Mar 1 02:24:14.959: Se0/0 PPP: Sent IPCP AUTHOR Request *Mar 1 02:24:14.963: Se0/0 PAP: I AUTH-ACK id 2 len 5 *Mar 1 02:24:14.963: Se0/0 LCP: Received AAA AUTHOR Response PASS *Mar 1 02:24:14.963: Se0/0 IPCP: Received AAA AUTHOR Response PASS *Mar 1 02:24:14.967: Se0/0 PAP: O AUTH-ACK id 2 len 5 *Mar 1 02:24:14.967: Se0/0 PPP: Sent CDPCP AUTHOR Request *Mar 1 02:24:14.971: Se0/0 PPP: Sent IPCP AUTHOR Request *Mar 1 02:24:14.975: Se0/0 CDPCP: Received AAA AUTHOR Response PASS *Mar 1 02:24:15.969: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up R1(config-if)#end *Mar 1 02:24:22.339: %SYS-5-CONFIG_I: Configured from console by console R1# R1#undebug all All possible debugging has been turned off
NOTE: By default, PAP sends usernames and passwords in clear text and is generally generally not considered a secure authentication means for PPP. The recommended and most common means to secure and authenticate via PPP is to use the Challenge Handshake Authentication Protocol (CHAP). In the debug output above, while the password is not shown, you can see the usernames “R1” and “R2” printed.