4.3 PPP Authentication
4.3.1 PAP
The authentication phase of a PPP session is optional. After the link has been established, and the authentication protocol chosen, the peer can be authenticated. If it is used, authentication takes place before the network-layer protocol configuration phase begins.

The authentication options require that the calling side of the link enter authentication information to help ensure that the user has the network administrator's permission to make the call. Peer routers exchange authentication messages.

When configuring PPP authentication, you can select Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). In general, CHAP is the preferred protocol.

As shown in the Figure, PAP provides a simple method for a remote node to establish its identity, using a two-way handshake. After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication protocol. Passwords are sent across the link in clear text, and there is no protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.