The authentication phase of a PPP session is optional. After the link has been
established, and the authentication protocol chosen, the peer can
be authenticated. If it is used, authentication takes place before the
network-layer protocol configuration phase begins.

The authentication options require that
the calling side of the link enter authentication information to help
ensure that the user has the network administrator's permission to
make the call. Peer routers exchange authentication messages.

When configuring PPP authentication,
you can select Password Authentication Protocol (PAP) or Challenge
Handshake Authentication Protocol (CHAP). In general, CHAP is the preferred
protocol.

As shown in the figure, PAP provides a simple method for a remote node to
establish its identity, using a two-way handshake. After the PPP link
establishment phase is complete, a username/password pair is
repeatedly sent by the remote node across the link until
authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication
protocol. Passwords are sent across the link in clear text, and there
is no protection from playback or repeated trial-and-error attacks.
The remote node is in control of the frequency and timing of the login
attempts.
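
The following added example (not part of the original text) encodes and decodes a PAP Authenticate-Request using the packet layout from RFC 1334, showing that the password can be read straight from the captured bytes and that the same bytes are acknowledged again when replayed. The account table, the names `R1` and `example-pass`, and the toy `authenticator_reply` function are constructed for illustration.

```python
import struct

# PAP packet codes from RFC 1334 (the PPP protocol field 0xC023 precedes these bytes).
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3

def build_auth_request(identifier, peer_id, password):
    """Encode a PAP Authenticate-Request the way the remote node sends it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", AUTH_REQUEST, identifier, 4 + len(body)) + body

def parse_auth_request(packet):
    """Decode an Authenticate-Request; raises ValueError on malformed input."""
    if len(packet) < 6:
        raise ValueError("packet too short for a PAP request")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != AUTH_REQUEST:
        raise ValueError("not an Authenticate-Request")
    if length < 6 or length > len(packet):
        raise ValueError("bad Length field")
    data = packet[4:length]
    id_len = data[0]
    if 1 + id_len >= len(data):
        raise ValueError("Peer-ID overruns packet")
    peer_id = data[1:1 + id_len]
    pw_len = data[1 + id_len]
    password = data[2 + id_len:2 + id_len + pw_len]
    if len(password) != pw_len:
        raise ValueError("Password overruns packet")
    return identifier, peer_id, password

def authenticator_reply(packet, accounts):
    """Toy authenticator (hypothetical): Ack if the pair matches, else Nak, empty message."""
    identifier, peer_id, password = parse_auth_request(packet)
    code = AUTH_ACK if accounts.get(peer_id) == password else AUTH_NAK
    return struct.pack("!BBHB", code, identifier, 5, 0)

# Constructed sample values, not taken from any real device.
ACCOUNTS = {b"R1": b"example-pass"}
CAPTURED = build_auth_request(0x01, b"R1", b"example-pass")

if __name__ == "__main__":
    # The password is recoverable from the wire bytes with no key or secret.
    print(parse_auth_request(CAPTURED))
    # Nothing in the request is fresh, so identical bytes are acknowledged again.
    print(authenticator_reply(CAPTURED, ACCOUNTS).hex())
```

Because the request contains no challenge or nonce, nothing distinguishes a replayed frame from the original; CHAP addresses this by having the authenticator issue a challenge.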