With PPP, callers can be authenticated with PAP or CHAP. You may also elect not to carry any authentication. Figure shows the PPP authentication process.
The flowchart presented in the Figure shows the following PPP authentication process steps:
- When a user enters the ppp command, the system determines the type of authentication configured. If no authentication is configured, the PPP process starts immediately.
- Otherwise, the system determines the authentication method to be used and does one of the following:
  - It checks the local database (established with the username password commands) to see whether the given username/password pair is a match (CHAP or PAP).
  - It sends an authentication request to the security server (TACACS+ or Remote Access Dial-In User Service [RADIUS]).
- The system checks the authentication response sent back from the security server or local database. If it is a positive response, the access server starts the PPP process. If the result is negative, the access server rejects the user immediately.
PAP and CHAP both have a two-way process, in which an ID/password pair is repeatedly sent from the peer to the authenticator until authentication is acknowledged or the connection is terminated. Because the password is sent in clear text, PAP is not a secure authentication method.
PAP has no protection from playback: with a sniffer connected to the line, you can capture the packet and use it to authenticate your way directly into the network by playing back the captured packet.
For more secure access control, CHAP is recommended as the authentication method. PAP is recommended only when it is the only method of authentication that the remote station supports.
CHAP passwords are encrypted when they cross the network, whereas PAP passwords are in clear text. PAP is one-way authentication between a host and an access server, as shown in Figure; it is two-way authentication between routers.
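To make the playback difference concrete, here is an added simulation (not code from the original text) of both exchanges against a constructed local database standing in for the access server's username/password entries. PAP carries the password itself, so a captured Authenticate-Request verifies again unchanged; CHAP sends only MD5(Identifier || secret || Challenge) as specified in RFC 1994, so a captured response fails against the fresh challenge of the next session. All usernames, secrets and function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed local database, standing in for the access server's
# "username <name> password <pw>" entries (sample values, not from the page).
LOCAL_DB = {"remote1": b"s3cret-pw"}

def pap_request(username, password):
    """PAP Authenticate-Request: the ID/password pair travels in clear text."""
    return {"user": username, "password": password}

def pap_verify(request):
    """Authenticator compares the received pair with the local database."""
    return LOCAL_DB.get(request["user"]) == request["password"]

def chap_challenge():
    """Authenticator sends a fresh random Challenge together with an Identifier."""
    return {"id": os.urandom(1)[0], "challenge": os.urandom(16)}

def _chap_hash(identifier, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_response(challenge, username, secret):
    """Peer answers with the hash; the secret itself never crosses the link."""
    value = _chap_hash(challenge["id"], secret, challenge["challenge"])
    return {"id": challenge["id"], "user": username, "value": value}

def chap_verify(challenge, response):
    """Authenticator recomputes the hash from its stored secret and compares."""
    secret = LOCAL_DB.get(response["user"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = _chap_hash(challenge["id"], secret, challenge["challenge"])
    return hmac.compare_digest(expected, response["value"])

def replay_outcomes():
    """Return (pap_replay_accepted, chap_replay_accepted) for captured packets."""
    captured_pap = pap_request("remote1", b"s3cret-pw")
    pap_replayed = pap_verify(captured_pap)        # identical bytes verify again
    first = chap_challenge()
    captured_chap = chap_response(first, "remote1", b"s3cret-pw")
    second = chap_challenge()                      # next session, new challenge
    chap_replayed = chap_verify(second, captured_chap)
    return pap_replayed, chap_replayed
```

`replay_outcomes()` returns `(True, False)`: the replayed PAP packet is accepted, the replayed CHAP response is rejected.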