3.2 PPP Link Control Protocol Options
3.2.2 PAP and CHAP authentication
With PPP, callers can be authenticated with PAP or CHAP. You may also elect not to carry any authentication. Figure shows the PPP authentication process. 

The flowchart presented in the Figure shows the following PPP authentication process steps:

  1. When a user enters the ppp command, the system determines the type of authentication configured. If no authentication is configured, the PPP process starts immediately.
  2. Otherwise, the system determines the authentication method to be used and does one of the following:
     • It checks the local database (established with the username password commands) to see whether the given username/password pair is a match (CHAP or PAP).
     • It sends an authentication request to the security server (TACACS+ or Remote Access Dial-In User Service [RADIUS]).
  3. The system checks the authentication response sent back from the security server or local database. If the response is positive, the access server starts the PPP process. If the result is negative, the access server rejects the user immediately.

PAP and CHAP both use a two-way process, in which an ID/password pair is repeatedly sent from the peer to the authenticator until authentication is acknowledged or the connection is terminated. Because the password is sent in clear text, PAP is not a secure authentication method.

PAP has no protection from playback (with a sniffer connected to the line, you can capture the packet and use it to authenticate your way directly into the network by playing back the captured packet).

For more secure access control, CHAP is recommended as the authentication method. PAP is recommended when it is the only method of authentication that the remote station supports.

CHAP passwords are encrypted when they cross the network, whereas PAP passwords are in clear text. PAP is one-way authentication between a host and an access server, as shown in Figure ; it is two-way authentication between routers.
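An added illustration of why the playback problem above applies to PAP but not to CHAP (example code written for this section, not part of the original course text): it models the access-server side in Python, computes the CHAP-MD5 response as specified in RFC 1994, and assumes a constructed shared secret.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example only; not a real credential.
SECRET = b"example-secret"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Access-server side of CHAP: issues a fresh random challenge for every
    attempt and verifies the peer's response against the locally stored secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.ident = 0

    def challenge(self) -> tuple[int, bytes]:
        self.ident = (self.ident + 1) & 0xFF          # 8-bit Identifier field
        return self.ident, os.urandom(16)             # 16-byte random Challenge Value

    def verify(self, ident: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(ident, self.secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def pap_replay_succeeds(captured_password: bytes, stored: bytes) -> bool:
    """PAP: the authenticator compares the clear-text password exactly as sent,
    so an Authenticate-Request captured on the line is accepted unchanged later."""
    return captured_password == stored


def chap_replay_succeeds(auth: ChapAuthenticator) -> bool:
    """CHAP: a response captured from one exchange is presented again in a new
    exchange. The new challenge differs, so the old response no longer matches."""
    ident1, chal1 = auth.challenge()
    captured = chap_response(ident1, SECRET, chal1)  # what a sniffer would see
    assert auth.verify(ident1, chal1, captured)      # the genuine exchange succeeds
    ident2, chal2 = auth.challenge()                 # a later attempt: new challenge
    return auth.verify(ident2, chal2, captured)      # False: old response rejected
```

Because the CHAP secret itself never crosses the link, the access server and the peer only need to share it out of band, which is the property the text relies on when it recommends CHAP over PAP.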