Configuring PAP and CHAP Authentication

17 Mar

The CHAP and PAP protocols are supported on synchronous and asynchronous serial interfaces. When using CHAP or PAP authentication, each router or access server uses a name to identify itself. This identification process prevents a router from placing another call to a router it’s already connected to, and it also prevents unauthorized access. Access control using CHAP or PAP is available on all serial interfaces that use PPP encapsulation. To use the features of PAP and CHAP, perform the following steps:

1. Enable PPP encapsulation on an interface using the interface configuration mode encapsulation ppp command.

2. Enable CHAP or PAP authentication on the interface configured for PPP encapsulation by using the following command in interface configuration mode:

ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]

3. Configure the appropriate usernames and passwords using this command:

username name <user-maxlinks link-number> password <secret>

The passwords are case sensitive and must be identical at both ends.
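As an added example that is not part of the original text, the following Python models the CHAP challenge/response exchange of RFC 1994, which is what ppp authentication chap negotiates between two peers. It uses the username entries from Listing 2.6 as a constructed local database and shows why the secret must match exactly (case-sensitive) at both ends even though it never crosses the link.

```python
import hashlib
import hmac
import os

# Constructed example of the RFC 1994 CHAP exchange; not code from the page.
# The shared secret is the "username ... password ..." entry that must be
# identical on both routers. Under CHAP only the MD5 response is sent.

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    h = hashlib.md5()
    h.update(bytes([identifier & 0xFF]))
    h.update(secret.encode("ascii"))
    h.update(challenge)
    return h.digest()

def make_challenge(length: int = 16) -> bytes:
    """Authenticator picks an unpredictable challenge so old responses cannot be replayed."""
    return os.urandom(length)

def authenticate(server_db: dict, identifier: int, challenge: bytes,
                 peer_name: str, peer_response: bytes) -> bool:
    """Authenticator side: recompute with the locally stored secret and compare."""
    secret = server_db.get(peer_name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, peer_response)

def run_exchange(server_db: dict, peer_name: str, peer_secret: str,
                 identifier: int = 1, challenge: bytes = None) -> bool:
    """Both sides of one exchange: challenge out, response back, verify."""
    challenge = challenge or make_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return authenticate(server_db, identifier, challenge, peer_name, response)

# Local database equivalent to the username lines in Listing 2.6 (constructed).
LOCAL_USERS = {"james": "letmein", "john": "cto"}

if __name__ == "__main__":
    print(run_exchange(LOCAL_USERS, "james", "letmein"))    # True
    print(run_exchange(LOCAL_USERS, "james", "LetMeIn"))    # False: case-sensitive
    print(run_exchange(LOCAL_USERS, "mallory", "letmein"))  # False: unknown user
```

With PAP the client would instead send "james"/"letmein" in the clear, which is the trade-off the page's "chap pap" fallback ordering accepts for clients that cannot do CHAP.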

Figure 2.10 lists three users who need secure remote access to the corporate office. The users remotely connect to the corporate network and are authenticated via CHAP. The configuration of the network access server is shown in Listing 2.6.


Figure 2.10: Remote client PPP connection.
Listing 2.6: PPP network access server.

!
hostname Seminole
!
username james password letmein
username admin password admin
username john password cto
!
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
!
interface Group-Async1
encapsulation ppp
async mode interactive
peer default ip address pool remote-users
ppp authentication pap
group-range 1 16
!
ip local pool remote-users 192.168.39.239 192.168.39.254
!
line 1 16
login local
autoselect during-login
autoselect ppp
modem InOut
transport input all

The configuration in Listing 2.6 defines three users with separate passwords. Interface group-async1 is configured for PPP as the encapsulation protocol, and the method of authentication is PAP. The group-range command under interface group-async1 defines the lines that are part of the group-async1 interface. Notice that PAP was chosen as the authentication protocol; CHAP could have been specified instead using the ppp authentication chap command. In environments that support both PAP and CHAP, the access server attempts to authenticate a user with the first configured authentication method; if that method fails or if the client device does not support it, the access server attempts the next configured method. This is accomplished using the following command:

ppp authentication chap pap

However, the example in Listing 2.6 can sometimes become a burden because of the overhead of maintaining a local security database on the network access server. In environments in which there is the potential to have hundreds, maybe even thousands of remote clients connecting to the access server, the local security database method is not feasible because of scalability issues. Fortunately, in environments that use the services of a central security database, like the Cisco Secure ACS server, the authentication process can be offloaded to the Cisco Secure ACS server. As an example, the network access server in Figure 2.10 will be configured to authenticate the users via the AAA security server. Listing 2.7 details the configuration needed to enable authentication via the AAA security server.

Listing 2.7: Remote authentication using TACACS+.

!
hostname Seminole
!
aaa new-model
aaa authentication login default group tacacs+ enable local none
aaa authentication login ADMIN none
aaa authentication ppp default if-needed group tacacs+ local enable
!
username admin password admin
!
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
!
interface Serial0:23
no ip address
encapsulation ppp
!
interface Group-Async1
ip unnumbered Ethernet0
encapsulation ppp
ip tcp header-compression passive
async mode interactive
peer default ip address pool IP
ppp callback accept
ppp authentication chap
group-range 1 16
!
ip local pool IP 192.168.10.239 192.168.10.254
!
tacacs-server host 192.168.10.4 single-connection timeout 10 key 1Cisco9
!
line con 0
login authentication ADMIN
line 1 16
modem InOut
autoselect during-login
autoselect ppp

This configuration authenticates the remote clients against the TACACS+ server (falling back to the local database and then the enable password if the server is unreachable) before authorizing the users and accounting for their sessions.
