To specify the order in which the CHAP or PAP protocols are requested on the interface, use the ppp authentication interface configuration command. Use the no form of the command to disable this authentication.
ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]
no ppp authentication
Syntax Description
chap
Enables CHAP on a serial interface.
pap
Enables PAP on a serial interface.
chap pap
Enables both CHAP and PAP, and performs CHAP authentication before PAP.
pap chap
Enables both CHAP and PAP, and performs PAP authentication before CHAP.
if-needed
(Optional) Used with TACACS and XTACACS. Do not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
list-name
(Optional) Used with AAA/TACACS+. Specifies the name of a method list that defines which AAA methods (for example, TACACS+ or the local username database) are tried, and in what order. If no list name is specified, the system uses the default list. Lists are created with the aaa authentication ppp command.
default
(Optional) Used with AAA/TACACS+. Uses the default method list, which is created with the aaa authentication ppp default command.
callin
(Optional) Specifies authentication on incoming (received) calls only.
Default
PPP authentication is not enabled.
Command Mode
Interface configuration
Usage Guidelines
This command first appeared in a release prior to Cisco IOS Release 11.1.
Once you have enabled CHAP or PAP authentication or both, the local router requires the remote device to prove its identity before allowing data traffic to flow.
- PAP authentication requires the remote device to send a name and password to be checked against a matching entry in the local username database or in the remote TACACS/TACACS+ database.
- CHAP authentication sends a challenge (a random value) to the remote device. The remote device computes a one-way hash (MD5, as specified in RFC 1994) over the packet identifier, its shared secret and the challenge value, and returns that hash together with its name in a response message. The local router uses the remote device's name to look up the appropriate secret in the local username or remote TACACS/TACACS+ database, computes the same hash over the original challenge, and accepts the peer only if the two values match. The secret itself is never sent across the link.
You may enable PAP or CHAP or both, in either order. If both methods are enabled, the first method specified is requested during link negotiation. If the peer proposes the second method, or simply refuses the first, the second method is tried. Some remote devices support CHAP only and some PAP only. Choose the order based on whether the remote device can correctly negotiate the method and on how much you trust the line. PAP usernames and passwords are sent as clear-text strings and can be intercepted and replayed by anyone who can observe the line. CHAP closes that hole: the secret never crosses the link, and because each response is bound to a fresh challenge, a captured response cannot be reused. A captured challenge/response pair can still be attacked offline by guessing the secret, so choose long, random shared secrets. Prefer CHAP, and list PAP only for peers that cannot do CHAP.
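The PAP and CHAP exchanges described above, as an added example that is not part of the Cisco documentation: both sides of each protocol in Python, with the authenticator modelled as a router holding a local username database. The packet layout follows RFC 1334 (PAP) and the response computation follows RFC 1994 (CHAP with MD5); the peer names, secrets and wordlist are constructed for the demonstration and are not from the page.

```python
# Added example, not Cisco code: PAP and CHAP as seen from both ends of the
# link. The authenticator (local router) holds a constructed username
# database; the peer (remote device) proves knowledge of its secret.
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

# Constructed local username database, the equivalent of IOS
# "username <name> password <secret>" entries on the authenticator.
LOCAL_USERNAMES = {
    b"branch-rtr": b"s3cret-shared",
    b"hq-rtr": b"another-secret",
}


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Peer side of PAP: build an Authenticate-Request (RFC 1334 section 2.2.1).
    The password is a plain field in the packet, which is why an observer of
    the line can read it and reuse it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def pap_verify(packet: bytes, db=LOCAL_USERNAMES) -> bool:
    """Authenticator side of PAP: parse the request and compare the password
    against the entry for that peer name."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        return False
    n = packet[4]
    peer_id = packet[5:5 + n]
    m = packet[5 + n]
    password = packet[6 + n:6 + n + m]
    secret = db.get(peer_id)
    return secret is not None and hmac.compare_digest(secret, password)


def chap_challenge(size: int = 16) -> bytes:
    """Authenticator side of CHAP: a fresh, unpredictable challenge for every
    attempt, so that a response captured earlier is useless later."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP (RFC 1994 section 4):
    Value = MD5(Identifier || secret || Challenge). Only this 16-byte hash and
    the peer's name go on the wire; the secret itself never leaves the peer."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, peer_name: bytes,
                response: bytes, db=LOCAL_USERNAMES) -> bool:
    """Authenticator side of CHAP: look up the secret by the name the peer
    sent, recompute the hash over the challenge this router issued, and
    compare in constant time. A different challenge or identifier, a wrong
    name or an unknown name all fail."""
    secret = db.get(peer_name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes,
                       wordlist: Iterable[bytes]) -> Optional[bytes]:
    """The exposure CHAP does not remove: an eavesdropper who captured the
    (identifier, challenge, response) triple can test candidate secrets
    offline. Returns the guessed secret if one in the wordlist matches."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    # Walk through one PAP and one CHAP exchange from the authenticator's view.
    pap_pkt = pap_authenticate_request(1, b"branch-rtr", b"s3cret-shared")
    print("PAP packet carries the password in clear:", b"s3cret-shared" in pap_pkt)
    print("PAP accepted:", pap_verify(pap_pkt))

    ident, chal = 7, chap_challenge()
    resp = chap_response(ident, LOCAL_USERNAMES[b"branch-rtr"], chal)
    print("CHAP accepted:", chap_verify(ident, chal, b"branch-rtr", resp))
    print("CHAP replay against a new challenge:",
          chap_verify(ident, chap_challenge(), b"branch-rtr", resp))
    print("Offline guess from a weak wordlist:",
          chap_offline_guess(ident, chal, resp, [b"cisco", b"password"]))
```

The replay check is the point of the ordering advice: a PAP packet captured once is valid forever, while a CHAP response is only valid for the challenge it answered. The offline-guess function shows why the shared secret, not the protocol, is the remaining weak point.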
Enabling or disabling PPP authentication does not affect the local router's willingness to authenticate itself to the remote device.
If you use a list-name that has not been configured with the aaa authentication ppp command, PPP is disabled on this line.
Example
The following example enables CHAP on asynchronous interface 4, and uses the authentication list MIS-access:
interface async 4
 encapsulation ppp
 ppp authentication chap MIS-access
Related Commands
You can use the master indexes or search online to find documentation of related commands.
aaa authentication ppp
aaa new-model
autoselect
dialer map
encapsulation ppp
ppp use-tacacs
username password