PPP Commands on Cisco IOS XR Software
This module describes the commands used to configure the Point-to-Point Protocol (PPP), an encapsulation scheme that can be used on Packet-over-SONET (POS), serial, and multilink interfaces on the Cisco IOS XR software.
PPP is a standard protocol used to send data over synchronous serial links. PPP also provides a Link Control Protocol (LCP) for negotiating properties of the link. LCP uses echo requests and responses to monitor the continuing availability of the link.
PPP provides the following Network Control Protocols (NCPs) for negotiating properties of data protocols that will run on the link:
• Cisco Discovery Protocol Control Protocol (CDPCP) to negotiate CDP properties
• IP Control Protocol (IPCP) to negotiate IP properties
• IP Version 6 Control Protocol (IPv6CP) to negotiate IPv6 properties
• Multiprotocol Label Switching Control Protocol (MPLSCP) to negotiate MPLS properties
• Open System Interconnection Control Protocol (OSICP) to negotiate OSI properties
encapsulation ppp
To enable encapsulation for communication with routers or bridges using the Point-to-Point Protocol (PPP), use the encapsulation ppp command in interface configuration mode. To disable PPP encapsulation, use the no form of this command.
encapsulation ppp
no encapsulation ppp
Syntax Description
This command has no arguments or keywords.
Defaults
PPP encapsulation is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
Use the encapsulation ppp command to enable PPP encapsulation on an interface.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| interface | read, write |
Examples
The following example shows how to set up PPP encapsulation on interface POS 0/1/0/1:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/1/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
Related Commands
ppp authentication
To enable Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, or Password Authentication Protocol (PAP), and to specify the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface, use the ppp authentication command in interface configuration mode. To disable PPP authentication, use the no form of this command.
ppp authentication protocol [protocol [protocol]] [list-name | default]
no ppp authentication
Syntax Description
| Keyword or argument | Description |
|---|---|
| protocol | Name of the authentication protocol used for PPP authentication. See Table 86 for the appropriate keyword. You may select one, two, or all three protocols, in any order. |
| list-name | (Optional) Used with authentication, authorization, and accounting (AAA). Name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command. |
| default | (Optional) Specifies the name of the list of methods created with the aaa authentication ppp command. |
Defaults
PPP authentication is not enabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. This command was corrected to include the possibility of specifying three protocols simultaneously. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
When you enable CHAP or PAP authentication (or both), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a response message. The local router attempts to match the remote device's name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.
You can enable CHAP, MS-CHAP, or PAP in any order. If you enable all three methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the remote device's ability to correctly negotiate the appropriate method, and on the level of data line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.
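The difference between the two exchanges described above, as an added example that is not part of the Cisco documentation. It builds a PAP Authenticate-Request (RFC 1334 layout) and a standard CHAP challenge/response (RFC 1994, where the "encrypted value" is an MD5 hash over the identifier, the secret and the challenge), then checks what a capture of each would contain. The router names and the secret are constructed, and MS-CHAP is not covered.

```python
import hashlib
import hmac
import os
import struct

# Packet codes: PAP Authenticate-Request (RFC 1334), CHAP Challenge/Response (RFC 1994)
PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP: the name and the password travel unmodified in the packet."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """CHAP Challenge or Response: Value-Size, Value, Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_chap(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Local router side: issues challenges and verifies responses."""

    def __init__(self, name: bytes, secrets: dict):
        self.name = name
        self.secrets = secrets   # stand-in for the local username / AAA database
        self.pending = {}        # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self) -> bytes:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)   # fresh, unpredictable per attempt
        return chap_packet(CHAP_CHALLENGE, ident, self.pending[ident], self.name)

    def verify(self, response: bytes) -> bool:
        code, ident, value, name = parse_chap(response)
        challenge = self.pending.pop(ident, None)   # each challenge is single use
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_digest(ident, secret, challenge), value)


def peer_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Remote device side: hash the received challenge with the shared secret."""
    _, ident, challenge, _ = parse_chap(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, challenge), name)


def demo() -> dict:
    secret = b"constructed-secret"                      # constructed sample value
    local = Authenticator(b"local-router", {b"remote-router": secret})

    first_challenge = local.challenge()
    response = peer_respond(first_challenge, b"remote-router", secret)
    accepted = local.verify(response)

    # The same captured response presented against the next challenge:
    # the digest no longer matches because the challenge value changed.
    second_challenge = local.challenge()
    _, second_id, _, _ = parse_chap(second_challenge)
    stale = response[:1] + bytes([second_id]) + response[2:]
    stale_accepted = local.verify(stale)

    pap = pap_authenticate_request(1, b"remote-router", secret)
    return {
        "chap_accepted": accepted,
        "chap_stale_accepted": stale_accepted,
        "secret_visible_in_chap": secret in response,
        "secret_visible_in_pap": secret in pap,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is the reason to list chap ahead of pap in ppp authentication whenever the remote device can negotiate it.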
Note If you use a list-name value that was not configured with the aaa authentication ppp command, then authentication does not complete successfully and the line does not come up.
Table 86 lists the protocols used to negotiate PPP authentication.
Table 86 PPP Authentication Protocols for Negotiation
| Keyword | Description |
|---|---|
| chap | Enables CHAP on an interface. |
| ms-chap | Enables Microsoft's version of CHAP (MS-CHAP) on an interface. |
| pap | Enables PAP on an interface. |
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication. In this case, authentication occurs between a personal computer using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
Enabling or disabling PPP authentication does not affect the local router authenticating itself to the remote device.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| aaa | read, write |
Examples
In the following example, CHAP is enabled on POS 0/4/0/1 and uses the authentication list MIS-access:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/4/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp authentication chap MIS-access
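A configuration check for the points made in the usage guidelines above, as an added example that is not Cisco tooling. It reads a saved configuration and reports PPP interfaces with no ppp authentication line, interfaces that request or fall back to PAP, and interfaces that reference a list-name never created with aaa authentication ppp. The sample configuration, its indentation layout, the `aaa authentication ppp <list-name> <methods>` line form, the WAN-access list name and the finding labels are assumptions made for the example.

```python
import re

PROTOCOLS = {"chap", "ms-chap", "pap"}   # keywords from Table 86

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """\
aaa authentication ppp MIS-access group radius local
!
interface POS0/4/0/1
 encapsulation ppp
 ppp authentication chap MIS-access
!
interface POS0/3/0/1
 encapsulation ppp
 ppp authentication pap chap
!
interface POS0/1/0/1
 encapsulation ppp
!
interface POS0/2/0/0
 encapsulation ppp
 ppp authentication chap ms-chap WAN-access
!
"""


def parse(config: str):
    """Return (set of AAA PPP list names, {interface: [sub-commands]})."""
    aaa_lists, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        top_level = not raw.startswith(" ")
        if top_level:
            current = None                      # a top-level line closes the block
        m = re.match(r"aaa authentication ppp (\S+)", line)
        if top_level and m:
            aaa_lists.add(m.group(1))
            continue
        m = re.match(r"interface\s+(.+)", line)
        if top_level and m:
            current = interfaces.setdefault(m.group(1), [])
            continue
        if current is not None and line and line != "!":
            current.append(line)
    return aaa_lists, interfaces


def split_auth(line: str):
    """Split 'ppp authentication protocol [protocol [protocol]] [list-name | default]'."""
    tokens = line.split()[2:]
    protocols = []
    while tokens and tokens[0] in PROTOCOLS and len(protocols) < 3:
        protocols.append(tokens.pop(0))
    # With no list name the system uses the default list.
    return protocols, (tokens[0] if tokens else "default")


def audit(config: str):
    aaa_lists, interfaces = parse(config)
    findings = []
    for name, lines in interfaces.items():
        if "encapsulation ppp" not in lines:
            continue
        auth = [l for l in lines if l.startswith("ppp authentication ")]
        if not auth:
            # Default: PPP authentication is not enabled, so the peer is never challenged.
            findings.append((name, "no-peer-authentication"))
            continue
        protocols, list_name = split_auth(auth[-1])
        if "pap" in protocols:
            # PAP sends the username and password as clear text.
            tag = "pap-requested-first" if protocols[0] == "pap" else "pap-fallback-allowed"
            findings.append((name, tag))
        if list_name != "default" and list_name not in aaa_lists:
            # Undefined list: authentication cannot complete and the line stays down.
            findings.append((name, "undefined-aaa-list:" + list_name))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```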
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP. |
| encapsulation | Sets the encapsulation method used by the interface. |
| username | Configures a new user with a username, establishes a password, and grants permissions for the user. |
ppp chap password
To enable a router calling a collection of routers to configure a common Challenge Handshake Authentication Protocol (CHAP) secret password, use the ppp chap password command in interface configuration mode. To disable the password, use the no form of this command.
ppp chap password [clear | encrypted] password
no ppp chap password [clear | encrypted] password
Syntax Description
| Keyword or argument | Description |
|---|---|
| clear | (Optional) Specifies that the password is entered in cleartext. |
| encrypted | (Optional) Indicates that the password is already encrypted. |
| password | Cleartext or already-encrypted password. |
Defaults
The password is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp chap password command is sent in CHAP responses and is used by the peer to authenticate the local router. This does not affect local authentication of the peer. This command is useful for routers that do not support this command (such as routers running older Cisco IOS XR software images).
The CHAP secret password is used by the routers in response to challenges from an unknown peer.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| aaa | read, write |
Examples
In the following example, a password (xxxx) is entered as a cleartext password:
RP/0/RP0/CPU0:router(config-if)# ppp chap password xxxx
When the password is displayed (as shown in the following example, using the show running-config command), the password xxxx appears as 030752180500:
RP/0/RP0/CPU0:router(config)# show running-config interface POS 1/0/1/0
description Connected to P1_CRS-8 POS 0/1/4/3
ipv4 address 10.12.32.2 255.255.255.0
ppp authentication chap pap
ppp chap password encrypted 030752180500
On subsequent logins, entering any of the three following commands would have the same effect of making xxxx the password for remote CHAP authentication:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 1/0/1/0
RP/0/RP0/CPU0:router(config-if)# ppp chap password xxxx
RP/0/RP0/CPU0:router(config-if)# ppp chap password clear xxxx
RP/0/RP0/CPU0:router(config-if)# ppp chap password encrypted 1514190900
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces running PPP. |
| ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface. |
| ppp chap refuse | Refuses CHAP authentication from peers requesting it. |
| ppp max-bad-auth | Configures a PPP interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries. |
| show running-config | Displays the contents of the currently running configuration file or the configuration for a specific interface, or map class information. |
ppp chap refuse
To refuse Challenge Handshake Authentication Protocol (CHAP) authentication from peers requesting it, use the ppp chap refuse command in interface configuration mode. To allow CHAP authentication, use the no form of this command.
ppp chap refuse
no ppp chap refuse
Syntax Description
This command has no arguments or keywords.
Defaults
CHAP authentication is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp chap refuse command specifies that CHAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using CHAP are refused.
If outbound Password Authentication Protocol (PAP) has been configured (using the ppp authentication command), PAP is suggested as the authentication method in the refusal packet.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| aaa | read, write |
Examples
The following example shows how to specify POS interface 0/3/0/1 and disable CHAP authentication from occurring if a peer calls in requesting CHAP authentication. The method of encapsulation on the interface is PPP.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp chap refuse
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces running PPP. |
| ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface. |
| ppp max-bad-auth | Configures a PPP interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries. |
| ppp pap sent-username password | Enables remote PAP support for an interface, and includes the sent-username and password commands in the PAP authentication request packet to the peer. |
ppp max-bad-auth
To configure a PPP interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries, use the ppp max-bad-auth command in interface configuration mode. To reset to the default of immediate reset, use the no form of this command.
ppp max-bad-auth retries
no ppp max-bad-auth
Syntax Description
| Keyword or argument | Description |
|---|---|
| retries | Number of retries after which the interface is to reset itself. Range is from 0 to 10. Default is 0 retries. |
Defaults
retries: 0
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp max-bad-auth command applies to any interface on which PPP encapsulation is enabled.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| aaa | read, write |
Examples
In the following example, POS interface 0/3/0/1 is set to allow two additional retries after an initial authentication failure (for a total of three failed authentication attempts):
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp authentication chap
RP/0/RP0/CPU0:router(config-if)# ppp max-bad-auth 3
Related Commands
| Command | Description |
|---|---|
| ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface. |
| ppp chap password | Enables a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS XR software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer. |
| ppp chap refuse | Refuses CHAP authentication from peers requesting it. |
| ppp pap refuse | Refuses PAP authentication from peers requesting it. |
| ppp pap sent-username password | Enables remote PAP support for an interface and includes the sent-username and password commands in the PAP authentication request packet to the peer. |
ppp max-configure
To specify the maximum number of configure requests to attempt (without response) before stopping the requests, use the ppp max-configure command in interface configuration mode. To disable the maximum number of configure requests and return to the default, use the no form of this command.
ppp max-configure retries
no ppp max-configure
Syntax Description
| Keyword or argument | Description |
|---|---|
| retries | Maximum number of retries. Range is 4 through 20. Default is 10. |
Defaults
retries: 10
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
Use the ppp max-configure command to specify how many times an attempt is made to establish a Link Control Protocol (LCP) session between two peers for a particular interface. If a configure request message receives a reply before the maximum number of configure requests are sent, further configure requests are abandoned.
Examples
In the following example, a limit of four configure requests is specified:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp max-configure 4
Related Commands
| Command | Description |
|---|---|
| encapsulation ppp | Enables encapsulation for communication with routers or bridges using PPP. |
| ppp max-failure | Configures the maximum number of CONFNAKs to permit before terminating a negotiation. |
| ppp max-terminate | Configures the maximum number of terminate requests to send without reply before closing down the LCP or NCP. |
ppp max-failure
To configure the maximum number of consecutive Configure Negative Acknowledgments (CONFNAKs) to permit before terminating a negotiation, use the ppp max-failure command in interface configuration mode. To disable the maximum number of CONFNAKs and return to the default, use the no form of this command.
ppp max-failure retries
no ppp max-failure
Syntax Description
| Keyword or argument | Description |
|---|---|
| retries | Maximum number of CONFNAKs to permit before terminating a negotiation. Range is from 2 to 10. Default is 5. |
Defaults
retries: 5
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
Examples
The following ppp max-failure command specifies that no more than three CONFNAKs are permitted before terminating the negotiation:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp max-failure 3
Related Commands
| Command | Description |
|---|---|
| encapsulation ppp | Enables encapsulation for communication with routers or bridges using PPP. |
| ppp max-configure | Specifies the maximum number of configure requests to attempt (without response) before stopping the requests. |
| ppp max-terminate | Configures the maximum number of terminate requests to send without reply before closing down the LCP or NCP. |
ppp max-terminate
To configure the maximum number of terminate requests (TermReqs) to send without reply before closing down the Link Control Protocol (LCP) or Network Control Protocol (NCP), use the ppp max-terminate command in interface configuration mode. To disable the maximum number of TermReqs and return to the default, use the no form of this command.
ppp max-terminate number
no ppp max-terminate
Syntax Description
| Keyword or argument | Description |
|---|---|
| number | Maximum number of TermReqs to send without reply before closing down the LCP or NCP. Range is from 2 to 10. Default is 2. |
Defaults
number: 2
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
Examples
In the following example, a maximum of five TermReqs are specified to be sent before terminating and closing LCP or NCP:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp max-terminate 5
Related Commands
| Command | Description |
|---|---|
| ppp max-configure | Specifies the maximum number of configure requests to attempt (without response) before stopping the requests. |
| ppp max-failure | Configures the maximum number of CONFNAKs to permit before terminating a negotiation. |
ppp ms-chap password
To enable a router calling a collection of routers to configure a common Microsoft Challenge Handshake Authentication (MS-CHAP) secret password, use the ppp ms-chap password command in interface configuration mode. To disable the password, use the no form of this command.
ppp ms-chap password [clear | encrypted] password
no ppp ms-chap password [clear | encrypted] password
Syntax Description
| Keyword or argument | Description |
|---|---|
| clear | (Optional) Specifies that the password is entered in cleartext. |
| encrypted | (Optional) Indicates that the password is already encrypted. |
| password | Cleartext or already-encrypted password. |
Defaults
The password is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 3.3.0 | This command was introduced on the Cisco CRS-1 router and the Cisco XR 12000 Series Router. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp ms-chap password command is sent in CHAP responses and is used by the peer to authenticate the local router. This does not affect local authentication of the peer. The ppp ms-chap password command is useful for routers that do not support this command (such as routers running older Cisco IOS XR software images).
The MS-CHAP secret password is used by the routers in response to challenges from an unknown peer.
Examples
The following example shows how to enter a password (xxxx) as a cleartext password:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp ms-chap password clear xxxx
ppp ms-chap refuse
To refuse Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication from peers requesting it, use the ppp ms-chap refuse command in interface configuration mode. To allow MS-CHAP authentication, use the no form of this command.
ppp ms-chap refuse
no ppp ms-chap refuse
Syntax Description
This command has no arguments or keywords.
Defaults
MS-CHAP authentication is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 3.3.0 | This command was introduced on the Cisco CRS-1 router and the Cisco XR 12000 Series Router. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp ms-chap refuse command specifies that MS-CHAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using MS-CHAP are refused.
If outbound Password Authentication Protocol (PAP) has been configured (using the ppp authentication command), PAP is suggested as the authentication method in the refusal packet.
Examples
The following example shows how to specify POS interface 0/3/0/1 and disable MS-CHAP authentication from occurring if a peer calls in requesting MS-CHAP authentication. The method of encapsulation on the interface is PPP.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp ms-chap refuse
ppp pap refuse
To refuse Password Authentication Protocol (PAP) authentication from peers requesting it, use the ppp pap refuse command in interface configuration mode. To allow PAP authentication, use the no form of this command.
ppp pap refuse
no ppp pap refuse
Syntax Description
This command has no arguments or keywords.
Defaults
PAP authentication is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp pap refuse command specifies that PAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using PAP are refused.
If outbound Challenge Handshake Authentication Protocol (CHAP) has been configured (using the ppp authentication command), CHAP is suggested as the authentication method in the refusal packet.
| Task ID | Operations |
|---|---|
| ppp | read, write |
| aaa | read, write |
Examples
The following example shows how to specify POS 0/3/0/1 using PPP encapsulation on the interface. This example shows PAP authentication being specified as disabled if a peer calls in requesting PAP authentication.
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp pap refuse
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces running PPP. |
| ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface. |
| ppp max-bad-auth | Configures a PPP interface not to reset itself immediately after an authentication failure but instead to allow a specified number of authentication retries. |
| ppp pap sent-username password | Enables remote PAP support for an interface, and includes the sent-username and password commands in the PAP authentication request packet to the peer. |
ppp pap sent-username password
To enable remote Password Authentication Protocol (PAP) support for an interface, and to use the values specified for username and password in the PAP authentication request, use the ppp pap sent-username password command in interface configuration mode. To disable remote PAP support, use the no form of this command.
ppp pap sent-username username password [clear | encrypted] password
no ppp pap sent-username username password [clear | encrypted] password
Syntax Description
| Keyword or argument | Description |
|---|---|
| username | Username sent in the PAP authentication request. |
| clear | (Optional) Specifies that the password is entered in cleartext. |
| encrypted | (Optional) Indicates that the password is already encrypted. |
| password | Cleartext or already-encrypted password. |
Defaults
Remote PAP support is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| Release 2.0 | This command was first introduced on the Cisco CRS-1 router. |
| Release 3.0 | No modification. |
| Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router. |
| Release 3.3.0 | No modification. |
| Release 3.4.0 | No modification. |
| Release 3.5.0 | No modification. |
| Release 3.6.0 | No modification. |
| Release 3.7.0 | No modification. |
| Release 3.8.0 | No modification. |
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
Use the ppp pap sent-username password command to enable remote PAP support (for example, to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP authentication request.
You must configure the ppp pap sent-username password command for each interface.
Task ID | Operations
ppp | read, write
aaa | read, write
Examples
In the following example, the password notified is entered as a cleartext password for the username xxxx:
RP/0/RP0/CPU0:router(config-if)# ppp pap sent-username xxxx password notified
When the password is displayed (as shown in the following example, using the show running-config command), the password notified appears as 05080F1C2243:
RP/0/RP0/CPU0:router(config-if)# show running-config
description Connected to P1_CRS-8 POS 0/1/4/2
ipv4 address 10.12.32.2 255.255.255.0
ppp pap sent-username P2_CRS-8 password encrypted 05080F1C2243
On subsequent logins, entering any of the following three commands has the same effect of setting the password sent with the username xxxx for remote PAP authentication:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/1/0/0
RP/0/RP0/CPU0:router(config-if)# ppp pap sent-username xxxx password notified
RP/0/RP0/CPU0:router(config-if)# ppp pap sent-username xxxx password clear notified
RP/0/RP0/CPU0:router(config-if)# ppp pap sent-username xxxx password encrypted 1514190900
Related Commands
Command | Description
aaa authentication ppp | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces running PPP.
ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface.
ppp pap refuse | Refuses PAP authentication from peers requesting it.
ppp timeout authentication | Sets PPP authentication timeout parameters.
show running-config | Displays the contents of the currently running configuration file or the configuration for a specific interface, or map class information.
ppp timeout authentication
To set PPP authentication timeout parameters, use the ppp timeout authentication command in interface configuration mode. To reset the default value, use the no form of this command.
ppp timeout authentication seconds
no ppp timeout authentication
Syntax Description
seconds | Maximum time, in seconds, to wait for a response to an authentication packet. Range is from 3 to 30 seconds. Default is 10 seconds.
Defaults
seconds: 10
Command Modes
Interface configuration
Command History
Release | Modification
Release 2.0 | This command was first introduced on the Cisco CRS-1 router.
Release 3.0 | No modification.
Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router.
Release 3.3.0 | No modification.
Release 3.4.0 | No modification.
Release 3.5.0 | No modification.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The default authentication time is 10 seconds, which should allow time for a remote router to authenticate and authorize the connection and provide a response. However, it is also possible that it will take much less time than 10 seconds. In such cases, use the ppp timeout authentication command to lower the timeout period to improve connection times in the event that an authentication response is lost.
Note: The timeout affects connection times only if packets are lost.
Note: Although lowering the authentication timeout is beneficial if packets are lost, sending authentication requests faster than the peer can handle them results in churn and a slower connection time.
Examples
In the following example, PPP timeout authentication is set to 20 seconds:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp timeout authentication 20
Related Commands
Command | Description
aaa authentication ppp | Specifies one or more authentication, authorization, and accounting (AAA) methods for use on serial interfaces running PPP.
ppp authentication | Enables CHAP, MS-CHAP, or PAP, and specifies the order in which CHAP, MS-CHAP, and PAP authentication is selected on the interface.
ppp timeout retry
To set PPP timeout retry parameters, use the ppp timeout retry command in interface configuration mode. To reset the time value, use the no form of this command.
ppp timeout retry seconds
no ppp timeout retry
Syntax Description
seconds | Maximum time, in seconds, to wait for a response during PPP negotiation. Range is from 1 to 10 seconds. Default is 3 seconds.
Defaults
seconds: 3
Command Modes
Interface configuration
Command History
Release | Modification
Release 2.0 | This command was first introduced on the Cisco CRS-1 router.
Release 3.0 | No modification.
Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router.
Release 3.3.0 | No modification.
Release 3.4.0 | No modification.
Release 3.5.0 | No modification.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
The ppp timeout retry command is useful for setting a maximum amount of time PPP should wait for a response to any control packet it sends.
Examples
The following example shows the retry timer being set to 8 seconds:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# interface POS 0/3/0/1
RP/0/RP0/CPU0:router(config-if)# encapsulation ppp
RP/0/RP0/CPU0:router(config-if)# ppp timeout retry 8
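The following Python audit is an added example, not code from Cisco or from this page. It checks a staged configuration file for the settings covered by ppp pap refuse, ppp pap sent-username password, ppp timeout authentication, and ppp timeout retry: interfaces set to send PAP credentials (PAP carries the password over the link unprotected), passwords stored without the encrypted keyword, and timeouts outside the documented ranges. The sample configuration, interface names, and finding labels are constructed, and treating sent-username beside refuse as a conflict is an assumption of this audit.

```python
import re

# Ranges stated on this page: authentication 3-30 s, retry 1-10 s.
TIMEOUT_RANGES = {"authentication": (3, 30), "retry": (1, 10)}
PAP_SEND = re.compile(r"ppp pap sent-username (\S+) password (?:(clear|encrypted) )?\S+$")
TIMEOUT = re.compile(r"ppp timeout (authentication|retry) (\d+)$")

# Constructed staged configuration (interface names and values are made up).
SAMPLE_CONFIG = """\
interface POS0/1/0/0
 encapsulation ppp
 ppp pap sent-username P2_CRS-8 password encrypted 05080F1C2243
 ppp timeout authentication 20
!
interface POS0/3/0/1
 encapsulation ppp
 ppp pap refuse
 ppp pap sent-username lab password clear EXAMPLE-ONLY
 ppp timeout retry 12
!
"""

def split_interfaces(config):
    """Map each interface name to the stripped lines of its stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            current = None
        elif current is not None and line:
            current.append(line)
    return stanzas

def audit_ppp(config):
    """Return {interface: [finding, ...]} for PPP-encapsulated interfaces."""
    report = {}
    for name, lines in split_interfaces(config).items():
        if "encapsulation ppp" not in lines:
            continue
        notes, refuse = [], "ppp pap refuse" in lines
        for line in lines:
            pap, tmo = PAP_SEND.match(line), TIMEOUT.match(line)
            if pap:
                notes.append("pap-send-conflicts-with-refuse" if refuse else "pap-send")
                # No keyword or "clear" both mean the password is in cleartext.
                if pap.group(2) != "encrypted":
                    notes.append("cleartext-password-in-file")
            elif tmo:
                low, high = TIMEOUT_RANGES[tmo.group(1)]
                if not low <= int(tmo.group(2)) <= high:
                    notes.append(f"{tmo.group(1)}-timeout-out-of-range")
        report[name] = notes
    return report
```

The findings never include the password or username, so the report can be stored alongside other change-review records.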
Related Commands
Command | Description
keepalive | Controls how often LCP EchoRequest packets are sent after LCP has been negotiated.
ppp timeout authentication | Sets PPP authentication timeout parameters.
show ppp interfaces
To display PPP state information for an interface, use the show ppp interfaces command in EXEC mode.
show ppp interfaces {type interface-path-id | all | brief {type interface-path-id | all | location node-id} | detail {type interface-path-id | all | location node-id} | location node-id}
Syntax Description
type | Interface type. For more information, use the question mark (?) online help function.
interface-path-id | Physical interface or virtual interface. Note: Use the show interfaces command to see a list of all interfaces currently configured on the router. For more information about the syntax for the router, use the question mark (?) online help function.
all | (Optional) Displays detailed PPP information for all nodes.
brief | (Optional) Displays brief output for all interfaces on the router, for a specific POS interface instance, or for all interfaces on a specific node.
detail | (Optional) Displays detailed output for all interfaces on the router, for a specific interface instance, or for all interfaces on a specific node.
location node-id | (Optional) Displays detailed PPP information for the designated node. The node-id argument is entered in the rack/slot/module notation.
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release | Modification
Release 2.0 | This command was first introduced on the Cisco CRS-1 router.
Release 3.0 | No modification.
Release 3.2 | This command was first supported on the Cisco XR 12000 Series Router.
Release 3.3.0 | No modification.
Release 3.4.0 | No modification.
Release 3.5.0 | No modification.
Release 3.6.0 | No modification.
Release 3.7.0 | No modification.
Release 3.8.0 | No modification.
Usage Guidelines
To use this command, your Cisco IOS XR software system administrator must assign you to a user group associated with a task group that includes the corresponding command task IDs. If you need assistance with your task group assignment, contact your system administrator. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of Cisco IOS XR System Security Configuration Guide.
For the interface-path-id argument, use the following guidelines:
•If specifying a physical interface, the naming notation is rack/slot/module/port. The slash between values is required as part of the notation. An explanation of each component of the naming notation is as follows:
–rack: Chassis number of the rack.
–slot: Physical slot number of the line card.
–module: Module number. A physical layer interface module (PLIM) is always 0.
–port: Physical port number of the interface.
•If specifying a virtual interface, the number range varies, depending on interface type.
There are seven possible PPP states applicable for either the Link Control Protocol (LCP) or the Network Control Protocol (NCP).
Examples
The following example shows how to display PPP state information for POS interface 0/2/0/0:
RP/0/RP0/CPU0:router# show ppp interfaces POS 0/2/0/0
POS0/2/0/0 is up, line protocol is up
Keepalives enabled (10 sec)
Of Peer: CHAP (Completed as P1_CRS-8)
Of Us: CHAP (Completed as P2_CRS-8)
Local IPv4 address: 10.12.32.2
Peer IPv4 address: 10.12.32.1
POS0/2/4/3 is down, line protocol is down
Keepalives enabled (10 sec)
Local IPv4 address: 10.12.32.2
Peer IPv4 address: 10.12.32.1
Table 87 describes the significant fields shown in the display.
Table 87 show ppp interfaces Field Descriptions
Field | Description
LCP | Indicates the current state of LCP. LCP reports one of the following states:
•Initial—Lower layer is unavailable (Down), and no Open has occurred. The Restart timer is not running in the Initial state.
•Starting—An administrative Open has been initiated, but the lower layer is still unavailable (Down). The Restart timer is not running in the Starting state. When the lower layer becomes available (Up), a Configure-Request is sent.
•Closed—LCP is not currently trying to negotiate.
•Stopped—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received.
•Closing—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Upon reception of a Terminate-Ack, the Closed state is entered. Upon the expiration of the Restart timer, a new Terminate-Request is transmitted, and the Restart timer is restarted. After the Restart timer has expired Max-Terminate times, the Closed state is entered.
•Stopping—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Req-Sent.
•ACKsent—LCP has received a request and has replied to it.
•ACKrcvd—LCP has received a reply to a request it sent.
•Open—LCP is functioning properly.
Keepalive | Keepalive setting and interval in seconds for echo request packets.
Local MRU | Maximum receive unit. The maximum size of the information transported, in bytes, in the PPP packet received by the local equipment.
Peer MRU | Maximum receive unit. The maximum size of the information transported, in bytes, in the PPP packet received by the peer equipment.
Authentication | Type of user authentication configured on the local equipment and on the peer equipment. Possible PPP authentication protocols are Challenge Handshake Authentication Protocol (CHAP), MS-CHAP, and Password Authentication Protocol (PAP).
IPCP | IP Control Protocol (IPCP) state. The seven possible states that may be displayed are as follows:
•Initial—Lower layer is unavailable (Down), and no Open has occurred. The Restart timer is not running in the Initial state.
•Starting—An administrative Open has been initiated, but the lower layer is still unavailable (Down). The Restart timer is not running in the Starting state. When the lower layer becomes available (Up), a Configure-Request is sent.
•Closed—IPCP is not currently trying to negotiate.
•Stopped—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received.
•Closing—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Upon reception of a Terminate-Ack, the Closed state is entered. Upon the expiration of the Restart timer, a new Terminate-Request is transmitted, and the Restart timer is restarted. After the Restart timer has expired Max-Terminate times, the Closed state is entered.
•Stopping—A Terminate-Request has been sent and the Restart timer is running, but an IPCP-Ack has not yet been received. Req-Sent.
•ACKsent—IPCP has received a request and has replied to it.
•ACKrcvd—IPCP has received a reply to a request it sent.
•Open—IPCP is functioning properly.
Local IPv4 address | IPv4 address for the local interface.
Peer IPv4 address | IPv4 address for the peer equipment.
OSICP | Open System Interconnection Control Protocol (OSICP) state. The possible states that may be displayed are as follows:
•Initial—Lower layer is unavailable (Down), and no Open has occurred. The Restart timer is not running in the Initial state.
•Starting—An administrative Open has been initiated, but the lower layer is still unavailable (Down). The Restart timer is not running in the Starting state. When the lower layer becomes available (Up), a Configure-Request is sent.
•Closed—OSICP is not currently trying to negotiate.
•Stopped—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received.
•Closing—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Upon reception of a Terminate-Ack, the Closed state is entered. Upon the expiration of the Restart timer, a new Terminate-Request is transmitted, and the Restart timer is restarted. After the Restart timer has expired Max-Terminate times, the Closed state is entered.
•Stopping—A Terminate-Request has been sent and the Restart timer is running, but a Terminate-Ack has not yet been received. Req-Sent.
•ACKsent—OSICP has received a request and has replied to it.
•ACKrcvd—OSICP has received a reply to a request it sent.
•Open—OSICP is functioning properly.
Note: In this example, only IPCP and OSICP are running. If other NCPs are running, they are displayed in the show ppp interfaces command output. Possible NCPs are IPCP, OSICP, IPv6CP, MPLSCP, and CDPCP.
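As an added example (not part of the Cisco documentation), the following Python parses show ppp interfaces output in the form shown in the example above and reports interfaces whose line protocol is up but where no authentication of the peer completed or where PAP was used. The third interface in the sample and its PAP line are constructed, on the assumption that a PAP result prints in the same form as the CHAP lines; the reason labels are hypothetical.

```python
import re

HEADER = re.compile(r"^(\S+) is (.+), line protocol is (up|down)$")
AUTH = re.compile(r"^Of (Peer|Us): (\S+) \(Completed as (.+)\)$")

# First two interfaces follow the page's sample; the third is constructed.
SAMPLE_OUTPUT = """\
POS0/2/0/0 is up, line protocol is up
  Keepalives enabled (10 sec)
  Of Peer: CHAP (Completed as P1_CRS-8)
  Of Us: CHAP (Completed as P2_CRS-8)
  Local IPv4 address: 10.12.32.2
  Peer IPv4 address: 10.12.32.1
POS0/2/4/3 is down, line protocol is down
  Keepalives enabled (10 sec)
POS0/2/0/1 is up, line protocol is up
  Keepalives enabled (10 sec)
  Of Us: PAP (Completed as P2_CRS-8)
"""

def parse_show_ppp(text):
    """Return one dict per interface: name, line protocol state, auth results."""
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            current = {"name": head.group(1), "line_protocol": head.group(3), "auth": {}}
            interfaces.append(current)
            continue
        auth = AUTH.match(line)
        if auth and current is not None:
            # "Peer" = we authenticated the peer; "Us" = the peer authenticated us.
            current["auth"][auth.group(1)] = (auth.group(2), auth.group(3))
    return interfaces

def weak_auth(interfaces):
    """Flag up interfaces with an unauthenticated peer or PAP in either direction."""
    flagged = {}
    for intf in interfaces:
        if intf["line_protocol"] != "up":
            continue
        reasons = []
        if "Peer" not in intf["auth"]:
            reasons.append("peer-not-authenticated")
        for side, (proto, _identity) in sorted(intf["auth"].items()):
            if proto == "PAP":
                reasons.append(f"pap-used-of-{side.lower()}")
        if reasons:
            flagged[intf["name"]] = reasons
    return flagged
```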
Related Commands
Command | Description
encapsulation ppp | Enables encapsulation for communication with routers or bridges using PPP.
ipv4 address | Specifies an IPv4 family address.
ipv6 address | Specifies an IPv6 family address.
keepalive | Controls how often LCP EchoRequest packets are sent after LCP has been negotiated.
mtu | Specifies the MTU to be used.