Now we know how the ISDN link comes up (interesting traffic), and some scenarios that might cause the link to stay up, we need to look at ISDN authentication schemes. The two methods Cisco certification candidates must be familiar with are PAP and CHAP.
Password Authentication Protocol (PAP) sends the username and password over the ISDN link in clear-text. Sending any passwords over any WAN link in clear-text is generally a bad idea, but it’s important to know you have this option.
Regarding both PAP and CHAP, it’s a common misunderstanding that each side must authenticate the other. PAP and CHAP both support bidirectional and unidirectional authentication; that is, R1 can authenticate R2 without R2 necessarily authenticating R1. It’s more common to use unidirectional authentication in a lab environment than a production network, but keep in mind that bidirectional authentication is an option, not a requirement.
The configurations of PAP and CHAP do have their similarities. For both, you’ll configure a username/password combination in global configuration mode. Newcomers to ISDN sometimes put the local router name in for the username; remember that the remote router name is the username.
The only real advantage of PAP over CHAP comes in the password configuration. Since PAP actually sends the password as a whole over the link, the two routers can send different passwords during authentication. The operation of CHAP requires that both routers use the same password, and we’ll see why in tomorrow’s article.
Under the BRI interface, you’ll enter encapsulation ppp and ppp authentication pap. So far, your authentication scheme looks like this:
username R2 password CCNA
Int bri0
encapsulation ppp
ppp authentication pap
PAP requires an extra command at this point. The ppp pap sent-username command is required under the interface, indicating the username and password this router will be sending to the remote router.
Int bri0
encapsulation ppp
ppp authentication pap
ppp pap sent-username R1 password CISCO
I always encourage CCNA and CCNP candidates to use as many debugs as possible when working in their lab, since these commands show us how things work. For any PPP authentication, always run debug ppp negotiation before sending interesting traffic to trigger the call. Watching exactly how PAP and CHAP work give you a much better understanding of what’s going on “behind the command”, and makes you a stronger candidate and a stronger networking engineer.
Tomorrow, we’ll take a look at CHAP, and why routers cannot use the same password on both ends of the link.
Keep studying!
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage (www.thebryantadvantage.com), home of FREE CCNA and CCNP tutorials and daily exam questions, as well as The Ultimate CCNA and CCNP Study Packages.
For a FREE copy of his latest e-books, “How To Pass The CCNA” or “How To Pass The CCNP”, and for free daily exam question, visit the website and download your copies!