PPP Authentication - PAP

PAP is a simple but not very secure authentication protocol. It sends the username and password information in clear text.

One-way authentication

On the router that asks for authentication:

R1(config)# username USER password PASS
R1(config)# interface serial0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ip address IP-ADDR1 MASK1
R1(config-if)# ppp authentication pap
R1(config-if)# no shut

On the router that is authenticating:

R2(config)# interface serial0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ip address IP-ADDR2 MASK2
R2(config-if)# ppp pap sent-username USER password PASS
R2(config-if)# no shut

This is clearly a one-way authentication. Only R2 authenticates to R1.

Two-way authentication

If two-way authentication is required, a configuration like the following should be used:

Other Settings

By default a router will always respond to an authentication request even when no username is configured to be sent, but authentication will fail. Use the following command to refuse authentication requests:

Debugging

When debugging, the best commands to use are:

See this Cisco article about debugging PPP neogtiation output