PPP Authentication - PAP
PAP is a simple but not very secure authentication protocol. It sends the username and password information in clear text.

One-way authentication

On the router that asks for authentication:
1
R1(config)# username USER password PASS
2
R1(config)# interface serial0/0
3
R1(config-if)# encapsulation ppp
4
R1(config-if)# ip address IP-ADDR1 MASK1
5
R1(config-if)# ppp authentication pap
6
R1(config-if)# no shut
Copied!
On the router that is authenticating:
1
R2(config)# interface serial0/0
2
R2(config-if)# encapsulation ppp
3
R2(config-if)# ip address IP-ADDR2 MASK2
4
R2(config-if)# ppp pap sent-username USER password PASS
5
R2(config-if)# no shut
Copied!
This is clearly a one-way authentication. Only R2 authenticates to R1.

Two-way authentication

If two-way authentication is required, a configuration like the following should be used:
1
! On R1:
2
R1(config)# username USER1 password PASS1
3
R1(config)# interface serial0/0
4
R1(config-if)# encapsulation ppp
5
R1(config-if)# ip address IP-ADDR1 MASK1
6
R1(config-if)# ppp authentication pap
7
R1(config-if)# ppp pap sent-username USER2 password PASS2
8
R1(config-if)# no shut
9
! On R2:
10
R1(config)# username USER2 password PASS2
11
R2(config)# interface serial0/0
12
R2(config-if)# encapsulation ppp
13
R2(config-if)# ip address IP-ADDR2 MASK2
14
R2(config-if)# ppp authentication pap
15
R2(config-if)# ppp pap sent-username USER1 password PASS1
16
R2(config-if)# no shut
Copied!

Other Settings

By default a router will always respond to an authentication request even when no username is configured to be sent, but authentication will fail. Use the following command to refuse authentication requests:
1
R(config-if)#ppp pap refuse
Copied!

Debugging

When debugging, the best commands to use are:
1
R# debug ppp negotiation
2
R# debug ppp authentication
Copied!
See this Cisco article about debugging PPP neogtiation output