Introduction to P2P Authentication: PAP and CHAP protocols briefing

Today I am going to talk about PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol), taking each one in turn.

PAP and CHAP are basic and important topics for CCNA candidates and for newcomers who are going to work on point-to-point networks.

Before starting with the PAP and CHAP protocols, note that PAP and CHAP are the authentication procedures used on point-to-point (PPP) links. If you use point-to-point links in your architecture, choose PAP or CHAP according to the design requirements.

CHAP- Challenge Handshake Authentication Protocol
CHAP conducts periodic challenges to make sure that the remote node still holds a valid shared secret. CHAP is more secure than PAP. It uses a three-way handshake that proves knowledge of a shared secret without ever sending the secret itself across the link.

The remote peer being authenticated responds with a value calculated using a one-way hash function, typically Message Digest 5 (MD5), over the secret password and the challenge message.

Fig 1.1-CHAP- Challenge Handshake Authentication Protocol

CHAP provides protection against playback (replay) attacks by using a variable challenge value that is unique and unpredictable. Because the challenge is unique and random, the resulting hash value is also unique and unpredictable, so a captured response cannot be reused against a later challenge.

The use of periodically repeated challenges limits the time of exposure to any single attack and helps prevent the current connection from being hijacked by an intermediate device. The local router or a third-party authentication server controls the frequency and timing of the challenges.

The difference is clear: in PAP the authentication exchange is plain text, while in CHAP it is an MD5-based challenge/response. PAP sends the credentials and gets a reply back, while CHAP uses a three-way handshake. Many enterprise networks always use CHAP when setting up point-to-point links with authentication.
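To make the three-way exchange and the replay protection described above concrete, here is an added example (not code from the original article) that implements the CHAP Challenge and Response packet format and the MD5 computation from RFC 1994 in Python. The router name NDNA and the secret "cisco" are taken from the article's configuration as constructed sample values; the peer name REMOTE is an assumption. Success/Failure packets are left out to keep the focus on the hash.

```python
import hashlib
import hmac
import os

# CHAP packet codes from RFC 1994 (Success = 3 and Failure = 4 are omitted here)
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || Secret || Challenge, exactly as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response layout: Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(value)]) + value + name
    length = 4 + len(body)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + body


def parse_packet(pkt: bytes):
    """Return (code, identifier, value, name); rejects truncated or mis-sized packets."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    value_size = pkt[4]
    value = pkt[5:5 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated Value field")
    return code, identifier, value, pkt[5 + value_size:]


class Authenticator:
    """The local router: holds the peers' secrets and controls when challenges go out."""

    def __init__(self, name: bytes, secrets: dict):
        self.name = name
        self.secrets = secrets        # peer name -> shared secret (constructed sample store)
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge that has not been answered yet

    def challenge(self) -> bytes:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)         # fresh, unpredictable challenge value every time
        self.outstanding[self.identifier] = chal
        return build_packet(CHAP_CHALLENGE, self.identifier, chal, self.name)

    def verify(self, response_pkt: bytes) -> bool:
        code, identifier, value, name = parse_packet(response_pkt)
        chal = self.outstanding.pop(identifier, None)   # each challenge may be answered once
        if code != CHAP_RESPONSE or chal is None:
            return False
        secret = self.secrets.get(name.decode("ascii", "replace"))
        if secret is None:
            return False
        expected = chap_response_value(identifier, secret, chal)
        return hmac.compare_digest(expected, value)     # constant-time comparison


def peer_respond(challenge_pkt: bytes, my_name: bytes, secret: bytes) -> bytes:
    """The remote node: hash the challenge with the secret; the secret itself never leaves."""
    code, identifier, chal, _authenticator_name = parse_packet(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge packet")
    return build_packet(CHAP_RESPONSE, identifier,
                        chap_response_value(identifier, secret, chal), my_name)


def run_handshake(peer_secret: bytes, authenticator_secret: bytes) -> dict:
    """Three-way exchange: Challenge -> Response -> accept/reject. Returns the wire bytes too."""
    auth = Authenticator(b"NDNA", {"REMOTE": authenticator_secret})
    challenge_pkt = auth.challenge()
    response_pkt = peer_respond(challenge_pkt, b"REMOTE", peer_secret)
    return {"ok": auth.verify(response_pkt),
            "challenge": challenge_pkt, "response": response_pkt}


def replayed_response_is_rejected() -> bool:
    """Playback protection: a captured valid Response fails once a new challenge is issued."""
    auth = Authenticator(b"NDNA", {"REMOTE": b"cisco"})
    captured = peer_respond(auth.challenge(), b"REMOTE", b"cisco")
    accepted_once = auth.verify(captured)   # the genuine exchange succeeds
    auth.challenge()                        # periodic re-challenge with a new random value
    replayed = auth.verify(captured)        # the old response no longer matches anything
    return accepted_once and not replayed


if __name__ == "__main__":
    print("matching secrets:", run_handshake(b"cisco", b"cisco")["ok"])
    print("replay rejected:", replayed_response_is_rejected())
```

Two details matter in practice: the authenticator must keep the secret in a form it can feed to MD5, so CHAP secrets are stored reversibly on the router or AAA server, and MD5 here is a keyed one-way function that hides the secret from a passive observer but offers no protection against offline guessing of a weak secret once a challenge/response pair has been captured.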

Below is the configuration of the CHAP protocol:
NDNA#configure terminal
NDNA(config)#interface serial 0/0/0 
NDNA(config-if)#encapsulation ppp
NDNA(config-if)#ppp authentication chap
NDNA(config-if)#clock rate 56000

PAP- Password Authentication Protocol
PAP is a password-based authentication protocol used by the Point-to-Point Protocol (PPP) to validate users. PAP is generally considered a very basic two-way process. There is no encryption: the username and password are sent in plain text. If they are accepted, the connection is allowed.

The authentication phase of a PPP session is optional. If it is used, the peer is authenticated after LCP has established the link and the authentication protocol has been chosen, and authentication takes place before the Network-layer protocol configuration phase begins.

Fig 1.2- PAP- Password Authentication Protocol

The authentication options require that the calling side of the link supply authentication information. This helps to ensure that the user has the network administrator's permission to make the call. Peer routers exchange authentication messages.

As I said earlier, PAP is not a strong authentication protocol. With PAP, passwords are sent across the link in clear text, and there is no protection from playback or repeated trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

In other words, PAP is not interactive. When the ppp authentication pap command is used, the username and password are sent as one LCP data packet, rather than the server sending a login prompt and waiting for a response. After PPP completes the link establishment phase, the remote node repeatedly sends a username-password pair across the link until the receiving node acknowledges it or terminates the connection.

At the receiving node, the username-password pair is checked by an authentication server that either allows or denies the connection. An accept or reject message is returned to the requester.
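The non-interactive request/ack/nak round trip just described can be seen end to end in this added Python example (not code from the original article), which builds and parses PAP packets as laid out in RFC 1334. The username NDNA and password "cisco" come from the article's sent-username command and are used purely as constructed sample values; the salted-hash credential store on the authenticator side is an assumption of this example, not something the page configures.

```python
import hashlib
import hmac
import os

# PAP packet codes from RFC 1334
PAP_AUTH_REQUEST = 1
PAP_AUTH_ACK = 2
PAP_AUTH_NAK = 3

PBKDF2_ROUNDS = 50_000   # assumed work factor for the constructed credential store


def build_auth_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code Identifier Length Peer-ID-Length Peer-ID Passwd-Length Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)
    return bytes([PAP_AUTH_REQUEST, identifier]) + length.to_bytes(2, "big") + body


def parse_auth_request(pkt: bytes):
    """Return (identifier, peer_id, password). The password field is not protected in any way."""
    if len(pkt) < 6 or pkt[0] != PAP_AUTH_REQUEST:
        raise ValueError("not a PAP Authenticate-Request")
    identifier = pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    id_len = pkt[4]
    peer_id = pkt[5:5 + id_len]
    pw_off = 5 + id_len
    if pw_off >= length:
        raise ValueError("truncated Peer-ID")
    pw_len = pkt[pw_off]
    password = pkt[pw_off + 1:pw_off + 1 + pw_len]
    if pw_off + 1 + pw_len != length:
        raise ValueError("truncated Password")
    return identifier, peer_id, password


def build_result(code: int, identifier: int, message: bytes) -> bytes:
    """Authenticate-Ack / Authenticate-Nak: Code Identifier Length Msg-Length Message."""
    body = bytes([len(message)]) + message
    length = 4 + len(body)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + body


def make_credential(password: bytes) -> tuple:
    """Because PAP delivers the clear-text password, the server can store only a salted hash
    (unlike CHAP, where the authenticator must keep the secret in reversible form)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


class PapAuthenticator:
    """The receiving node: checks the pair and answers with Ack or Nak."""

    def __init__(self, credentials: dict):
        self.credentials = credentials    # peer_id -> (salt, pbkdf2 hash); constructed store

    def handle(self, request: bytes) -> bytes:
        identifier, peer_id, password = parse_auth_request(request)
        entry = self.credentials.get(peer_id.decode("ascii", "replace"))
        if entry is not None:
            salt, stored = entry
            candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, stored):
                return build_result(PAP_AUTH_ACK, identifier, b"Welcome")
        return build_result(PAP_AUTH_NAK, identifier, b"Authentication failed")


def pap_exchange(peer_id: bytes, password: bytes, server: PapAuthenticator) -> dict:
    """One non-interactive PAP round trip: the peer sends the pair, the server answers."""
    request = build_auth_request(0x2A, peer_id, password)   # identifier chosen arbitrarily
    reply = server.handle(request)
    return {"accepted": reply[0] == PAP_AUTH_ACK, "request": request, "reply": reply}


if __name__ == "__main__":
    server = PapAuthenticator({"NDNA": make_credential(b"cisco")})
    outcome = pap_exchange(b"NDNA", b"cisco", server)
    print("accepted:", outcome["accepted"])
    print("request bytes on the wire:", outcome["request"].hex())
```

Running parse_auth_request on the request bytes gives back the username and password verbatim, which is exactly what any device on the link path sees; that, rather than anything about the server's checking, is why the article recommends CHAP wherever the link itself cannot be trusted.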

Below is the basic PAP configuration on the router interface:
NDNA(config-if)#ip address
NDNA(config-if)#no shutdown
NDNA(config-if)#encapsulation ppp
NDNA(config-if)#ppp authentication pap
NDNA(config-if)#ppp pap sent-username NDNA password cisco
NDNA(config-if)#clock rate 56000