
PAP and CHAP

Enable PPP encapsulation and PAP authentication with the following commands:

Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication pap

You must also configure the router with a local username/password database, or point it to a network host that has that information (such as a TACACS+ server). Without access to a username/password database, the router won't know which combinations are authorized and will deny all login attempts.

You can configure a local username/password database by using the following command in global configuration mode:

Router(config)#username username password password

In some cases, you must also configure a router's asynchronous interface to place calls to other access servers. If you want to configure an interface to respond to a peer's request to authenticate with PAP, you must use the ppp pap sent-username command:

Router(config-if)#ppp pap sent-username username password password

Configuring CHAP

When using CHAP authentication, the access server sends a challenge message to the remote node after the PPP link is established. The remote node responds with a value calculated by using a one-way hash function, typically Message Digest 5 (MD5). The access server checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged.
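The challenge/response exchange described above, as an added example that is not part of the original text or any Cisco code: the server issues a challenge, the client answers with MD5(Identifier || Secret || Challenge) as RFC 1994 specifies, and the server compares that with its own calculation against its local username database (here the "Client" / "itsasecret" entry used later in this deck). The class and message names (ChapServer, ChapClient, the dict-based messages) are assumptions chosen for readability; they are a simplified model, not the PPP wire format.

```python
import hashlib
import hmac
import os

# Local username/password database, as created by the
# "username Client password itsasecret" command on the server.
LOCAL_USERS = {"Client": b"itsasecret"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Access server side: sends the challenge, verifies the response."""

    def __init__(self, name, users):
        self.name = name
        self.users = users
        self._identifier = 0
        self._outstanding = None  # (identifier, challenge) we are waiting on

    def send_challenge(self):
        # A fresh random challenge and a new identifier for every attempt,
        # so a captured response cannot be replayed against a later challenge.
        self._identifier = (self._identifier + 1) % 256
        challenge = os.urandom(16)
        self._outstanding = (self._identifier, challenge)
        return {"code": "Challenge", "id": self._identifier,
                "value": challenge, "name": self.name}

    def check_response(self, msg):
        if self._outstanding is None or msg["id"] != self._outstanding[0]:
            return {"code": "Failure", "id": msg["id"]}
        identifier, challenge = self._outstanding
        self._outstanding = None  # each challenge may be answered only once
        secret = self.users.get(msg["name"])
        if secret is None:
            # Unknown peer: no entry in the local database, deny.
            return {"code": "Failure", "id": identifier}
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison of the two 16-byte digests.
        if hmac.compare_digest(expected, msg["value"]):
            return {"code": "Success", "id": identifier}
        return {"code": "Failure", "id": identifier}


class ChapClient:
    """Remote node side: answers a challenge without ever sending the secret."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def answer(self, challenge_msg):
        return {"code": "Response", "id": challenge_msg["id"],
                "value": chap_response(challenge_msg["id"], self.secret,
                                       challenge_msg["value"]),
                "name": self.name}


def authenticate(server, client):
    """Run one full exchange and return the server's verdict ("Success"/"Failure")."""
    challenge = server.send_challenge()
    response = client.answer(challenge)
    return server.check_response(response)["code"]


if __name__ == "__main__":
    server = ChapServer("Server", LOCAL_USERS)
    print(authenticate(server, ChapClient("Client", b"itsasecret")))  # Success
    print(authenticate(server, ChapClient("Client", b"wrongpass")))   # Failure
```

Two points worth noticing: the secret itself never crosses the link (unlike PAP, which sends the username and password in the clear), but both ends must hold the same secret in a recoverable form, so the local username database on the access server is itself a sensitive asset. The per-challenge identifier and random value are what stop an observed response from being reused.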

Configure PPP and CHAP authentication using the following commands:

Router(config-if)#encapsulation ppp
Router(config-if)#ppp authentication chap

You can enable both PAP and CHAP authentication on an interface. The first method specified is requested during link negotiation. If the peer suggests using the second method or simply refuses the first method, then the second method will be tried.

This command can be useful, because some remote devices support CHAP only and some PAP only. The commands are as follows:

Router(config-if)#ppp authentication pap chap

And, alternately:

Router(config-if)#ppp authentication chap pap

PPP Callback

PPP callback is an LCP option used over dialup links. PPP callback provides a client/server relationship between the endpoints of a point-to-point connection. PPP callback allows a dialup client to request that a dialup server call the client back. The callback feature can be used to control access and toll costs between hosts.

Both routers on a point-to-point link must be configured for PPP callback; one must function as a callback client, and one must be configured as a callback server. The callback client must be configured to initiate PPP callback requests, and the callback server must be configured to accept PPP callback requests and place return calls.

The asynchronous callback feature supports EXEC, PPP, and ARAP sessions. The main motivation for callback is for telephone bill consolidation and dialup cost savings. It is not necessarily a security feature; however, if the callback number is assigned in the authentication database, security is enforced because callbacks are made only to assigned telephone numbers.

The incoming calls go through the normal login process and must pass authentication before callback can occur. To make callback work properly, you must make sure that callback is configured for each autoselect protocol that is defined for any given remote user. Otherwise, the remote dial-in autoselect process may work, but no callback occurs.

To configure a router as a callback server, use the commands shown:

Server(config)#interface async 1
Server(config-if)#ip address 10.1.1.1 255.255.255.0
Server(config-if)#encapsulation ppp
Server(config-if)#ppp authentication chap

Note that to use callback, you must also use PPP authentication. The asynchronous interface can then be configured with basic DDR commands:

Server(config-if)#dialer in-band
Server(config-if)#dialer-group 1

Finally, PPP callback is configured with these commands:

Server(config)#username Client password itsasecret
Server(config)#map-class dialer DIALBACK
Server(config-map-class)#dialer callback-server username
Server(config-map-class)#exit

The username command creates an entry for the remote host in the Server's local password database. The map-class command creates a dialer configuration called DIALBACK that can be applied to calls on an individual basis with the dialer map command.

In this case, DIALBACK will apply the dialer callback-server username command, which enables an interface to make return calls when callback is successfully negotiated.

PPP callback configuration is completed by the following required commands:

Server(config)#interface async 1
Server(config-if)#ppp callback accept
Server(config-if)#dialer map ip 10.1.1.2 name Client class DIALBACK modem-script hayes56k broadcast 5556002

The ppp callback accept command enables PPP callback. The dialer map statement links the callback client's IP address, username, phone number, and DIALBACK map class (thus applying the dialer callback-server username configuration). Note that a dialup interface cannot be configured to be both a callback server and a callback client simultaneously.

Server(config-if)#dialer callback-secure

This command affects those users that are not authorized to be called back with the dialer callback-server command. If the username (as specified in the dialer map command) is not authorized for callback, the call will be disconnected if the dialer callback-secure command is configured.

If the dialer callback-secure command is not configured, the call will not be disconnected. In either case, callback has not occurred.

Configuring the Callback Client

Configuring a router as a callback client requires the ppp callback request command, as shown in Figure 1.

Data Compression

PPP can also maximize performance by using data compression, which may provide higher data throughput across low-speed links. Compression is an option that is negotiated by LCP.

Trying to compress already compressed data can take longer than transferring the data without compression. Typically, you should only configure compression on low-speed links because the router compresses data using software, which requires router CPU time and memory.

Cisco recommends that you disable compression if CPU load exceeds 65 percent. To display the CPU load, use the show process cpu command. To display memory utilization, use the show processes memory command.

Predictor compression is recommended when the bottleneck is caused by high load on the router; Stacker compression is recommended when the bottleneck is caused by a line's bandwidth limitations. Configuring PPP for compression is simple: in interface configuration mode, issue the compress predictor, compress stac, compress mppc, or ip tcp header-compression command on both sides of the link.

Configure TCP header compression using the command: ip tcp header-compression. Optionally, the ip tcp header-compression passive command specifies that TCP header compression is not required, but will be used if the router receives compressed headers from its link partner. You can use the show compress command in privileged EXEC mode to view compression statistics.

PPP MULTILINK

Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces, including ISDN, synchronous, and asynchronous interfaces. MLP can improve throughput and reduce latency between systems by splitting Layer 3 packets and sending the fragments over parallel circuits.

It is important to remember that MLP works by splitting packets into fragments, not by load-balancing complete packets to a destination. Prior to the adoption of MLP there was no standardized way to use both of the ISDN BRI B channels and ensure proper sequencing.
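The fragment-and-sequence behaviour the two paragraphs above describe, as an added illustration that is not part of the original text or of any Cisco implementation: a packet is cut into fragments, each carrying a sequence number and begin/end flags (the same idea as the RFC 1990 fragment header, though the dict layout here is a simplified model, not the wire encoding), the fragments are spread round-robin over parallel member links such as two B channels, and the receiver uses the sequence numbers to put them back in order even when one link delivers first. The function names and the two constructed sample packets are assumptions made for this example.

```python
import itertools


def fragment_packet(packet, max_frag, seq_counter):
    """Split one Layer 3 packet into MLP-style fragments.

    Each fragment carries a bundle-wide sequence number and begin/end flags,
    which is what lets the far end reorder fragments from several links.
    """
    pieces = [packet[i:i + max_frag] for i in range(0, len(packet), max_frag)] or [b""]
    return [
        {"seq": next(seq_counter),
         "begin": idx == 0,
         "end": idx == len(pieces) - 1,
         "payload": piece}
        for idx, piece in enumerate(pieces)
    ]


def spread_over_links(frags, num_links):
    """Round-robin fragments across the member links of the bundle."""
    links = [[] for _ in range(num_links)]
    for i, frag in enumerate(frags):
        links[i % num_links].append(frag)
    return links


def reassemble(received, first_seq):
    """Reorder received fragments by sequence number and rebuild the packets.

    A gap in the sequence means a fragment was lost on one of the links, so the
    receiver cannot hand up a complete packet; that is reported as ValueError.
    """
    ordered = sorted(received, key=lambda f: f["seq"])
    packets, current, next_seq = [], None, first_seq
    for frag in ordered:
        if frag["seq"] != next_seq:
            raise ValueError(f"sequence gap: expected {next_seq}, got {frag['seq']}")
        next_seq += 1
        if frag["begin"]:
            current = bytearray()
        if current is None:
            raise ValueError("fragment received without a begin fragment")
        current += frag["payload"]
        if frag["end"]:
            packets.append(bytes(current))
            current = None
    return packets


def demo(max_frag=4, num_links=2):
    """Send two constructed packets over a two-link bundle where the second
    link happens to deliver everything before the first; return what the
    receiver reassembles."""
    packets = [b"A" * 10, b"B" * 7]  # constructed sample packets
    seq = itertools.count(0)
    frags = [f for p in packets for f in fragment_packet(p, max_frag, seq)]
    links = spread_over_links(frags, num_links)
    # Simulate out-of-order arrival: the last link drains first.
    received = [f for link in reversed(links) for f in link]
    return reassemble(received, 0)


if __name__ == "__main__":
    print(demo())  # [b'AAAAAAAAAA', b'BBBBBBB']
```

Because the receiver sorts on the bundle-wide sequence number, the per-link delivery order does not matter; without that number (or with duplicate numbers across links) the two B channels could not be used together for a single flow, which is the problem the text says MLP standardised away.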

Typically, you should use MLP with applications in which bandwidth requirements are dynamic, such as remote LAN access applications for telecommuters or small office, home office (SOHO) environments. When user traffic exceeds a predefined threshold, an additional physical link (such as a B channel) can be brought up to handle the burst of traffic.

The ppp multilink command activates multilink on an interface:

Router(config-if)#ppp multilink

Verifying and Troubleshooting PPP

One way to determine whether PAP or CHAP authentication succeeded is to use the show dialer command. This command can be used to view the status of asynchronous dialup connections. If the show dialer command output displays the name of the remote router, it means that authentication was successful, as shown in the "Connected to 5551234 (SanJose1)" line in Figure 1.

You can check the show dialer command on both routers to verify that the name of the other router is displayed. If it is, then you know that PAP or CHAP authentication worked. The show dialer command output will also indicate whether a line is a member of an MLP bundle, as shown in Figure 1. The debug dialer command can also be used to troubleshoot misconfiguration problems.

The debug ppp negotiation command is an excellent tool for troubleshooting the PPP LCP activities such as authentication, compression, and MLP. When the LCP is in OPEN state, the NCP negotiation takes place. For PPP to work, LCP options must be negotiated before any NCP activities take place. The debug ppp negotiation command allows you to observe negotiation of the following:

- CHAP authentication
- Compression Control Protocol (CCP)
- NCP protocols (IPCP, IPXCP, ATCP, and so on)

When specifically debugging CHAP or PAP authentication, the debug ppp authentication command can be used in place of debug ppp negotiation. The debug ppp authentication command gives you the same output as debug ppp negotiation, but that output is limited to CHAP and PAP authentication events.

Because debugging output is assigned a high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
