
PPP :: PAP | CHAP

You know you're going to see this in some form on the exam. You're more likely to not have to configure a static route than to not have to configure/troubleshoot some form of authentication.

One of the things that caught my attention with PPP is the fact that with PPP, each end installs a local host route for the remote side. This means that you can hammer up a connection between two devices on different subnets. Think about this - doesn't it sound like some stupid thing that could trip someone up if they didn't know it existed? Imagine sitting in front of an exam that tells you to configure a link between two IPs that are not on the same subnet - and you're looking at it and wondering wtf? You know that if you were back at work, you would use a /30 for that damn link. But you're not at work - and you have to find the answer/solution that fits within the constraints given on the exam. Sure, you could skip it and miss those two lousy points. But wait - what if other things need to also be configured across that link? If you don't get that link up the way they specified, you could lose a lot more than 2 points. It could break a number of things - and then you just had the most expensive lunch of your life.

Items to note:

Authentication is ONE WAY!! You have a request and a response. The request goes in one direction and the response goes in the other. If you want to configure _MUTUAL_ authentication, you have to configure two separate requests (and their companion responses).

Remember - this comes from the old dial-up days where you authenticated with your ISP. Your ISP didn't authenticate back to you. If you remember that, you'll remember the most important thing - where to find it in the documentation! You will NOT find it in the IOS 15.3M&T Configuration Guides. You have to go to the earlier versions of IOS - go to 12.4T -- Dial and Access -- Cisco IOS Dial Technologies Configuration Guide -- Part 9 : PPP Configuration.

You're looking for Media-Independent PPP and Multilink PPP. There's not much they can ask you to do that couldn't be found there. Just be careful - since their configuration examples may be a bit more than you need.

% PAP %

## Authentication Request:
ppp authentication pap

## Authentication Response:
no ppp pap refuse
ppp pap sent-username [username] password [password]

Example:
[Figure: PAP Authentication]


So for our example:

R1#
(global config)
username R3 password iamme
(interface config)
ppp authentication pap

R3#
(interface config)
no ppp pap refuse
ppp pap sent-username R3 password iamme

It's that simple. Using the same scenario and configuring CHAP instead of PAP:


R1#
(global config)
username RTR3 password iamme2
(interface config)
ppp authentication chap

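R3#
(interface config)
no ppp chap refuse
ppp chap hostname RTR3
ppp chap password iamme2
OR (only when the router's hostname is already the username the other side expects)
ppp chap password iamme2

For CHAP, the hostname is the default username. If that is not what is in your database for authentication, you need to add "ppp chap hostname" to send a different name. CHAP has no "sent-username" form; that keyword belongs to "ppp pap".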

!!! Make sure that when you put the username in the global config, you do not use "username xxx secret yyy", or else you will be sending a hash of the hashed password instead of the hash itself. Authentication will fail.
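To see why the stored form of the password matters, here is the CHAP response calculation from RFC 1994 (MD5 over Identifier, shared secret, Challenge) as an added Python example; it is not IOS code. The names R1/R3 and the password come from the scenario above, and `one_way()` is a hypothetical stand-in for any irreversible stored form, not the algorithm IOS uses for "secret".

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_verify(stored: bytes, identifier: int,
                         challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the response from whatever it has stored
    for that username and compares it with what the peer sent."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def one_way(password: bytes) -> bytes:
    """Hypothetical irreversible stored form (assumption: SHA-256 hex digest).
    It only models 'the cleartext is no longer available'."""
    return hashlib.sha256(password).hexdigest().encode()


def run_exchange(r1_stored: bytes, r3_password: bytes) -> bool:
    """One-way CHAP: R1 sends a challenge, R3 answers, R1 verifies."""
    identifier = 1
    challenge = os.urandom(16)          # fresh per attempt, so replays fail
    response = chap_response(identifier, r3_password, challenge)
    return authenticator_verify(r1_stored, identifier, challenge, response)


if __name__ == "__main__":
    pw = b"iamme2"                      # password from the CHAP scenario
    print("R1 stores cleartext   :", run_exchange(pw, pw))
    print("R1 stores one-way hash:", run_exchange(one_way(pw), pw))
```

Both ends must feed the same bytes into the MD5, which is why the authenticator needs a recoverable password for the peer's username. PAP has no such calculation: the username and password cross the link as sent.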
