Before we move on to options for PPP, you should know how to configure the basics. Any true geek should be champing at the bit by this point to get going. If you're not champing, then we still have a ways to go to fully convert you.

Basic PPP Configuration Commands

The first thing you need to do is set up PPP on a serial interface using Router(config-if)#encapsulation <PPP | SLIP>. You also need to specify whether the user has a choice about how she wants to access the router. Use the command Router(config-if)#async mode dedicated if you want the user to only access the internal network via this method. If you want the user to be able to run PPP, SLIP, or EXEC tasks, you need to use Router(config-if)#async mode interactive. In short, if you are configuring the async interface for user access only, use the async mode dedicated command; if you need to connect through it to configure the router, use the async mode interactive command.
Chances are the user is using IP, so we discuss the commands necessary for addressing. The Router(config-if)#peer default ip address <IP address | pool pool-name | dhcp> command specifies how the user gets an address generated by one of your devices. The pool option also requires the global command Router(config)#ip local pool pool-name starting-address ending-address. If you want the user to specify an address, use Router(config-if)#async dynamic address. You use this command when the user has a static address; the called interface must then be in interactive mode. Finally, you can also use IP unnumbered. Table 4.2 explains the commands line-by-line.
Configuring CHAP

Once PPP and addressing are established, it only takes a couple more lines to set up CHAP authentication on two routers. Table 4.3 is a side-by-side comparison. It omits the other configuration information to avoid confusing the issue. Each configuration starts in global configuration mode, with each line explained in the bullet list after the configuration.
Protecting Configuration Contents

Hiding the password as it crosses the circuit is only half the battle; you also need to make sure that the password can't be viewed by anyone who isn't supposed to view it. If you're sitting at a console, logged into a router, and viewing the contents of the configuration file when someone walks up behind you, there is a chance that person could view username and password pairs. Passwords are not scrambled by default, but it is easy to make them scrambled when viewing the configuration file. You can use the command service password-encryption to scramble passwords associated with Telnet, console, usernames in all forms, and so on. Enabling this command is a one-way process for a password. If there is a password on the system when the command is enabled, the password gets scrambled. If the command is reversed, the scrambled passwords do not become clear text again, but any new passwords remain in clear-text mode in the configuration file. It is not necessary to enable this command to use CHAP. The service password-encryption command only protects passwords as they are stored; CHAP only protects passwords as they cross the WAN.
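The following is an added example, not a table from the book, that puts the three pieces above together: the basic async and serial PPP setup, CHAP between two routers, and service password-encryption so the CHAP secrets are not stored in clear text. Hostnames, the pool name DIALIN, the addresses and the shared secret are all assumed values for illustration.

```cisco
! ---- RouterA: dial-in side plus a CHAP-protected serial link to RouterB ----
hostname RouterA
! Scramble every stored password in the config (one-way; see text above)
service password-encryption
! CHAP: the peer's hostname must appear as a username with the shared secret
username RouterB password s3cretCHAP
! Address pool handed to dial-in users on the async interface
ip local pool DIALIN 192.168.10.10 192.168.10.20
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ! Users may only run PPP here; no EXEC access through this port
 async mode dedicated
 peer default ip address pool DIALIN
 ppp authentication chap
!
interface Serial0
 ip address 192.168.20.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
!
! ---- RouterB: far end of the serial link ----
hostname RouterB
service password-encryption
! Mirror image: RouterA's hostname with the same secret
username RouterA password s3cretCHAP
!
interface Serial0
 ip address 192.168.20.2 255.255.255.252
 encapsulation ppp
 ppp authentication chap
```

With service password-encryption enabled, show running-config displays the username secrets in IOS type 7 form, which is reversible obfuscation that only defeats casual over-the-shoulder viewing; it does not reduce the need to control who can read the configuration.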