Configuring PPP for CHAP Authentication

Before we move on to options for PPP, you should know how to configure the basics. Any true geek should be champing at the bit by this point to get going. If you're not champing, then we still have a ways to go to fully convert you.

Basic PPP Configuration Commands

The first thing you need to do is set up PPP on a serial interface with Router(config-if)#encapsulation <ppp | slip>. You also need to decide whether the user gets a choice about how to access the router. Use Router(config-if)#async mode dedicated if the user should only be able to reach the internal network over SLIP or PPP; use Router(config-if)#async mode interactive if the user should be able to run PPP, SLIP, or EXEC tasks. In other words, an async interface meant for user access only gets the async mode dedicated command, and an interface you need to connect to in order to configure the router gets the async mode interactive command.

Note: Although you have the option of setting up either PPP or SLIP, SLIP isn't a protocol that is being rolled out en masse. You need to know that you can implement SLIP, but most of the knowledge required for the exam is about PPP.


Chances are that the user is running IP, so we cover the commands needed for addressing. The Router(config-if)#peer default ip address <IP address | pool pool-name | dhcp> command specifies how the user gets an address generated by one of your devices. The pool option also requires the command Router(config)#ip local pool pool-name starting-address ending-address. If you want the user to supply an address, use Router(config-if)#async dynamic address; you use this command when the user has a static address, and the called interface must be in interactive mode. Finally, you can also use IP unnumbered. Table 4.2 explains the commands line by line.

Table 4.2. PPP Configuration Commands (each command is followed by its explanation)

Router(config-if)#encapsulation <ppp | slip>
    This command sets PPP or SLIP encapsulation on the interface. Remember, SLIP is IP only.

Router(config-if)#async mode dedicated
    This command places the interface into dedicated SLIP or PPP access mode with no EXEC capability.

Router(config-if)#async mode interactive
    This mode is required for either SLIP or PPP to access EXEC on the router.

Router(config-if)#peer default ip address <address | pool pool-name | dhcp>
    This command says what IP address the client will receive. You can specify an address, a pool of addresses, or that the client should use DHCP. Using DHCP might require additional DHCP configuration, depending on your network.

Router(config-if)#async dynamic address
    This command allows the client to specify his own IP address with a static configuration. The dial-in interface must be in interactive mode for it to work.

Router(config-if)#ip unnumbered interface-type interface-number
    Because an unnumbered interface does not have an IP address, it uses the address of the specified interface. Use it only on point-to-point connections.

Router(config)#ip local pool pool-name starting-address ending-address
    To use a pool of addresses, you actually have to configure a pool. The command ip local pool XYZCorp 10.1.1.1 10.1.1.254 establishes a set of 254 addresses for dial-up use.

Router(config)#ip address-pool dhcp-proxy client
    This command tells the router to act as a proxy client for DHCP addressing. For it to work, you should also configure Router(config)#ip dhcp-server <ip-address | name>; otherwise, the router doesn't know where to get an address.

Configuring CHAP

Once PPP and addressing are established, it only takes a couple more lines to set up CHAP authentication on two routers. Table 4.3 is a side-by-side comparison. It omits the other configuration information to avoid confusing the issue. Each configuration starts in global configuration mode, with each line explained in the bullet list after the configuration.

Table 4.3. CHAP Configuration Comparison

Router "One"                        Router "Two"
hostname One                        hostname Two
username Two password Cisco         username One password Cisco
interface serial1                   interface serial1
 encapsulation ppp                   encapsulation ppp
 ppp authentication chap             ppp authentication chap

  • The first line tells the router what its name is. It is the username that actually gets sent when authenticating.

  • The second line says, "When authenticating with this device, use this password." So when device One wants to call device Two, it identifies itself by its hostname and authenticates with the listed password. Both the username and password are case sensitive.

  • The third line just tells the router we are about to configure interface Serial 1.

  • The fourth line tells the router to use PPP encapsulation on this interface.

  • The last line tells the router to use CHAP authentication.
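The following is an added example, not code from the book: a small Python model of the CHAP exchange between the two routers of Table 4.3, showing why the hostname is what gets sent, why the username and password are case sensitive, and that only a digest of the password crosses the link. The hostnames, username tables and the password "Cisco" come from the table; the digest layout (MD5 over identifier, secret and challenge) follows RFC 1994, and the message dictionaries are a simplification of the real packet format.

```python
import hashlib
import hmac
import os

# Added example, not from the book: a minimal model of CHAP between the
# routers of Table 4.3. Digest follows RFC 1994:
# Response value = MD5(Identifier || secret || Challenge).

class Router:
    def __init__(self, hostname, usernames):
        self.hostname = hostname      # the 'hostname' line; sent as Name
        self.usernames = usernames    # {peer: password} from 'username' lines
        self._identifier = 0
        self._challenge = b""

    def challenge(self):
        """Authenticator side: send a fresh random challenge and our name."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._challenge = os.urandom(16)
        return {"code": "Challenge", "id": self._identifier,
                "value": self._challenge, "name": self.hostname}

    def respond(self, challenge):
        """Peer side: look up the password stored for the challenger's name
        and return only its digest; the password never leaves the router."""
        secret = self.usernames.get(challenge["name"])
        if secret is None:            # no 'username <challenger>' line
            return None
        digest = hashlib.md5(bytes([challenge["id"]]) + secret.encode()
                             + challenge["value"]).digest()
        return {"code": "Response", "id": challenge["id"],
                "value": digest, "name": self.hostname}

    def verify(self, response):
        """Authenticator side: recompute the digest with the password stored
        under the responder's name; any mismatch (case included) fails."""
        if response is None or response["id"] != self._identifier:
            return "Failure"
        secret = self.usernames.get(response["name"])
        if secret is None:
            return "Failure"
        expected = hashlib.md5(bytes([self._identifier]) + secret.encode()
                               + self._challenge).digest()
        ok = hmac.compare_digest(expected, response["value"])
        return "Success" if ok else "Failure"

def chap_authenticate(authenticator, peer):
    """One challenge/response round; returns 'Success' or 'Failure'."""
    return authenticator.verify(peer.respond(authenticator.challenge()))
```

Because each router looks up the other's hostname in its own username table, the password stored under username Two on router One must equal the password stored under username One on router Two, which is why Table 4.3 uses "Cisco" on both sides.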

Protecting Configuration Contents

Hiding the password as it crosses the circuit is only half the battle; you need to make sure that the password can't be viewed by anyone who isn't supposed to view it. If you're sitting at a console, logged into a router, and viewing the contents of the configuration file when someone walks up behind you, there is a chance that person could view username and password pairs.

Passwords are not scrambled by default, but it is easy to make them scrambled when viewing the configuration file. You can use the command service password-encryption to scramble passwords associated with Telnet, console, usernames in all forms, and so on.

Enabling this command is a one-way process for a password. If there is a password on the system when the command is enabled, the password gets scrambled. If the command is reversed, the scrambled passwords do not become clear text again, but any new passwords remain in clear-text mode in the configuration file. It is not necessary to enable this command to use CHAP. The service password-encryption command only protects passwords as they are stored; CHAP only protects passwords as they cross the WAN.
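As an added example (not from the book), the following Python audit reads a saved IOS-style configuration and lists every password line that is still stored unscrambled, which is the condition service password-encryption is meant to remove; it also checks whether the command is present. The configuration text and the type 7 strings in it are constructed for the example.

```python
import re

# Added example, not from the book: audit a configuration for clear-text
# passwords. A "password <text>" or "password 0 <text>" line is clear text;
# "password 7 <text>" is the scrambled form written by service
# password-encryption. Note that type 7 only hides the password from someone
# reading the config over your shoulder; it is a reversible scramble, so
# CHAP secrets still need the usual handling of sensitive configuration.

SAMPLE_CONFIG = """\
hostname One
username Two password Cisco
username Admin password 7 0A1B2C3D4E5F
enable password 0 ConstructedValue
enable secret 5 $1$CONSTRUCTED$placeholder
line con 0
 password letmein
line vty 0 4
 password 7 1F2E3D4C5B6A
"""

# group 1: optional encryption type digit, group 2: the stored value
PASSWORD_LINE = re.compile(
    r"^\s*(?:username\s+\S+\s+|enable\s+)?password\s+(?:(\d)\s+)?(\S+)")

def find_cleartext_passwords(config_text):
    """Return (line_number, line) for every password stored unscrambled."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PASSWORD_LINE.match(line)
        if m and m.group(1) in (None, "0"):
            findings.append((lineno, line.strip()))
    return findings

def encryption_enabled(config_text):
    """True when 'service password-encryption' is present in the config."""
    return any(line.strip() == "service password-encryption"
               for line in config_text.splitlines())

if __name__ == "__main__":
    for lineno, line in find_cleartext_passwords(SAMPLE_CONFIG):
        print(f"line {lineno}: clear-text password: {line}")
    print("service password-encryption:", encryption_enabled(SAMPLE_CONFIG))
```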

CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003