What is the Password Authentication Protocol?
The Password Authentication Protocol (PAP) is a simple authentication protocol used in networking environments. It operates by having the user send a username and password to the server, which are then verified against a known list of usernames and passwords. If it is accepted, the connection is allowed. PAP is not interactive in any way, PAP is not considered a strong authentication protocol.
PAP is straightforward to implement but insecure because it sends the password over the network in plain text, making it vulnerable to interception.
This protocol is often used in older or less secure systems where simplicity is prioritized over security.
When the ppp authentication pap command is used, the username and password are sent as one LCP data package, rather than the server sending a login prompt and waiting for a response.
Although, PAP cannot be said to be a very strong authentication protocol, there are times when using PAP can be justified. PAP may be used in the following situations:
i. When an installed network application does not support CHAP
ii. Incompatibilities between different vendor implementations of CHAP
iii. Circumstances where a plain text password must be available to simulate a login at the remote host
How to configure PAP on a Cisco router interface
The process outlined below describes how to configure PPP encapsulation and PAP authentication protocols.
Before PAP configuration, we assumed that all interface IP addresses had been configured as the case may be.
HQ router
HQ#config t
HQ(config)#username RO password orbit
HQ(config)#interface se0/0/0
HQ(config-if)#encapsulation ppp
HQ(config-if)#ppp authentication PAP
HQ(config-if)#ppp pap sent-username HQ password orbit
HQ(config-if)#end
Remote Office router
RO#Config t
RO(config)#username HQ password orbit
RO(config)#interface se0/0/0
RO(config-if)#encapsulation ppp
RO(config-if)#ppp authentication PAP
RO(config-if)#ppp pap sent-username RO password orbit
RO(config-if)#end
The example above is of a two-way PAP authentication configuration. Both routers authenticate and are authenticated, so the PAP authentication commands emulate each other. The PAP username and password that each router sends must match those specified with the username name password command of the other router
Summary:
PAP provides a simple method for a remote host to establish its identity using a two-way handshake. This is done only on initial link establishment. The hostname on one router must match the username the other router has configured. The passwords do not have to match.
