Password Authentication Protocol (PAP)

PPP support different option that can be configured optionally.  One of these options is authentication.  The authentication option provides a method to negotiate the use of a particular protocol for Authentication. By default, authentication is not required. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) can be used for PPP links authentication which is defined in RFC 1334

Password Authentication Protocol is a basic two-way process used to authenticate a user’s password. The username and password are sent in plain text without any encryption. If it is accepted, the connection is allowed. As an authentication protocol, PAP is the least secure because the password is sent in plain text.

The figure below illustrates the process of PAP.  R1 sends its PAP user name and password to R2. R2 evaluate R1’s user name and password against its local database. If it matches, it accepts the connection and accepts the message. If not, it rejects the connection and sends a reject message.


The command “ppp authentication pap” is used for PPP authentication. When the command is entered, the username and password are sent as one LCP data packet. After PPP completes the link establishment phase, the remote node constantly sends a username with password across the link until the receiving node acknowledges the connection or terminates the connection.

The receiving node checked the username-password using an authentication server that either allows or denies the connection. If the connection is accepted, it sends the connection acknowledgement message otherwise it returned the reject message. Password Authentication Protocol authenticates only during establishing a connection, it never re-authenticate after connection establishment. This is a network vulnerability to the attacker; they can attack using this area.

Password Authentication Protocol can be used where a large installed base of client applications that do not support CHAP.  Password Authentication Protocol can also be important between different vendor equipment, where implementations of CHAP are not compatible. It is also used where a plaintext password is necessary to simulate a login at the remote host

Configuring PAP Authentication

Now we know the basic information about PAP. We know that PAP is a two-way authentication protocol. Both routers authenticate and are authenticated. The PAP username and password that each router sends must match those configured with the username name password password command of the other router.

PAP only did authentication during initial link establishment. The hostname on one router must match the username the other router has configured for PPP. The passwords must also match. Specify the username and password parameters, The PAP configuration for the above topology is the following:-

Router R-1 (Remote Site)


Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R1

R1(config)#username R2 password ccna12345

R1(config)# interface serial0/0/0

R1(config-if)#no shut

R1(config-if)# ip address

R1(config-if)# ipv6 address 2001:AD01:BD00::1/64

R1(config-if)# clock rate 64000

R1(config-if)#encapsulation PPP

R1(config-if)#ppp authentication pap


Router R-2 (Central Site)


Router#config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname R2

R2(config)#username R2 password ccna12345

R2(config)# interface serial0/0/0

R2(config-if)#no shut

R2(config-if)# ip address

R2(config-if)# ipv6 address 2001:AD01:BD00::2/64

R2(config-if)# clock rate 64000

R2(config-if)#encapsulation PPP

R2(config-if)#ppp authentication pap