This post is intended as a quick analysis of PPPoE authentication and the relevant configuration on Cisco routers.
Server (virtual-template side):

```
interface GigabitEthernet1.13
 encapsulation dot1Q 13
 pppoe enable group global
!
bba-group pppoe global
 virtual-template 1
!
interface Virtual-Template1
 ip address 198.18.0.1 255.255.255.0
!
end
```
Client (dialer side):

```
interface GigabitEthernet1.13
 encapsulation dot1Q 13
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address 198.18.0.3 255.255.255.0
 encapsulation ppp
 dialer pool 1
!
end
```
- With a virtual-template, PPP is the default encapsulation.
- A connected route for the PPP neighbor is installed in the routing table.
- This is a basic configuration. Other topics, such as DHCP, are outside the scope of this post.
Authentication and Analysis
In this section we take a look at the means of authentication and analyze the packets involved.
There are two main modes for authenticating the line – PAP and CHAP.
Server:

```
username R3 password cisco
!
interface virtual-template 1
 ppp authentication pap
!
end
```
Client:

```
interface dialer1
 ppp pap sent-username R3 password cisco
!
end
```
Key Point - The process is straightforward. The server tells the client in the configuration request that the authentication method is PAP. The client responds with its username and password, which are sent in the clear and authenticated against the server's local database.
PAP Packet Capture – PPP PAP PCAP
CHAP isn't as straightforward and is misleading when compared to PAP.
Server:

```
username R3 password cisco
!
interface virtual-template 1
 ppp authentication chap
!
end
```
Client:

```
username R1 password cisco
!
end
```
Key Point - The functional difference between PAP and CHAP is that CHAP performs a semi-bidirectional authentication. The server tells the client that the authentication method is CHAP. During authentication the server sends a challenge carrying its own hostname to the client router. The client router looks up that hostname in its local database, hashes the matching password with the challenge, and sends the hash back together with its own username. The server then looks up that username in its own database and computes the same hash to confirm. This is why the server holds an entry for the client (R3) while the client holds an entry for the server (R1).
CHAP Packet Capture – PPP CHAP PCAP
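The CHAP exchange described above, as an added example that is not code from the original post or from Cisco. It assumes the hostnames R1 (server) and R3 (client) and the username/password entries from the configs above; the packet layout follows RFC 1994 and the challenge value is constructed.

```python
import hashlib
import hmac
import os

# Constructed local databases mirroring the configs above:
SERVER_NAME, CLIENT_NAME = "R1", "R3"
SERVER_DB = {"R3": b"cisco"}   # server R1 holds "username R3 password cisco"
CLIENT_DB = {"R1": b"cisco"}   # client R3 holds "username R1 password cisco"
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def chap_packet(code: int, ident: int, value: bytes, name: str) -> bytes:
    # RFC 1994 Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name
    body = bytes([len(value)]) + value + name.encode()
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_chap(pkt: bytes):
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("bad CHAP length")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length].decode()


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over Identifier || secret || Challenge value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_respond(challenge_pkt: bytes) -> bytes:
    code, ident, challenge, peer_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    secret = CLIENT_DB[peer_name]  # client looks up the server's name (R1)
    digest = chap_hash(ident, secret, challenge)
    return chap_packet(CHAP_RESPONSE, ident, digest, CLIENT_NAME)  # sent with name R3


def server_verify(response_pkt: bytes, ident: int, challenge: bytes) -> bool:
    code, resp_ident, received, peer_name = parse_chap(response_pkt)
    if code != CHAP_RESPONSE or resp_ident != ident or peer_name not in SERVER_DB:
        return False
    expected = chap_hash(ident, SERVER_DB[peer_name], challenge)  # server looks up R3
    return hmac.compare_digest(expected, received)


def run_chap(ident: int = 1, challenge: bytes = b"") -> bool:
    challenge = challenge or os.urandom(16)
    chal_pkt = chap_packet(CHAP_CHALLENGE, ident, challenge, SERVER_NAME)
    return server_verify(client_respond(chal_pkt), ident, challenge)
```

Because the server only ever sees MD5(Identifier || secret || challenge), a captured CHAP response is bound to one challenge and identifier, whereas a captured PAP Authenticate-Request carries the reusable password itself.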