PPPoE

This post is intended for a quick analysis of the PPPoE protocol authentication and its relevant configuration on Cisco routers.

Base Configuration

R1 –


interface GigabitEthernet1.13
encapsulation dot1Q 13
pppoe enable group global
!
bba-group pppoe global
virtual-template 1
!
interface Virtual-Template1
ip address 198.18.0.1 255.255.255.0
!
end


R3-


interface GigabitEthernet1.13
encapsulation dot1Q 13
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address 198.18.0.3 255.255.255.0
encapsulation ppp
dialer pool 1
!
end


Key Points

  1. With a virtual-template PPP is the default encapsulation
  2. A connected route will be generated in the routing table for the PPP neighbor.
  3. This is a basic configuration. Other topics like DHCP are outside of this post.

 

Authentication and Analysis

In this section we will take a look at the means of authentication and analyze the packets involved.

There are two main modes for authenticating the line – PAP and CHAP.

PAP Configuration – Cisco Configuration Link; Cisco Configuration PDF

R1 –


username R3 password cisco
!
interface virtual-template 1
ppp authentication pap
!
end


R3 –


interface dialer1
ppp pap sent-username R3 password cisco
!
end


Key Point - The process is straight forward. The server tells the client in the configuration request that the authentication is PAP. Client responds with its username and password. The username and password is authenticated against the local database.

PAP Packet Capture – PPP PAP PCAP

PPP PAP

 

CHAP – Cisco Configuration Link; Cisco Configuration PDF

Chap isn’t as straight forward and is misleading compared to PAP.

R1 –


username R3 password cisco
!
interface virtual-template 1
ppp authentication chap
!
end


R3 –


username R1 password cisco
!
end


Key Point - The functional difference between PAP and CHAP is that CHAP performs a semi-bidirectional authentication. The server tells the client that the authentication is CHAP. The server during authentication sends its username to the client router. The client router then looks up the password in the database and sends the hash in response with its username. The server then checks the database to confirm.

CHAP Packet Capture – PPP CHAP PCAP

PPP CHAP

 

Scroll to Top