In computer networking, an authentication protocol lets two nodes prove their identity to each other before they exchange data. PPP encapsulation offers two such protocols: PAP and CHAP.
Point-to-Point Protocol (PPP) is a layer 2 protocol used to connect two nodes directly. PAP and CHAP do not encrypt the data; they let each node verify who the other one is before traffic is passed over the link.
Password Authentication Protocol (PAP) is rarely used nowadays. It is the less secure of the two: like Telnet, it sends the username and password in clear (plain) text over the medium, so anyone with a simple packet sniffer on the path can read the password and use it to authenticate as that peer.
CHAP, the Challenge Handshake Authentication Protocol, is considerably stronger. It never sends the password over the medium. The password is configured on both nodes; what crosses the link is a random challenge from one side and, from the other, its hostname plus an MD5 hash computed over the challenge and the shared password. The node that sent the challenge recomputes the hash with its own copy of the password and compares the two. CHAP is not unbreakable, though: anyone who captures the challenge and the response can test password guesses offline, so the shared secret still has to be long and random.
CHAP does not use encryption at all; hashing is different from encryption. Encryption scrambles the original data at the source, and the receiving node applies the decryption key to recover it. A hash cannot be reversed: there is no key that turns the hash value back into the password.
Let's see this on a Cisco router. Password configuration on the router:
After configuring the enable password and the enable secret and issuing the service password-encryption command, show running-config looks as shown below.
Now we can simply search for a Cisco type 7 password decrypter on the internet, paste the encrypted string and get the password back in clear text, as seen below. Type 7 is a fixed-key XOR obfuscation, not encryption in any real sense; its only purpose is to stop someone reading a password off the screen over your shoulder.
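As an added example (not code from the original post), here is the type 7 decoder done in Python rather than with a web tool, plus a small audit that scans running-config text and separates reversible type 7 strings from one-way type 5 hashes. The key string is the well-known IOS constant; the sample configuration, the passwords in it and the type 5 placeholder value are constructed for this example.

```python
# Added example, not code from the original post. It reverses the Cisco
# "type 7" obfuscation that `service password-encryption` applies to enable
# and line passwords. The scheme is a fixed-key XOR: the first two characters
# of the stored string are a decimal offset into the constant key below, and
# each following pair of hex digits is one password byte XORed with the next
# key byte. The key is the well-known IOS constant; the running-config text
# and the password strings are constructed for this example.

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(stored: str) -> str:
    """Turn a `password 7 <string>` value back into clear text."""
    if len(stored) < 4 or len(stored) % 2 or not stored[:2].isdigit():
        raise ValueError("not a type 7 string: <2-digit seed><hex pairs>")
    seed = int(stored[:2])
    body = bytes.fromhex(stored[2:])
    clear = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return clear.decode()


def type7_encode(clear: str, seed: int = 7) -> str:
    """Produce what IOS would store. IOS picks a seed between 0 and 15; the
    seed is not a secret, it is written in clear at the front of the string,
    which is exactly why the scheme is reversible."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                 for i, b in enumerate(clear.encode()))
    return "%02d%s" % (seed, body.hex().upper())


def audit_config(running_config: str):
    """Scan running-config text for stored credentials and report which are
    reversible. Returns a list of (line, type, clear_text_or_None); only
    type 7 is decoded, type 5/8/9 are one-way hashes and are left alone."""
    findings = []
    for line in running_config.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok in ("password", "secret") and i + 2 < len(parts) and parts[i + 1].isdigit():
                ptype = int(parts[i + 1])
                clear = type7_decode(parts[i + 2]) if ptype == 7 else None
                findings.append((line.strip(), ptype, clear))
                break
    return findings


# Constructed sample; the type 5 value is a placeholder shape, not a real hash.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
!
enable secret 5 $1$abcd$placeholder.hash.value.here
enable password 7 070C285F4D06
!
username admin password 7 094F471A1A0A
line vty 0 4
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    for line, ptype, clear in audit_config(SAMPLE_RUNNING_CONFIG):
        print("type %d  %-45s -> %s" % (ptype, line, clear or "(one-way hash, not decodable)"))
```

Running it prints both type 7 strings as cisco and leaves the enable secret 5 line alone. The practical check: anything that shows as password 7 in a configuration backup should be treated as clear text, which is why enable secret is the only acceptable form for the enable password and why configuration backups need the same protection as the passwords themselves.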
Reversible "encryption" like this offers no protection once the configuration leaks, so it is not recommended for protecting credentials. Hashing instead runs the password through a one-way function; the resulting value is what is sent over the medium (in CHAP) or stored in the configuration (for the enable secret). Remember that this is hashing, not encryption.
The receiving router can only authenticate the peer if it has the same password configured, because the same password and the same challenge produce the same hash on both nodes.
Therefore, for CHAP to work correctly over PPP, the same password has to be configured on the sending and the receiving machine (on Cisco routers, username <peer-hostname> password <same-password> on each side). The password itself is never sent over the link, only the hash, which is the result of a mathematical formula. See below.
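The exchange described above, as an added example in Python that is not part of the original post: two peers R1 and R2 (constructed names) hold the same shared password, the authenticator challenges, the responder hashes, and only the challenge and the hash cross the link. The last function shows the caveat: a captured challenge/response pair lets an attacker test guesses offline, so the strength of CHAP is the strength of the shared secret.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. It models the CHAP
# three-way handshake of RFC 1994 between two PPP peers: the authenticator
# sends a random challenge, the peer replies with MD5(ID || secret ||
# challenge), and the authenticator recomputes that hash from its own copy of
# the secret. Hostnames (R1, R2) and the shared password are constructed.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapPeer:
    """One PPP endpoint. `secrets` maps the *other* side's hostname to the
    shared password, the equivalent of `username <peer> password <pw>` on a
    Cisco router. Because the peer must recompute MD5 over the raw password,
    the password has to be stored in a form the router can read back."""

    def __init__(self, hostname: str, secrets: dict):
        self.hostname = hostname
        self.secrets = {name: pw.encode() for name, pw in secrets.items()}
        self.ident = 0

    # authenticator side
    def challenge(self) -> dict:
        """Step 1: a fresh random challenge plus our own name, which the peer
        uses to look up the right secret. The secret itself never leaves."""
        self.ident = (self.ident + 1) & 0xFF
        return {"id": self.ident, "value": os.urandom(16), "name": self.hostname}

    def verify(self, chal: dict, resp: dict) -> bool:
        """Step 3: look up the secret for the responder's name, recompute the
        hash and compare. A peer with a different password fails here."""
        secret = self.secrets.get(resp["name"])
        if secret is None or resp["id"] != chal["id"]:
            return False
        expected = chap_response(chal["id"], secret, chal["value"])
        return hmac.compare_digest(expected, resp["value"])

    # responder side
    def respond(self, chal: dict) -> dict:
        """Step 2: answer with the hash, never with the password."""
        secret = self.secrets[chal["name"]]
        return {"id": chal["id"],
                "value": chap_response(chal["id"], secret, chal["value"]),
                "name": self.hostname}


def run_handshake(authenticator: ChapPeer, peer: ChapPeer):
    """Run one authentication. Returns (success, bytes seen on the wire)."""
    chal = authenticator.challenge()
    resp = peer.respond(chal)
    on_the_wire = chal["value"] + resp["value"]
    return authenticator.verify(chal, resp), on_the_wire


def offline_guess(chal: dict, resp: dict, wordlist):
    """What a sniffer can do with one captured challenge/response pair: test
    candidate passwords offline without touching the routers. This is why
    the shared secret must be long and random, not a dictionary word."""
    for word in wordlist:
        if chap_response(chal["id"], word.encode(), chal["value"]) == resp["value"]:
            return word
    return None


if __name__ == "__main__":
    r1 = ChapPeer("R1", {"R2": "cisco123"})   # both sides hold the same password
    r2 = ChapPeer("R2", {"R1": "cisco123"})
    ok, wire = run_handshake(r1, r2)
    print("authenticated:", ok, "| password on the wire:", b"cisco123" in wire)
    bad = ChapPeer("R2", {"R1": "cisco124"})  # one character off: rejected
    print("mismatched password:", run_handshake(r1, bad)[0])
```

The example uses plain MD5 because that is what the protocol specifies; the constant-time comparison in verify is a habit worth keeping in any code that checks an authenticator, and the wordlist function is exactly what a sniffer on the serial link would run against a captured pair.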
Back to the router screenshots.
The enable secret shows a 5, which marks an MD5-based hash (salted MD5-crypt, the $1$ format). It cannot be reversed, but it can still be brute-forced offline if the password is weak, so choose a strong one; newer IOS releases also support type 8 (PBKDF2-SHA256) and type 9 (scrypt), which are much slower to attack.
This concept of PPP authentication came up this morning at 3.20 when I was watching a video, so I decided to share it. I know there is a lot more to it, but thinking back I remember not having focused on this concept during the CCNA. To finish, it is not recommended to use the enable password, but the enable secret instead. Although the service password-encryption command encrypts the former, it is easily reversible. The latter, the enable secret, uses an MD5 hash that cannot be reversed. And with CHAP the password is never sent over the wire; for authentication to succeed, the same password must be configured on both nodes.
Thank you for your comments and questions...
Friday, 29 April 2011
Friday, 22 April 2011
My home Office Lab
Do you know Scott Morris? Yes, probably. Look at his uber lab!
Scott Morris is my idol; this man is a networking giant. His qualifications are amazing! Look at his résumé, and it goes on and on. A four-time CCIE, believe me, four times. I know a few other people have achieved it, but this guy's curriculum vitae is heart-breaking and scary to 90% of employers out there.
When I first saw his lab on the internet, I could not believe someone would keep such equipment at home. But I read his stories and followed his advice, and let me tell you that they paid off! The more I went on studying computers, and networking in particular, the more I understood the benefits of having real routers and switches.
I have worked with fellow students and classmates, very smart guys, some even smarter than I am. Reading books is a very good thing, but relying on them alone is not enough. We all know how lab sessions are run in colleges and universities! Many won't allow students to use the lab outside the lab sessions, and rely instead on virtual labs such as Cisco Packet Tracer or the Graphical Network Simulator GNS3. GNS3 is free, open-source software that can be downloaded at no charge.
Simulations are good tools for your certifications and work most of the time, but real gear does not always behave the way you want, as there can be many logical and physical constraints.
My point is that not having hands-on access to real gear is not ideal for a computer networking student. Getting HANDS-ON with real routers, switches, etc. will strengthen your knowledge. As I said before, I have helped a lot of smarter classmates just because I own the lab shown below. A lab will allow you to practise, gain confidence and eliminate fear. I can assure you that a lot of university students are confused when they see a router or a switch; some do not know how to identify a DCE and a DTE. If the device is password protected, it is game over.
My first Cisco gear was a Cisco 2511 router, bought from an eBay seller, and it was password protected. The first impression was a disappointment: how on earth does someone sell a router that is password protected? I then realised that some eBay sellers don't have technical knowledge about the items they are selling. I spent a day researching and trying to use the Ctrl+Break key sequence to enter the ROM Monitor, and in the end I did it. But it does not end there: doing this on a regular basis allowed me to master the process and discover and build a few tips of my own.
So below is my home lab; this lab keeps me busy...
Please send your tips and comments!
Tuesday, 19 April 2011
IP Helper
IP address assignment can be static or dynamic. A static IP address is configured manually by the system administrator, whereas a dynamic address is handed out automatically by a DHCP server.
DHCP allows individual computers to request their IP addresses from a DHCP server that has been configured to lease addresses to clients. If DHCP fails, Windows clients fall back to an APIPA address (169.254.x.x), which only works on the local link, so network communication fails.
To obtain a lease, the client and the server go through the following exchange of UDP messages (client port 68, server port 67):
- DHCP Discover. Broadcast sent by the client when it connects and has no lease yet (source 0.0.0.0, destination 255.255.255.255).
- DHCP Offer. The server has received the Discover and replies with an offered IP address. The offer also carries additional configuration such as the subnet mask, default gateway, DNS servers and lease time.
- DHCP Request. The client has checked the offer and accepts it: "Yes, fine by me, please give me this address". This is broadcast as well, so any other server that made an offer knows it was not chosen.
- DHCP ACK. The server acknowledges the client's request: "OK, you can use this address". At this point the client binds the address and can exchange traffic on the network.
IP Helper
There are times when client computers are not in the same subnet as the DHCP server. A DHCP Discover is a broadcast, and routers do not forward broadcasts, so without help those clients would never reach the server. The IP helper feature lets a router or layer 3 switch relay the clients' DHCP requests to a remote server.
The router or switch receives the broadcast (UDP port 67) on the interface where the helper address is configured, fills in the relay agent address field (giaddr) with that interface's own IP address, and forwards the packet as a unicast to the configured server address. The server uses giaddr to pick the pool for the client's subnet, which is why a pool must exist for every relayed subnet. Note that by default the helper also relays a few other UDP broadcasts (TFTP, DNS, Time, NetBIOS name and datagram services, TACACS); if only DHCP is wanted, the others can be switched off with no ip forward-protocol udp followed by the port number.
IP helper configuration is very efficient and fun. In my experience, it has been one of the most amazing commands I have used so far. I used it for the first time when I was configuring VLANs for a local school…
In order to successfully implement IP helper, below is a basic recommendation guide:
- Make sure the client computer's IP settings are configured to obtain an address via DHCP.
- Make sure the server has the correct address pool configured.
- Make sure the address pools have enough IP addresses for the clients.
- Make sure the pools are configured with the clients' subnets and default gateway; the server chooses a pool by matching the relay address (giaddr) against its pools, so a pool for the wrong subnet means no offer at all.
- Make sure the IP helper is configured on the router interface that faces the clients (the one holding their default gateway address), not on the interface facing the server.
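As an added example (not code from the original post), the relay step and the server's pool selection described above, modelled in Python on a constructed topology: clients on 10.10.20.0/24 behind a router interface 10.10.20.1 with a helper address of 10.0.0.5, the server sitting on 10.0.0.0/24. The BOOTP header layout is the one in RFC 2131; the MAC, transaction ID and pool names are made up.

```python
import ipaddress
import struct

# Added example, not code from the original post. It models what an
# `ip helper-address` relay does to a client's DHCP Discover and how the
# server then chooses a pool. The fixed BOOTP header layout is from RFC 2131;
# the addresses, MAC, transaction ID and pool names are constructed.

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
BOOTP_FMT = "!BBBBIHH4s4s4s4s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 28 bytes; chaddr/sname/file/options follow
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_DISCOVER = b"\x35\x01\x01"              # option 53, length 1, message type 1


def build_discover(xid: int, mac: bytes) -> bytes:
    """Client side: BOOTREQUEST with every address field zero and the
    broadcast flag set; on the wire this goes from 0.0.0.0:68 to
    255.255.255.255:67, which a router will not forward by itself."""
    zero = b"\x00" * 4
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero)
    chaddr = mac.ljust(16, b"\x00")
    return hdr + chaddr + b"\x00" * 64 + b"\x00" * 128 + MAGIC_COOKIE + DHCP_DISCOVER + b"\xff"


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header; address fields are returned dotted."""
    hdr = dict(zip(FIELDS, struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])))
    for key in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        hdr[key] = str(ipaddress.IPv4Address(hdr[key]))
    return hdr


def relay(pkt: bytes, ingress_ip: str, helper: str):
    """Router side, on the interface carrying `ip helper-address <helper>`:
    bump the hop count, put the ingress interface address into giaddr if the
    client left it at 0.0.0.0, and send the result as a unicast to the helper.
    Returns (destination_ip, relayed_packet)."""
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = \
        struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    if hops >= 16:                           # RFC 2131 hop limit: drop looping requests
        raise ValueError("hop count exceeded, packet dropped")
    if gi == b"\x00" * 4:                    # only the first relay fills giaddr
        gi = ipaddress.IPv4Address(ingress_ip).packed
    hdr = struct.pack(BOOTP_FMT, op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi)
    return helper, hdr + pkt[BOOTP_LEN:]


def choose_pool(pkt: bytes, server_subnet: str, pools: dict):
    """Server side: a relayed request is matched to a pool by giaddr; a
    request that arrived directly (giaddr 0.0.0.0) is matched to the subnet
    of the server's own interface. No matching pool means no Offer, which is
    the usual reason a relayed client ends up with an APIPA address."""
    giaddr = ipaddress.IPv4Address(parse_header(pkt)["giaddr"])
    for name, cidr in pools.items():
        net = ipaddress.IPv4Network(cidr)
        if int(giaddr) == 0:
            if net == ipaddress.IPv4Network(server_subnet):
                return name
        elif giaddr in net:
            return name
    return None


# Constructed topology: server on 10.0.0.0/24, clients on VLAN 20 behind a
# router whose VLAN 20 interface is 10.10.20.1 and which points at 10.0.0.5.
POOLS = {"SERVERS": "10.0.0.0/24", "VLAN20-STUDENTS": "10.10.20.0/24"}

if __name__ == "__main__":
    discover = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    dst, relayed = relay(discover, "10.10.20.1", "10.0.0.5")
    print("unicast to", dst, "giaddr =", parse_header(relayed)["giaddr"])
    print("pool chosen:", choose_pool(relayed, "10.0.0.0/24", POOLS))
    # A client on a VLAN with no pool: relayed fine, but the server has nothing to offer.
    _, orphan = relay(discover, "10.10.30.1", "10.0.0.5")
    print("pool for 10.10.30.0/24 client:", choose_pool(orphan, "10.0.0.0/24", POOLS))
```

The last two lines of the demo are the failure mode from the checklist: the relay works, the unicast reaches the server, and the client still gets nothing because no pool covers giaddr. When troubleshooting, check giaddr in a capture on the server side before touching the client.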
IP helper configuration
A Cisco router ip helper command is shown below, applied on the interface that faces the clients:
Router(config)#interface [interface facing the clients]
Router(config-if)#ip helper-address [server IP Address here]
Router(config-if)#exit
A Cisco switch ip helper command on a routed port:
Switch(config)#interface [port facing the clients]
Switch(config-if)#no switchport
! no switchport turns the port from a layer 2 port into a layer 3 (routed) port
Switch(config-if)#ip address [interface IP address here] [subnet mask here]
Switch(config-if)#ip helper-address [DHCP server ip address here]
When the switch routes between VLANs, the same ip helper-address command goes under the VLAN interface (interface vlan [number]) that carries the clients' default gateway instead of a physical port.
More about IP helper configuration
Wednesday, 13 April 2011
Wild Card Mask
The wildcard mask, or inverse mask, tells the router which bits of an IP address must match and which can be ignored. In Cisco IOS it is used in routing protocol network statements (EIGRP, OSPF, etc.) and in access control lists (ACLs).
Example 1
This is an example of an IP address with a wildcard mask: 113.2.34.0 0.0.0.255.
Ok, but what does it mean?
Wherever there is a 0 on the wildcard mask, every bit of that octet is significant and has to match:
- Look at 113
- Look at 2
- Look at 34
Wherever we see a 255 on the wildcard mask, all eight bits of that octet are "do not care".
So in the example above the router looks at the first three octets only, 113.2.34.
If a command such as "network 113.2.34.0 0.0.0.255" is used under the routing process on Cisco IOS, the routing protocol is enabled on every interface whose IP address starts with 113.2.34.
Example 2
This is an IP address with a wildcard mask of all zeros (0.0.0.0).
- Every octet is significant
- There has to be an exact match
Example 3
- The first two octets are significant (113.2), so the wildcard mask is 0.0.255.255
- The last two octets are not looked at
Note: make sure you understand that the wildcard mask does not influence how a network is advertised, that is, what the advertised mask or slash (/..) will be. The network statement only selects the interfaces on which the protocol runs; the prefix advertised is taken from the mask configured on each of those interfaces. In the example above, if the interface was in 113.2.34.0/30, the /30 is what goes across to the neighbour regardless of the wildcard mask.
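As an added example (not code from the original post), the three examples above run as code in Python: a bitwise wildcard match, the inverse-mask conversion, and a model of the network statement that shows the selected interfaces together with the prefix each would advertise. The interface names and addresses are constructed; the 113.2.34.0 0.0.0.255 statement is the page's own.

```python
import ipaddress

# Added example, not code from the original post. It implements wildcard-mask
# matching as used by `network <address> <wildcard>` statements and by ACLs,
# and runs the page's own 113.2.34.0 0.0.0.255 example over a constructed set
# of interfaces. Interface names and addresses are made up for illustration.


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'do not care'.
    The test is (addr XOR base) AND NOT wildcard == 0, done on all 32 bits, so
    it also handles non-contiguous masks such as 0.0.255.0."""
    diff = to_int(addr) ^ to_int(base)
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return diff & care == 0


def prefix_to_wildcard(prefix_len: int) -> str:
    """Inverse of the subnet mask: /24 -> 0.0.0.255, /30 -> 0.0.0.3."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def network_statement(base: str, wildcard: str, interfaces: dict):
    """Model an OSPF/EIGRP `network` statement. Returns the interfaces whose
    address matches, each with the prefix that will actually be advertised,
    which comes from the interface's own mask and not from the wildcard."""
    enabled = []
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        if wildcard_match(str(iface.ip), base, wildcard):
            enabled.append((name, str(iface.network)))
    return enabled


# Constructed router: two links in 113.2.34.0/24, one in the next /24, one loopback.
INTERFACES = {
    "GigabitEthernet0/0": "113.2.34.1/30",
    "GigabitEthernet0/1": "113.2.34.129/25",
    "GigabitEthernet0/2": "113.2.35.1/24",
    "Loopback0":          "10.1.1.1/32",
}

if __name__ == "__main__":
    for base, wc in (("113.2.34.0", "0.0.0.255"),   # Example 1: first three octets
                     ("113.2.34.1", "0.0.0.0"),     # Example 2: exact match
                     ("113.2.0.0", "0.0.255.255")): # Example 3: first two octets
        print("network %s %s ->" % (base, wc), network_statement(base, wc, INTERFACES))
```

Example 1 picks up both 113.2.34.x interfaces and advertises them as /30 and /25, which is the point of the note above. The non-contiguous case in wildcard_match is the one to remember for ACLs: a mask like 0.0.255.0 matches on the fourth octet while ignoring the third, something a subnet mask cannot express, and a common source of "why did this ACL match" surprises.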