

Study Notes — PPP and PPP Authentication

Sources:

  • IPexpert BLS class-on-demand
  • IPexpert v.10 Workbook 2
  • InternetworkExpert ATS CoD v4.5

Notes — PPP General:

  • By default, PPP injects a directly connected /32 host route for the remote end into each device’s routing table.  It can be safely disabled as long as both ends of the link are on the same logical IP subnet; keep it when they are not (e.g. one side or both sides use ‘ip unnumbered’).  To disable it, use the ‘no peer neighbor-route’ interface-level command.
  • The ‘ppp quality’ interface-level command enables Link Quality Monitoring (LQM), which brings the interface down if the number of bytes transmitted vs. received over the link falls below the given percentage.
  • The ‘ppp reliable-link’ command enables LAPB numbered mode to negotiate a reliable link.

Notes — PPP Multilink

  • The ‘ppp multilink links minimum’ interface option (under the Multilink interface) specifies how many physical circuits must be up before the bundle comes up.  The ‘mandatory’ option brings the bundle down if the number of active links falls below the minimum.

Notes — PPP Authentication:

  • The ‘ppp authentication <protocol>’ command is only required on the side of the link that issues the challenge (the “server” side).  This may also be described as the side that is “doing authentication” or that is “authenticating <OtherRouter>”.
  • CHAP (and EAP) use the hostname of the router as the username by default.  PAP requires the username to be specified explicitly with the ‘ppp pap sent-username’ command.  If you need to use a different username, you can specify it with the ‘ppp chap hostname’ or ‘ppp eap identity’ commands.
  • For CHAP, if you don’t want to configure the global username/password pair on the client (or you don’t know the server’s hostname), you can specify just the password to be sent in reply to any remote authentication challenge with the ‘ppp chap password’ interface-level command.
  • If you want to use the same username in both directions with CHAP, use the ‘no ppp chap ignoreus’ interface-level command, since by default CHAP refuses to authenticate with “ourself” when the peer’s name matches our own hostname.
  • EAP is an additional “secure” protocol distinct from CHAP.  MS-CHAP and MS-CHAPv2 probably aren’t “different enough” from CHAP to satisfy a lab requirement of two different secure protocols.
  • You must specify ‘ppp eap local’ for EAP to work unless you have a RADIUS server available.
  • EAP doesn’t use the shared password from the ‘username’ statement when responding to a challenge.  You need to specify the password with ‘ppp eap password <pass>’.
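A minimal one-way CHAP configuration that puts the points above together, added here as an illustration rather than taken from the class material or workbook; the hostnames R1/R2, the name SiteB, the Serial0/0 interfaces, the 10.0.12.0/30 addressing and the password are all made up:

```cisco
! R1 is the "server" side: it issues the CHAP challenge, so it is the
! only side that needs 'ppp authentication chap'. R2 will answer with
! the name SiteB (set by 'ppp chap hostname'), so R1 needs a matching
! username entry. CHAP needs the cleartext secret on both ends, so use
! 'password' (type 0/7) here, not 'secret' (type 5).
hostname R1
!
username SiteB password 0 s3cret-shared
!
interface Serial0/0
 ip address 10.0.12.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ! both ends sit in 10.0.12.0/30, so the /32 peer route is not needed
 no peer neighbor-route
!
! ---------------------------------------------------------------
! R2 is the client side: it is being authenticated and does not
! challenge R1, so it gets no 'ppp authentication' line and needs no
! 'username' entry. It identifies itself as SiteB instead of its
! hostname and answers any challenge with the interface-level
! password, which must equal the password R1 stores for SiteB.
hostname R2
!
interface Serial0/0
 ip address 10.0.12.2 255.255.255.252
 encapsulation ppp
 ppp chap hostname SiteB
 ppp chap password 0 s3cret-shared
 no peer neighbor-route
```

To confirm the exchange, run ‘debug ppp authentication’ on R1 while the line comes up and check that ‘show interfaces Serial0/0’ reports LCP Open; if R2 were also given ‘ppp authentication chap’, R1 would in turn need a ‘ppp chap hostname’/‘ppp chap password’ pair or a ‘username’ entry for R2.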

Posted in CCIE.
