Introduction to PPP on Cisco IOS Router

PPP is one of the WAN protocols that you can configure on Cisco IOS routers. We will take a look how PPP works and how to configure it. Do you still remember how the OSI model works?

PPP operates on the data link layer (layer 2) but as you can see the data link layer has been split into two pieces:

NCP: Network Control Protocol
LCP: Link Control Protocol

Let’s start with LCP:

LCP takes care of setting up the link. If you enable authentication for PPP it will take care of authentication. Once the link has been setup we use NCP.

NCP will make sure you can run different protocols over our PPP link like IP, IPv6 but also CDP (Cisco Discovery Protocol) and older protocols like IPX or AppleTalk.

So in short if you enable PPP on both routers this is what happens:

LCP: Takes care of setting up the link.
(Optional): Authentication.
NCP: Makes sure we can send IP and other protocols across our PPP link.

Let’s see what authentication is about:

I have two routers; the router on the left side is called R1. If you want to use authentication for PPP you have two options:

PAP (Password Authentication Protocol): This is plaintext! It will send the username and password over the PPP link and the router on the other side will check it.
CHAP (Challenge Authentication Protocol): Instead of sending the password in plaintext we are going to send a “challenge” which is a hash of the password. This is far more secure.

In the example above we are using PAP:

On the left side we have a router with hostname R1.
On the right side we have a router without a hostname but it has the username R1 and password VIDEO configured in a local database.
PPP will start setting up the link by using LCP.
Since authentication is enabled our router on the right side will authenticate R1:
- R1 will send its hostname and the password in plaintext.
- The router on the right side will accept or deny the credentials.
- If everything is ok PPP will work and we are authenticated.

PAP is very simple but sending a username and password in plaintext is not a very secure method. Let’s see how CHAP works:

Forum Replies

Hi Rene,

Could you give any practical example for the usage of PPP ?

I am still interested in understanding the usage part for this protocol.

How about a PAP example too? I used the following commands:

Username TRINITY password cisco

int s0/0
   encapsulation ppp
   ppp authentication pap
   ppp pap sent-username NEO password cisco

But I get the following error:

AAA/AUTHEN/PPP (0000010F): Pick method list 'default'

Hello Chris

In order for PPP authentication to use the PAP password that you have configured, it is necessary to specify the method by which AAA will occur for PPP. By default, the local database is used, that is the credentials created with the username my_username password my_password command. If that has not been set, then authentication cannot take place. Note that what you have configured about is the “calling” side. The other side must be configured with this username and password.

Cisco has excellent documentation on how to set up the PAP connection

... Continue reading in our forum

Hello team

When we want to enable serial authentication between two routers via PAP or CHAP, do we have to configure both routers as authenticator and to be authenticated for each one? In your CHAP example configuration could we consider R1 as authenticator and omit the command ppp authentication CHAP in R2 as R2 will be the to be authenticated router? Also even if a router is to be authenticated router, does it need the command ppp authentication PAP / CHAP?

@jmwalker24 The reason you would care is if you are an ISP. If you are serving customers a DSL connection you want to making sure only paying customers can use your network. Since PPPoE (which uses PPP )is used for DSL connections you can use PAP and CHAP authentication to keep unwanted users off your network. I hope this helps!

Thanks,
Scott Weller

24 more replies! Ask a question or join the discussion by visiting our Community Forum