Password Authentication Protocol (PAP) provides basic security authentication for connections.
The username and password information, however, are transmitted in cleartext, which can be
intercepted by a hacker to compromise the network. Unfortunately, a few older systems support
only PAP and not the more secure CHAP, which mandates PAP’s usage in those cases.
PAP is defined in RFC 1334.
PAP operates by establishing a connection and then checking the username and password information.
If the username and password information matches, an OK message is returned and the session
is allowed to proceed. This is illustrated in Figure 24.7. Note that the username and password
are transmitted in cleartext in PAP—a significant security risk.
PAP usernames and passwords are transmitted in cleartext, reducing the security
benefits of the protocol. Use CHAP whenever possible.
To configure PAP, the administrator needs to configure both the service and a database of
usernames and passwords. The commands used to do this are shown here:
encapsulation ppp
ppp authentication {chap | chap pap | pap chap |
pap} [if-needed] [list-name | default] [callin]
Usernames and passwords are added to the router with the username name password
secret command.
There isn’t much more to PAP—it works with a minimal amount of configuration, in large
part due to its lack of security. Readers should be familiar with the existence of this protocol and
understand that it should not be used in current designs.