PPP Authentication with EAP

Everyone knows the two classic Point-to-Point Protocol (PPP) authentication protocols, PAP and CHAP. More recently, however, Cisco IOS has introduced support for a third protocol more commonly associated with wireless networks: the Extensible Authentication Protocol (EAP).

Although only lightly documented by Cisco, EAP authentication is pretty straight-forward to configure on IOS:

R1

username R2 password 0 Chocolate
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Vanilla
 ppp eap local

R2

username R1 password 0 Vanilla
!
interface Serial1/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Chocolate
 ppp eap local

The option for EAP authentication was introduced in section 3.2 of RFC 3748 as authentication protocol 0xC227. PPP_EAP.cap demonstrates successful EAP authentication between PPP endpoints configured as shown above. You may notice that it appears quite similar in operation to CHAP authentication.

The PPP cheat sheet has been updated to version 1.2, which now includes EAP under the "authentication protocols" heading.

Currently, IOS' implementation of EAP for PPP doesn't seem to offer any benefit over CHAP: both rely on simple MD5 hashing using a pre-configured static password. It would certainly be nice to see support for more robust EAP methods in the future.