PPP Authentication with EAP
By stretch | Monday, June 14, 2010 at 2:35 a.m. UTC
Everyone knows the two classic Point-to-Point Protocol (PPP) authentication protocols, PAP and CHAP. More recently, however, Cisco IOS has introduced support for a third protocol more commonly associated with wireless networks: the Extensible Authentication Protocol (EAP).
Although only lightly documented by Cisco, EAP authentication is pretty straight-forward to configure on IOS:
username R2 password 0 Chocolate ! interface Serial1/0 ip address 10.0.0.1 255.255.255.252 encapsulation ppp serial restart-delay 0 ppp authentication eap ppp eap password 0 Vanilla ppp eap local
username R1 password 0 Vanilla ! interface Serial1/0 ip address 10.0.0.2 255.255.255.252 encapsulation ppp serial restart-delay 0 ppp authentication eap ppp eap password 0 Chocolate ppp eap local
The option for EAP authentication was introduced in section 3.2 of RFC 3748 as authentication protocol 0xC227. PPP_EAP.cap demonstrates successful EAP authentication between PPP endpoints configured as shown above. You may notice that it appears quite similar in operation to CHAP authentication.
The PPP cheat sheet has been updated to version 1.2, which now includes EAP under the "authentication protocols" heading.
Currently, IOS' implementation of EAP for PPP doesn't seem to offer any benefit over CHAP: both rely on simple MD5 hashing using a pre-configured static password. It would certainly be nice to see support for more robust EAP methods in the future.
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in WAN
August 24, 2015 at 12:02 p.m. UTC