PPP Authentication with EAP

By stretch | Monday, June 14, 2010 at 2:35 a.m. UTC

Everyone knows the two classic Point-to-Point Protocol (PPP) authentication protocols, PAP and CHAP. More recently, however, Cisco IOS has introduced support for a third protocol more commonly associated with wireless networks: the Extensible Authentication Protocol (EAP).

Although only lightly documented by Cisco, EAP authentication is pretty straightforward to configure on IOS:

R1

username R2 password 0 Chocolate
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Vanilla
 ppp eap local

R2

username R1 password 0 Vanilla
!
interface Serial1/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Chocolate
 ppp eap local

The option for EAP authentication was introduced in section 3.2 of RFC 3748 as authentication protocol 0xC227. PPP_EAP.cap demonstrates successful EAP authentication between PPP endpoints configured as shown above. You may notice that it appears quite similar in operation to CHAP authentication.

The PPP cheat sheet has been updated to version 1.2, which now includes EAP under the "authentication protocols" heading.

Currently, IOS' implementation of EAP for PPP doesn't seem to offer any benefit over CHAP: both rely on simple MD5 hashing using a pre-configured static password. It would certainly be nice to see support for more robust EAP methods in the future.
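To make the CHAP comparison concrete, the following added example (not from the original post or from Cisco) builds and checks an EAP MD5-Challenge exchange in Python, using the R2 password from the configuration above. The challenge bytes and identifier are constructed sample values, and for brevity the peer name is read from the optional Name field, where EAP normally learns it from the preceding Identity exchange.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def md5_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP hash, reused unchanged by EAP MD5-Challenge (RFC 3748, 5.4)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP header (Code, Identifier, Length) + Type 4 + Value-Size + Value + Name."""
    type_data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data

def parse_eap_md5(packet: bytes):
    """Return (code, identifier, value, name); reject malformed lengths."""
    if len(packet) < 6:
        raise ValueError("too short for EAP MD5-Challenge")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 6 or length > len(packet):
        raise ValueError("bad EAP length field")
    if packet[4] != EAP_TYPE_MD5:
        raise ValueError("not EAP type 4 (MD5-Challenge)")
    size = packet[5]
    if size == 0 or 6 + size > length:
        raise ValueError("Value-Size overruns packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:length]

def peer_respond(request: bytes, secret: bytes, name: bytes) -> bytes:
    """Peer side: answer a challenge with the hash keyed by its static password."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP Request")
    return build_eap_md5(EAP_RESPONSE, identifier,
                         md5_value(identifier, secret, challenge), name)

def authenticator_verify(request: bytes, response: bytes, users: dict) -> bool:
    """Authenticator side: recompute the hash from the local username database."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, name = parse_eap_md5(response)
    secret = users.get(name)
    if code != EAP_RESPONSE or resp_id != req_id or secret is None:
        return False
    return hmac.compare_digest(value, md5_value(req_id, secret, challenge))

# Constructed sample: R1 challenges R2 using the passwords from the configs above.
CHALLENGE = bytes(range(16))            # constructed; a real challenge is random
REQUEST = build_eap_md5(EAP_REQUEST, 7, CHALLENGE, b"R1")
R1_USERS = {b"R2": b"Chocolate"}        # R1: username R2 password 0 Chocolate
```

The only secret input to the hash is the static password, exactly as in CHAP, so the EAP framing changes the packet layout but not the strength of the authentication.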

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.


Comments


aymen911
August 24, 2015 at 12:02 p.m. UTC

thank you
