PPP Authentication with EAP

Everyone knows the two classic Point-to-Point Protocol (PPP) authentication protocols, PAP and CHAP. More recently, however, Cisco IOS has introduced support for a third protocol more commonly associated with wireless networks: the Extensible Authentication Protocol (EAP).

Although only lightly documented by Cisco, EAP authentication is pretty straightforward to configure on IOS:

R1

username R2 password 0 Chocolate
!
interface Serial1/0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Vanilla
 ppp eap local

R2

username R1 password 0 Vanilla
!
interface Serial1/0
 ip address 10.0.0.2 255.255.255.252
 encapsulation ppp
 serial restart-delay 0
 ppp authentication eap
 ppp eap password 0 Chocolate
 ppp eap local

The option for EAP authentication was introduced in section 3.2 of RFC 3748 as authentication protocol 0xC227. PPP_EAP.cap demonstrates successful EAP authentication between PPP endpoints configured as shown above. You may notice that it appears quite similar in operation to CHAP authentication.

The PPP cheat sheet has been updated to version 1.2, which now includes EAP under the "authentication protocols" heading.

Currently, IOS' implementation of EAP for PPP doesn't seem to offer any benefit over CHAP: both rely on simple MD5 hashing using a pre-configured static password. It would certainly be nice to see support for more robust EAP methods in the future.

About the Author

Jeremy Stretch is a freelance networking engineer, instructor, and the maintainer of PacketLife.net. He currently lives in Fairfax, Virginia, on the edge of the Washington, DC metro area. Although primarily an R&S guy, he likes to get into everything, and runs a free network training lab out of his basement for fun. You can contact him by email or follow him on Twitter.
