There are many methods of deploying a wide area network (WAN) when using Cisco routers. Some of these methods are HDLC, PPP, Frame Relay, and MPLS. The Point-to-Point Protocol (PPP) is an industry-standard WAN protocol that allows for the deployment of secured wide area connections between routers from different vendors. In this post, I will show how to successfully configure PPP with authentication between two Cisco routers stationed miles apart from each other.
We have two offices that are connected via fiber. Because we want to make sure that this connection is secure, I will be using PPP with username and password set for authentication. Let’s look at the network topology below:
By default, Cisco routers run the High-Level Data Link Control (HDLC) protocol on WAN interfaces. HDLC is very easy to deploy since it is enabled on the serial interface by default, but it has a security weakness: it does not provide authentication. To set up PPP, the network admin has to statically configure the hostname of the remote router as a username on the local router and set the password that must be provided during authentication. Because the authentication exchange crosses the link, we must also specify an authentication protocol (CHAP in this post) so that nobody can pick up the password and use it to gain unauthorized access to the network.
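! RouterA: switch the serial interface from the default HDLC to PPP, then enable CHAP
RouterA(config-if)#encapsulation ppp
RouterA(config-if)#clock rate 64000
RouterA(config-if)#ip add 192.168.1.1 255.255.255.252
RouterA(config-if)#ppp authentication chap
RouterA(config-if)#username RouterB pass cisco
! RouterB: same steps, with RouterA's hostname as the username and the same password
RouterB(config-if)#encapsulation ppp
RouterB(config-if)#ip add 192.168.1.2 255.255.255.252
RouterB(config-if)#ppp authentication chap
RouterB(config-if)#username RouterA pass cisco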
Note that the username set on a PPP router must match the hostname of the remote device. This is essentially the network admin telling the local PPP router what the hostname of the connecting device should be. If the hostname of the remote device does not match the username set on the local device, the connection will not be established. The password supplied by the remote device must also match the password set on the local device. Lastly, CHAP is better than PAP, though both can be set at the same time with the command Router(config-if)#ppp authentication chap pap.
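As an added example (not part of the original post and not Cisco's code), the Python sketch below models the CHAP exchange defined in RFC 1994 using the post's hostnames and password. It shows why the username must equal the peer's hostname, and that only an MD5 hash of the challenge and the shared secret crosses the link, not the password itself. The function names and the dictionaries standing in for the username entries are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed data mirroring the post: each router stores the PEER's hostname
# as the username, with the same shared secret ("cisco") on both sides.
ROUTER_A_USERS = {"RouterB": b"cisco"}
ROUTER_B_USERS = {"RouterA": b"cisco"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def answer_challenge(my_name, my_users, challenger, identifier, challenge):
    """Peer side: find the secret stored under the challenger's hostname."""
    secret = my_users.get(challenger)
    if secret is None:
        return None  # no username entry matches the challenger's hostname
    return my_name, chap_response(identifier, secret, challenge)


def verify_response(my_users, peer_name, identifier, challenge, response):
    """Authenticator side: recompute the hash from the local username entry."""
    secret = my_users.get(peer_name)
    if secret is None:
        return False  # peer's hostname has no matching username entry
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def authenticate(auth_name, auth_users, peer_name, peer_users) -> bool:
    """One direction of the handshake: auth_name challenges peer_name."""
    identifier, challenge = 1, os.urandom(16)  # fresh random challenge
    reply = answer_challenge(peer_name, peer_users, auth_name, identifier, challenge)
    if reply is None:
        return False
    name, response = reply
    return verify_response(auth_users, name, identifier, challenge, response)


if __name__ == "__main__":
    # Both directions must pass, since both routers run "ppp authentication chap".
    print(authenticate("RouterA", ROUTER_A_USERS, "RouterB", ROUTER_B_USERS))
    print(authenticate("RouterB", ROUTER_B_USERS, "RouterA", ROUTER_A_USERS))
    # Hostname/username mismatch: RouterA has no entry for "RouterX".
    print(authenticate("RouterA", ROUTER_A_USERS, "RouterX", ROUTER_B_USERS))
```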
To verify, simply run a ping across the WAN link. If it succeeds, then the PPP authentication was successful. You can also verify the authentication phase by issuing the command debug ppp authentication from privileged EXEC mode. This will report PPP authentication status in real time. Another way is to use the command debug ppp packet. This will debug packets being sent across the PPP link in real time.