What is Password Authentication Protocol?
Password Authentication Protocol (PAP) is a very basic two-way process. The username and password are sent in plain text, there is no encryption or protection. If it is accepted, the connection is allowed. PAP is not interactive in anyway, PAP is not considered a strong authentication protocol.
When the ppp authentication pap command is used, the username and password are sent as one LCP data package, rather than the server sending a login prompt and waiting for a response.
Although, PAP cannot be said to be a very strong authentication protocol but, there are times when using PAP can be justified. PAP may be used in the following situations:
i. When an installed network applications does not support CHAP
ii. Incompatibilities between different vendor implementations of CHAP
iii. Circumstances where a plain text password must be available to simulate a login at the remote host
How to configure PAP on a Cisco router interface
The process outlined below describes how to configure PPP encapsulation and PAP authentication protocols.
Before PAP configuration, we assumed that all interface IP addresses had been configured as the case may be.
HQ(config)#username RO password orbit
HQ(config-if)#ppp authentication PAP
HQ(config-if)#ppp pap sent-username HQ password orbit
Remote Office router
RO(config)#username HQ password orbit
RO(config-if)#ppp authentication PAP
RO(config-if)#ppp pap sent-username RO password orbit
The example above is of a two-way PAP authentication configuration. Both routers authenticate and are authenticated, so the PAP authentication commands emulate each other. The PAP username and password that each router sends must match those specified with the username name password password command of the other router
PAP provides a simple method for a remote host to establish its identity using a two-way handshake. This is done only on initial link establishment. The hostname on one router must match the username the other router has configured. The passwords do not have to match.