
PAP vs CHAP vs MS-CHAP

Hi,

When using PPP authentication for an analog dial-up modem pool (with TACACS+), is there any reason to require anything more than PAP?

..........comments please......thanks in advance.......Jamie


Re: PAP vs CHAP vs MS-CHAP

PAP is less secure than CHAP... In PAP the passwords are sent across the link in clear text and there is no protection from playback or trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

In CHAP the user credentials are hashed and sent; there are more advantages to using CHAP over PAP... the two docs below have good info on the same.

http://www.cisco.com/warp/public/471/config-pap.html

http://www.cisco.com/warp/public/471/understanding_ppp_chap.html

For info on MSCHAP/ MSCHAP-V2:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122x/122xb/122xb_2/ftmschap.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/mschap.htm

Thanks, Mak.
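The difference described in the reply above, as an added example that is not part of the original post: a minimal Python model of the PAP request body (RFC 1334) and the CHAP MD5 challenge/response (RFC 1994), showing that a recorded CHAP response fails against a later challenge while the PAP body carries the password itself. The user name, secret and class name are constructed for illustration.

```python
import hashlib
import hmac
import os

def pap_request(username: str, password: str) -> bytes:
    """PAP Authenticate-Request data: length-prefixed peer ID and cleartext password."""
    u, p = username.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side (hypothetical class): fresh random challenge per attempt."""
    def __init__(self, secrets):
        self.secrets = secrets          # user name -> shared secret (bytes)
        self.identifier = 0
        self.challenge = b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, username, identifier, response):
        secret = self.secrets.get(username)
        if secret is None or not self.challenge or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = b""            # each challenge is accepted once only
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-secret"      # constructed sample value
    nas = ChapAuthenticator({"dialuser": secret})
    ident, chal = nas.new_challenge()
    resp = chap_response(ident, secret, chal)
    first_login = nas.verify("dialuser", ident, resp)
    # The same recorded response presented against the next challenge.
    ident2, _ = nas.new_challenge()
    replayed = nas.verify("dialuser", ident2, resp)
    pap_wire = pap_request("dialuser", secret.decode())
    return first_login, replayed, secret in pap_wire, secret in (chal + resp)

if __name__ == "__main__":
    print(demo())
```

Note that `verify()` needs the shared secret itself on the authenticating side, which RFC 1994 lists as a property of CHAP.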


Re: PAP vs CHAP vs MS-CHAP

Hi Mak,

Thanks for the response. I understand what you're saying, but my PAP passwords are only being sent in clear text over the individual analog dial-up lines... not much chance of sniffing there? The actual authentication is handled by TACACS+, which encrypts everything from the a-server to the TACACS+ server. So... PAP should be OK in this scenario, or have I missed something?

However, you've tweaked my interest in CHAP, but the docs you've provided talk about router-to-router connections... are there any specific to dial-up modem pool support (56k modem users)? I've tried using CHAP Callin but it fails. I presume the CHAP challenge is a hash of the username and password (of which PPP client and a-server (via TACACS) are aware)?

......I'm a little confused here..........thanks for your time.......Jamie
