
PAP vs CHAP vs MS-CHAP

jimbostan
Level 1

Hi,

When using ppp authentication for an analog dial-up modem pool (with TACACS+) is there any reason to require anything more than PAP?

..........comments please......thanks in advance.......Jamie

2 Replies

makchitale
Level 6

PAP is less secure than CHAP... In PAP the passwords are sent across the link in clear text and there is no protection from playback or trial-and-error attacks. The remote node is in control of the frequency and timing of the login attempts.

In CHAP the user credentials are hashed & sent; there are more advantages to using CHAP over PAP.... The two docs below have good info on the same.

http://www.cisco.com/warp/public/471/config-pap.html

http://www.cisco.com/warp/public/471/understanding_ppp_chap.html

For info on MSCHAP/ MSCHAP-V2:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122x/122xb/122xb_2/ftmschap.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/mschap.htm

Thanks, Mak.

Hi Mak,

Thanks for the response. I understand what you're saying but my PAP passwords are only being sent in clear text over the individual analog dial-up lines....not much chance of sniffing there? The actual authentication is handled by TACACS+ which encrypts everything from the a-server to the TACACS+ server. So...PAP should be ok in this scenario or have I missed something?

However, you've tweaked my interest in CHAP but the docs you've provided talk about router to router connections....are there any specific to dial-up modem pool support (56k modem users)? I've tried using CHAP Callin but it fails. I presume the CHAP challenge is a hash of the username and password (of which PPP client and a-server (via TACACS) are aware)?

......I'm a little confused here..........thanks for your time.......Jamie
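
An added example, not part of the original thread: a Python sketch of the two exchanges discussed above, following RFC 1334 (PAP Authenticate-Request) and RFC 1994 (CHAP with MD5). The user name, secret and the `Authenticator` class are constructed for illustration and do not model TACACS+ or any Cisco implementation.

```python
import hashlib
import hmac
import os
import struct

def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 Authenticate-Request (code 1): the password travels in the packet as-is."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 with MD5: Response Value = MD5(identifier || shared secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Access-server side (hypothetical class): one fresh challenge per attempt."""
    def __init__(self, secrets: dict):
        self.secrets = secrets  # CHAP needs the secret in recoverable form on this side
        self.pending = None

    def challenge(self):
        # Random identifier and 16-byte challenge value, remembered until answered
        self.pending = (os.urandom(1)[0], os.urandom(16))
        return self.pending

    def verify(self, name: str, ident: int, value: bytes) -> bool:
        if self.pending is None or self.pending[0] != ident or name not in self.secrets:
            return False
        _, chal = self.pending
        self.pending = None  # a challenge is good for one response only
        expected = chap_response_value(ident, self.secrets[name], chal)
        return hmac.compare_digest(expected, value)

def demo() -> dict:
    user, secret = "dialuser", b"example-secret"  # constructed sample credentials
    pap = pap_authenticate_request(1, user.encode(), secret)
    nas = Authenticator({user: secret})
    ident, chal = nas.challenge()
    resp = chap_response_value(ident, secret, chal)  # what the dial-in client sends
    accepted = nas.verify(user, ident, resp)
    ident2, _ = nas.challenge()  # next login attempt gets a new challenge
    replayed = nas.verify(user, ident2, resp)  # old response presented again
    return {"pap_exposes_password": secret in pap,
            "chap_ok": accepted, "replay_ok": replayed}
```
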