Setting up PAP authentication on PPP


PAP (Password Authentication Protocol) is a common method for authenticating remote PPP users. Once set up, PAP and CHAP make your users' dialup scripts simpler and give you more power over your users (which is the real reason administrators like it so much).

  1. Create /etc/pap, which contains only 2 lines:
    jsmith
    mypassword   
  2. Edit /etc/ppp/options, which contains a list of command-line options for pppd (see man pppd for details). Sometimes 'crtscts' is also needed.
    /dev/modem
    57600
    defaultroute
    +ua /etc/pap
    noipdefault   
  3. Edit /etc/ppp/pap-secrets - both the username and the password should be enclosed in double quotes.
    "jsmith"    *       "mypassword"   
  4. Edit your dialup script
    cd
    /usr/sbin/pppd connect '/usr/sbin/chat -v "" ATM0 "" ATDT301-555-1212 CONNECT'
    cd -    
Note that the script is a little simpler than a script that uses the login/password authentication protocol, which looks like this:
    '' ATZ OK 
    ATM0 OK 
    ATDT301-555-1212
    57600 '' 
    name: jsmith
    ssword: mypassword
    '' ppp
    '~--' ''  
In fact, the login name and password must not appear in the 'chat' script, because your ISP may have a broken ppp implementation that still requests a password and login name, even though it requires PAP or CHAP, and may even send you a bogus IP number along with a bogus, unusable route. This can be very confusing to your users.

If you get the message
    chat: Entering PPP mode.
    chat: Async interface address is unnumbered (Loopback1) 
from your ISP, this unequivocally means authentication did not succeed, even if you receive the following lines shortly thereafter (which normally indicate a successful connection):

    chat: Your IP address is 111.222.33.167. MTU is 1500 bytes^M
    chat: Header compression will match your system.
    chat: ^M
    chat: ~
    chat:  -- got it 
    chat: send (^M)
    pppd: Serial connection established.
    pppd: Using interface ppp0
    pppd: Connect: ppp0 <--> /dev/modem
    pppd: local  IP address 111.222.33.167
    pppd: remote IP address 111.222.33.1  
This was taken from an actual 'chat' session. After receiving this bogus IP address (or one similar to this), the output from 'route -n' and 'ifconfig' looked perfectly normal; but no IP connections could be made. In fact, it was not even possible to ping the ppp server.

The "Async interface" message also indicates that the server is a Cisco remote access server such as a 3640.
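
The check described above, as an added example that is not part of the original page: a shell function that reads chat/pppd log lines and marks a session as failed when the "Async interface address is unnumbered" message precedes pppd's address report. The function names and the second session (192.0.2.x addresses) are constructed for illustration; the first session uses the log lines quoted on this page.

```shell
#!/bin/sh
# Added example (not from the original page).
# Prints one line per PPP session found in the log: "<verdict> <local-ip>".
ppp_session_verdicts() {
    awk '
        # Message from the access server: authentication did not succeed.
        /chat: .*Async interface address is unnumbered/ { failed = 1 }

        # pppd reports an address either way, so this line alone proves
        # nothing; the verdict depends on whether the marker came first.
        /pppd: local +IP address/ {
            ip = $NF
            sub(/\r$/, "", ip)          # strip a trailing carriage return
            verdict = failed ? "auth-failed" : "connected"
            print verdict, ip
            failed = 0                  # next session starts clean
        }

        # Marker seen, but pppd never brought the link up.
        END { if (failed) print "auth-failed", "-" }
    ' "$@"
}

# Sample input: session 1 is taken from the log on this page,
# session 2 is constructed to show a session without the marker.
sample_log() {
    cat <<'EOF'
chat: Entering PPP mode.
chat: Async interface address is unnumbered (Loopback1)
chat: Your IP address is 111.222.33.167. MTU is 1500 bytes^M
pppd: Serial connection established.
pppd: local  IP address 111.222.33.167
pppd: remote IP address 111.222.33.1
pppd: Serial connection established.
pppd: local  IP address 192.0.2.10
pppd: remote IP address 192.0.2.1
EOF
}

sample_log | ppp_session_verdicts
```

The function also accepts log file names as arguments, so it can be pointed at wherever chat and pppd messages are logged on your system.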

Of course, your ISP probably does not care that they are giving out bogus IP addresses and may well just give your users the brush-off if they complain. But ISPs will be the first against the wall when the revolution comes.

