PAP, PPP Password Authentication Protocol

Description Glossary RFCs Publications Obsolete RFCs


Protocol suite: PPP.
Protocol type:PPP link control protocol.
PPP protocol:0xC023.
MIME subtype:
Working groups:

PAP can authenticate an identity and password for a peer resulting in success or failure.

RFC 1334:

In order to establish communications over a point-to-point link, each end of the PPP link must first send LCP packets to configure the data link during Link Establishment phase. After the link has been established, PPP provides for an optional Authentication phase before proceeding to the Network-Layer Protocol phase.

By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase.

These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations.

PAP provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment.

After the Link Establishment phase is complete, an Id/Password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated.

PAP is not a strong authentication method. Passwords are sent over the circuit "in the clear", and there is no protection from playback or repeated trial and error attacks. The peer is in control of the frequency and timing of the attempts.

Any implementations which include a stronger authentication method (such as CHAP) MUST offer to negotiate that method prior to PAP.

This authentication method is most appropriately used where a plaintext password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.

PAP Configuration Options:

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
Option Length
Data :::

Option. 8 bits.


Length. 8 bits.

Data. Variable length.



[RFC 1334] PPP Authentication Protocols.


Obsolete RFCs:

Description Glossary RFCs Publications Obsolete RFCs