Password Authentication Protocol (PAP) is a simple, plaintext authentication scheme. The user name and password are requested by the remote access server and returned by the remote access client in plaintext. PAP, however, is not a secure authentication protocol. A person capturing the PAP packets between the remote access server and remote access client can easily determine the remote access client's password. PAP offers no protection against replay attacks, remote client impersonation, or remote server impersonation.
The use of PAP is negotiated during LCP negotiation by specifying the authentication protocol LCP option (type 3) with the value 0xC0-23. Once LCP negotiation is complete, PAP messages are carried with the PPP protocol ID 0xC0-23.
PAP is a simple exchange of messages:
The remote access client sends a PAP Authenticate-Request message to the remote access server containing the remote access client's user name and password in clear text.
The remote access server checks the user name and password and sends back either a PAP Authenticate-Ack message when the user's credentials are correct, or a PAP Authenticate-Nak message when the user's credentials are not correct.
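The two-message exchange above, encoded as it appears on the wire (code, identifier, length, then the length-prefixed user name and password, per RFC 1334), as an added example that is not part of the original page. The credential table, the identifier value 7, and the sample user name and password are constructed for illustration; the last function shows what a passive observer recovers from a captured PPP frame, which is the weakness the page describes.

```python
import struct

PPP_PROTOCOL_PAP = 0xC023  # PPP protocol ID negotiated for PAP via LCP option type 3

# PAP message codes (RFC 1334)
AUTHENTICATE_REQUEST = 1
AUTHENTICATE_ACK = 2
AUTHENTICATE_NAK = 3

# Constructed sample credential store for the remote access server (not real data)
CREDENTIALS = {"alice": "correct horse"}


def build_authenticate_request(identifier: int, username: str, password: str) -> bytes:
    """Encode a PAP Authenticate-Request. The password is placed in the packet as-is."""
    user = username.encode()
    pw = password.encode()
    data = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    length = 4 + len(data)  # 4-byte header (code, identifier, length) plus payload
    return struct.pack("!BBH", AUTHENTICATE_REQUEST, identifier & 0xFF, length) + data


def build_response(code: int, identifier: int, message: str) -> bytes:
    """Encode an Authenticate-Ack (code 2) or Authenticate-Nak (code 3) with a message."""
    msg = message.encode()
    length = 4 + 1 + len(msg)
    return struct.pack("!BBH", code, identifier & 0xFF, length) + bytes([len(msg)]) + msg


def parse_authenticate_request(packet: bytes) -> dict:
    """Decode an Authenticate-Request, rejecting truncated or overrunning fields."""
    if len(packet) < 4:
        raise ValueError("short PAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != AUTHENTICATE_REQUEST:
        raise ValueError(f"not an Authenticate-Request (code {code})")
    if length < 6 or length > len(packet):
        raise ValueError("bad length field")
    body = packet[4:length]
    ulen = body[0]
    if 1 + ulen + 1 > len(body):
        raise ValueError("peer-id overruns packet")
    user = body[1:1 + ulen]
    plen = body[1 + ulen]
    pw_start = 2 + ulen
    if pw_start + plen > len(body):
        raise ValueError("password overruns packet")
    pw = body[pw_start:pw_start + plen]
    return {"identifier": identifier, "username": user.decode(), "password": pw.decode()}


def parse_response(packet: bytes) -> dict:
    """Decode an Authenticate-Ack or Authenticate-Nak."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    mlen = packet[4]
    return {"code": code, "identifier": identifier, "message": packet[5:5 + mlen].decode()}


def server_handle(packet: bytes) -> bytes:
    """Remote access server side: compare the received credentials and answer Ack or Nak."""
    req = parse_authenticate_request(packet)
    if CREDENTIALS.get(req["username"]) == req["password"]:
        return build_response(AUTHENTICATE_ACK, req["identifier"], "Welcome")
    return build_response(AUTHENTICATE_NAK, req["identifier"], "Authentication failed")


def run_exchange(username: str, password: str):
    """Client request, then server verdict; returns (request bytes, response code)."""
    request = build_authenticate_request(7, username, password)
    response = server_handle(request)
    return request, parse_response(response)["code"]


def sniff_password(ppp_frame: bytes):
    """What someone capturing the link sees: a PPP frame with protocol 0xC023 carries
    the user name and password in the clear, recoverable with no key or cracking."""
    proto = struct.unpack("!H", ppp_frame[:2])[0]
    if proto != PPP_PROTOCOL_PAP:
        return None
    req = parse_authenticate_request(ppp_frame[2:])
    return req["username"], req["password"]


if __name__ == "__main__":
    request, code = run_exchange("alice", "correct horse")
    print("request bytes:", request.hex())
    print("server replied with code", code)
    print("captured credentials:", sniff_password(b"\xc0\x23" + request))
```

Because nothing in the request depends on a server-supplied nonce, the same bytes are also valid when replayed later, which is why the page lists replay and impersonation alongside password disclosure.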
PAP is included in Windows 2000 for two compatibility cases: so that remote access clients running Windows 32-bit operating systems can connect to older remote access servers that do not support a secure authentication protocol, and so that remote access clients running non-Microsoft operating systems that do not support a secure authentication protocol can connect to a remote access server running a Windows 32-bit operating system.
To make your remote access server more secure, ensure that PAP is disabled. Be aware that once PAP is disabled, older remote access clients running non-Microsoft operating systems that do not support a secure authentication protocol are unable to connect.