From: fwells12 (fwells12@xxxxxxxxxxx)
Date: Thu Jan 04 2001 - 06:01:19 GMT-3
This makes complete sense. By adding only CHAP authentication to your own
NAS server, for example, you can protect yourself against whoever dials into
it, regardless of whether they have their PPP settings configured to use
CHAP or not.
The NAS would challenge any and all connections.
----- Original Message -----
From: Earl Aboytes <Earl@dnssystems.com>
To: 'Shaun Nicholson' <Shaun.Nicholson@kp.org>; Earl Aboytes
<Earl@dnssystems.com>
Cc: kingmi1 <kingmi1@yahoo.com>; ccielab <ccielab@groupstudy.com>
Sent: Wednesday, January 03, 2001 2:22 PM
Subject: RE: ISDN and CHAP
> Try it in your lab. If you don't configure it on one side there will still
> be a challenge and the router that is challenged will try to authenticate
> itself via the correct method. I have gotten this to work many times.
> Earl Aboytes, CCIE 6097
>
> -----Original Message-----
> From: Shaun Nicholson [mailto:Shaun.Nicholson@kp.org]
> Sent: Wednesday, January 03, 2001 1:56 PM
> To: Earl
> Cc: kingmi1; ccielab
> Subject: RE: ISDN and CHAP
>
> I don't want to cause an argument but the ppp auth chap callin will cause
> only one end to challenge.
>
> The way I understand it is that the callin node will not issue a challenge
> if it originates the call.
>
> I thought to use chap on one side you had to use chap on the other.
>
> Please feel free to correct me if I'm wrong
>
> Shaun
>
>
>
>
> Earl@dnssystems.com on 01/03/2001 04:44:00 PM
> To: kingmi1@yahoo.com@Internet, ccielab@groupstudy.com@Internet
> cc: (bcc: Shaun Nicholson/MD/KAIPERM)
> Subject: RE: ISDN and CHAP
>
> You want to use the ppp pap sent-username command to use a different name
> other than the router's hostname. In order to keep the other router from
> dialing don't configure a dial string.
>
> If you place the ppp auth chap command on a router it will challenge any
> router that tries to dial in.
>
> If you do NOT place the ppp auth chap command on a router it will NOT
> challenge any router that tries to dial in.
>
> That does NOT mean that you must place the command on both routers in order
> to use chap. A router will still try to authenticate itself if challenged.
> The password must be the same on both sides as chap will not send the
> password.
>
> Remember, the ppp authentication parameter is the challenge method only and
> not the method of sending passwords.
>
>
>
> Earl Aboytes, CCIE 6097
>
> -----Original Message-----
> From: Michael King [mailto:kingmi1@yahoo.com]
> Sent: Tuesday, January 02, 2001 7:33 PM
> To: ccielab@groupstudy.com
> Subject: ISDN and CHAP
>
> I want to use CHAP on one side of the ISDN link and
> not the other. I used the "ppp chap refuse callin"
> command but when I debug it shows that I'm still using
> CHAP. Here are my configs. I specifically wanted to
> use a different name other than the hostname on Router
> ONE. I also didn't want Router TWO to call. Also,
> could this be done by not using Dialer interfaces?
>
> Router ONE
> username TWO password cisco
> dialer-list 1 protocol ip permit
>
> interface BRI0
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-ni
> isdn spid1 0835866201 8358662
> isdn spid2 0835866401 8358664
> ppp authentication chap
>
> interface Dialer1
> ip address 1.1.1.2 255.0.0.0
> encapsulation ppp
> dialer remote-name TWO
> dialer string 8358661
> dialer pool 1
> dialer-group 1
> ppp authentication chap
> ppp chap hostname mike
>
> Router TWO
> username mike password cisco
> dialer-list 1 protocol ip permit
>
> interface BRI0
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-ni
> isdn spid1 0835866101 8358661
> isdn spid2 0835866301 8358663
> ppp authentication chap
>
> interface Dialer1
> ip address 1.1.1.1 255.0.0.0
> encapsulation ppp
> dialer remote-name mike
> dialer pool 1
> dialer-group 1
> ppp authentication chap
> ppp chap refuse callin
>
>
> Mike
>
>
>
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:22 GMT-3
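
The exchange discussed in this thread, as an added example that is not part of any poster's message or of Cisco IOS: a small Python model of the RFC 1994 CHAP handshake showing that only the side configured to authenticate sends a Challenge, that the challenged side answers anyway, and that the shared password never crosses the link. `Router`, `link_up` and `authenticate_peer` are hypothetical names; the router names and the password `cisco` are taken from the posted configs, and modelling only TWO as the authenticator is an assumption.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    def __init__(self, chap_name, secrets, authenticate_peer):
        self.chap_name = chap_name   # name placed in CHAP packets
        self.secrets = secrets       # peer name -> secret ('username X password Y')
        self.authenticate_peer = authenticate_peer  # models 'ppp authentication chap'

    def challenge(self):
        # Only a router configured to authenticate its peer sends a Challenge.
        if not self.authenticate_peer:
            return None
        self._id, self._chal = os.urandom(1)[0], os.urandom(16)
        return (self._id, self._chal, self.chap_name)

    def respond(self, ident, chal, challenger_name):
        # A challenged router answers even if it never challenges anyone itself.
        secret = self.secrets.get(challenger_name, b"")
        return (ident, chap_response(ident, secret, chal), self.chap_name)

    def verify(self, ident, value, peer_name):
        secret = self.secrets.get(peer_name)
        if secret is None or ident != self._id:
            return False
        expected = chap_response(ident, secret, self._chal)
        return hmac.compare_digest(value, expected)

def link_up(caller, called):
    """Run CHAP in each direction that is configured; return (accepted, wire)."""
    wire, accepted = [], True
    for authenticator, peer in ((called, caller), (caller, called)):
        chal = authenticator.challenge()
        if chal is None:
            continue                      # this side does not authenticate
        resp = peer.respond(*chal)
        wire += [chal, resp]              # everything an observer would see
        accepted = accepted and authenticator.verify(*resp)
    return accepted, wire

# Constructed model of the thread's routers: ONE dials using the name "mike".
ONE = Router("mike", {"TWO": b"cisco"}, authenticate_peer=False)
TWO = Router("TWO", {"mike": b"cisco"}, authenticate_peer=True)
```
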