RE: ISDN and CHAP

From: Johnson, Charles (Charles.Johnson@xxxxxxxxxx)
Date: Sun Jan 07 2001 - 14:02:14 GMT-3


   
Shaun,
It sounds like you've got a handle on this, but I thought I'd throw my 2 cents at it:

with 2 routers calling each other
if there is no ppp authen on either end, they dial up and don't authenticate
if ppp authen chap is on one end, it authenticates the other end whether it calls or is called
if ppp authen chap is on each end, they authenticate both ways regardless of which end placed the call.
if ppp authen chap callin is on one end with no ppp authen on the other, the chap callin router can call the other with no authentication. But, if anything calls in to it, it requires CHAP *** the keyword "callin" tells the router to authen only if the connection is treated as a callin ***
if both ends have ppp authen chap callin configured, each end will require CHAP authen by anything calling in, but it will be one way because the router doing the dialing will not require authentication. The router dialing treats the connection as callout.

PAP works the same way.

Of course, you have to have all the username and password stuff right for the authentication to succeed. Hope this helps someone out there. Please correct me if I'm wrong.

Charles

-----Original Message-----
From: Shaun Nicholson [mailto:Shaun.Nicholson@kp.org]
Sent: Wednesday, January 03, 2001 4:56 PM
To: Earl
Cc: kingmi1; ccielab
Subject: RE: ISDN and CHAP

I don't want to cause an argument but the ppp auth chap callin will cause only
one end to challenge.

The way I understand it is that the callin node will not issue a challenge if it
originates the call.

I thought to use chap on one side you had to use chap on the other.

Please feel free to correct me if I'm wrong

Shaun

Earl@dnssystems.com on 01/03/2001 04:44:00 PM
To: kingmi1@yahoo.com@Internet, ccielab@groupstudy.com@Internet
cc: (bcc: Shaun Nicholson/MD/KAIPERM)
Subject: RE: ISDN and CHAP

You want to use the ppp pap sent-username command to use a different name
other than the router's hostname. In order to keep the other router from
dialing don't configure a dial string.

If you place the ppp auth chap command on a router it will challenge any
router that tries to dial in.

If you do NOT place the ppp auth chap command on a router it will NOT
challenge any router that tries to dial in.

That does NOT mean that you must place the command on both routers in order
to use chap. A router will still try to authenticate itself if challenged.
The password must be the same on both sides as chap will not send the
password.

Remember, the ppp authentication parameter is the challenge method only and
not the method of sending passwords.

Earl Aboytes, CCIE 6097

-----Original Message-----
From: Michael King [mailto:kingmi1@yahoo.com]
Sent: Tuesday, January 02, 2001 7:33 PM
To: ccielab@groupstudy.com
Subject: ISDN and CHAP

I want to use CHAP on one side of the ISDN link and
not the other. I used the "ppp chap refuse callin"
command but when I debug it shows that I'm still using
CHAP. Here are my configs. I specifically wanted to
use a different name other than the hostname on Router
ONE. I also didn't want Router TWO to call. Also,
could this be done by not using Dialer interfaces?

Router ONE
username TWO password cisco
dialer-list 1 protocol ip permit

interface BRI0
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 0835866201 8358662
 isdn spid2 0835866401 8358664
 ppp authentication chap

interface Dialer1
 ip address 1.1.1.2 255.0.0.0
 encapsulation ppp
 dialer remote-name TWO
 dialer string 8358661
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp chap hostname mike

Router TWO
username mike password cisco
dialer-list 1 protocol ip permit

interface BRI0
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 0835866101 8358661
 isdn spid2 0835866301 8358663
 ppp authentication chap

interface Dialer1
 ip address 1.1.1.1 255.0.0.0
 encapsulation ppp
 dialer remote-name mike
 dialer pool 1
 dialer-group 1
 ppp authentication chap
 ppp chap refuse callin

Mike
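
The following is an added example, not part of any message in this thread and not Cisco code. It models the rules discussed above: which end issues a CHAP challenge for the settings "none", "chap" and "chap callin", and why both sides need the same password even though only an MD5 hash (RFC 1994) crosses the link. The router dictionaries, the function names and the lookup of the secret by the other side's name are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def challengers(caller_auth, called_auth):
    """Which ends issue a challenge, following the rules listed in the thread.
    Settings modelled: "none", "chap", "chap callin"."""
    ends = set()
    if caller_auth == "chap":                    # plain chap: challenges even when dialing out
        ends.add("caller")
    if called_auth in ("chap", "chap callin"):   # callin: challenges only incoming calls
        ends.add("called")
    return ends

def chap_exchange(authenticator, peer):
    """One direction of CHAP. Each router is a dict with 'name' (the name it
    sends) and 'users' (name -> shared secret), mirroring 'username X password Y'."""
    ident, challenge = 1, os.urandom(16)         # sent in the Challenge packet
    secret = peer["users"].get(authenticator["name"])
    if secret is None:
        return False                             # peer has no secret for this challenger
    response = chap_response(ident, secret, challenge)   # only this hash goes on the wire
    expected = authenticator["users"].get(peer["name"])
    if expected is None:
        return False                             # challenger has no entry for the peer
    return hmac.compare_digest(response, chap_response(ident, expected, challenge))

def place_call(caller, called):
    """Return {challenging end: success} for a call from caller to called."""
    roles = {"caller": (caller, called), "called": (called, caller)}
    return {end: chap_exchange(*roles[end])
            for end in challengers(caller["auth"], called["auth"])}

# Constructed sample routers, loosely following the names and passwords in the thread.
ONE = {"name": "mike", "auth": "chap callin", "users": {"TWO": b"cisco"}}
TWO = {"name": "TWO", "auth": "chap", "users": {"mike": b"cisco"}}

if __name__ == "__main__":
    print(place_call(ONE, TWO))   # ONE dials: only TWO challenges
    print(place_call(TWO, ONE))   # TWO dials: both ends challenge
```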


