From: Johnson, Charles (Charles.Johnson@xxxxxxxxxx)
Date: Sun Jan 07 2001 - 21:42:37 GMT-3
Yes. I thought my note was long winded, so I just said "you have to have
all the username and password stuff right".
You have to have the username and password of the other router in your
config. As you said, for CHAP, the passwords must be the same. I think it
is good practice to put username/password statements in global config on
both sides. It would never be considered an extra command, even though
there is a way around it in a router that is being authenticated by the
other end. That router can use the "ppp chap password" interface command
and leave off the global username/password command.
Charles
-----Original Message-----
From: Padhu (LFG) [mailto:padhu@steinroe.com]
Sent: Sunday, January 07, 2001 4:53 PM
To: Johnson, Charles; 'Shaun Nicholson '; 'Earl '
Cc: 'kingmi1 '; 'ccielab '
Subject: RE: ISDN and CHAP with Different passwords problem
I tried this... works only with the chap passwords being the same... with
different passwords doesn't work... is that normal or am I breaking the rules
here??? (I'll try this again and post the actual config later tonight)
... changing both chap passwords to cisco works. debug ppp auth
shows md/des compare failed...
This is what I did (just the relevant config):
R1:
username router5 password pasword5
int bri 0
dialer map ip 170.10.1.5 name router5 2010014 broadcast
encap ppp
ppp auth chap
ppp chap hostname router1
ppp chap password password1
R5:
username router1 password pasword1
int bri 0
dialer map ip 170.10.1.1 name router1 2010012 broadcast
encap ppp
ppp auth chap
ppp chap hostname router5
ppp chap password password5
-----Original Message-----
From: Johnson, Charles
To: Shaun Nicholson; Earl
Cc: kingmi1; ccielab
Sent: 1/7/01 11:02 AM
Subject: RE: ISDN and CHAP
Shaun,
It sounds like you've got a handle on this, but I thought I'd throw my 2
cents at it:
with 2 routers calling each other
if there is no ppp authen on either end, they dial up and don't
authenticate
if ppp authen chap is on one end, it authenticates the other end whether
it calls or is called
if ppp authen chap is on each end, they authenticate both ways
regardless of which end placed the call.
if ppp authen chap callin is on one end with no ppp authen on the other,
the chap callin router can call the other with no authentication. But,
if anything calls in to it, it requires CHAP *** the keyword "callin"
tells the router to authen only if the connection is treated as a callin
***
if both ends have ppp authen chap callin configured, each end will
require CHAP authen by anything calling in, but it will be one way
because the router doing the dialing will not require authentication.
The router dialing treats the connection as callout.
PAP works the same way.
Of course, you have to have all the username and password stuff right
for the authentication to succeed. Hope this helps someone out there.
Please correct me if I'm wrong.
Charles
-----Original Message-----
From: Shaun Nicholson [mailto:Shaun.Nicholson@kp.org]
Sent: Wednesday, January 03, 2001 4:56 PM
To: Earl
Cc: kingmi1; ccielab
Subject: RE: ISDN and CHAP
I don't want to cause an argument but the ppp auth chap callin will
cause only one end to challenge.
The way I understand it is that the callin node will not issue a
challenge if it originates the call.
I thought to use chap on one side you had to use chap on the other.
Please feel free to correct me if I'm wrong
Shaun
Earl@dnssystems.com on 01/03/2001 04:44:00 PM
To: kingmi1@yahoo.com@Internet, ccielab@groupstudy.com@Internet
cc: (bcc: Shaun Nicholson/MD/KAIPERM)
Subject: RE: ISDN and CHAP
You want to use the ppp pap sent-username command to use a different name
other than the router's hostname. In order to keep the other router from
dialing don't configure a dial string.
If you place the ppp auth chap command on a router it will challenge any
router that tries to dial in.
If you do NOT place the ppp auth chap command on a router it will NOT
challenge any router that tries to dial in.
That does NOT mean that you must place the command on both routers in order
to use chap. A router will still try to authenticate itself if challenged.
The password must be the same on both sides as chap will not send the
password.
Remember, the ppp authentication parameter is the challenge method only and
not the method of sending passwords.
Earl Aboytes, CCIE 6097
-----Original Message-----
From: Michael King [mailto:kingmi1@yahoo.com]
Sent: Tuesday, January 02, 2001 7:33 PM
To: ccielab@groupstudy.com
Subject: ISDN and CHAP
I want to use CHAP on one side of the ISDN link and
not the other. I used the "ppp chap refuse callin"
command but when I debug it shows that I'm still using
CHAP. Here are my configs. I specifically wanted to
use a different name other than the hostname on Router
ONE. I also didn't want Router TWO to call. Also,
could this be done by not using Dialer interfaces?
Router ONE
username TWO password cisco
dialer-list 1 protocol ip permit
interface BRI0
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 0835866201 8358662
isdn spid2 0835866401 8358664
ppp authentication chap
interface Dialer1
ip address 1.1.1.2 255.0.0.0
encapsulation ppp
dialer remote-name TWO
dialer string 8358661
dialer pool 1
dialer-group 1
ppp authentication chap
ppp chap hostname mike
Router TWO
username mike password cisco
dialer-list 1 protocol ip permit
interface BRI0
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-ni
isdn spid1 0835866101 8358661
isdn spid2 0835866301 8358663
ppp authentication chap
interface Dialer1
ip address 1.1.1.1 255.0.0.0
encapsulation ppp
dialer remote-name mike
dialer pool 1
dialer-group 1
ppp authentication chap
ppp chap refuse callin
Mike
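
An added example, not part of any message in this thread: a small Python model of the CHAP MD5 comparison (RFC 1994) run against the R1/R5 passwords posted above, showing why the compare fails unless both ends hold the same secret. The `Router` class, its field names and the lookup order in `secret_for` (a matching global username entry first, the interface "ppp chap password" only as fallback) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994, MD5 algorithm: hash of identifier octet, shared secret, challenge value
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class Router:
    """Hypothetical model of one end of the link (not IOS code)."""
    def __init__(self, chap_hostname, usernames, chap_password=None):
        self.name = chap_hostname           # "ppp chap hostname"
        self.usernames = usernames          # global "username X password Y" lines
        self.chap_password = chap_password  # interface "ppp chap password"

    def secret_for(self, peer_name):
        # Assumption: a matching username entry wins; "ppp chap password" is the fallback
        return self.usernames.get(peer_name, self.chap_password)

def authenticate(authenticator, peer, identifier=1):
    """authenticator challenges peer; True if the peer's response verifies."""
    challenge = os.urandom(16)
    peer_secret = peer.secret_for(authenticator.name)
    expected_secret = authenticator.usernames.get(peer.name)
    if peer_secret is None or expected_secret is None:
        return False
    response = chap_response(identifier, peer_secret, challenge)   # sent on the wire
    expected = chap_response(identifier, expected_secret, challenge)
    return hmac.compare_digest(response, expected)                 # the MD5 compare

def thread_config():
    # Passwords exactly as posted for R1 and R5 in the thread
    r1 = Router("router1", {"router5": "pasword5"}, "password1")
    r5 = Router("router5", {"router1": "pasword1"}, "password5")
    return authenticate(r1, r5), authenticate(r5, r1)

def same_secret():
    r1 = Router("router1", {"router5": "cisco"})
    r5 = Router("router5", {"router1": "cisco"})
    return authenticate(r1, r5), authenticate(r5, r1)

def interface_password_only():
    # Constructed case: R5 has no username line for router1, only the interface secret
    r1 = Router("router1", {"router5": "pasword5"})
    r5 = Router("router5", {}, "pasword5")
    return authenticate(r1, r5)

if __name__ == "__main__":
    print(thread_config(), same_secret(), interface_password_only())
```

Under the assumed lookup order, the interface passwords in the posted R1/R5 config are never consulted because each router has a username entry for its peer, so each direction compares two different secrets and fails.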