RE: CHAP Authentication

From: Dirar Hakeem (dirarhakeem@xxxxxxxxx)
Date: Tue May 08 2001 - 16:52:09 GMT-3


   
Having one-way authentication means only one of the
routers sends a challenge and the other sends the
reply; however, the hash is calculated locally, and
in order to come up with the same hash value on both
ends, given that in CHAP the password never gets sent
across the line, you need to have the same password
on both routers.

--- Rob Webber <rwebber@callisma.com> wrote:
> Actually I don't think I agree that the password
> needs to be the same on
> both routers. Usually it is - certainly for
> simplicity you would want it
> that way (but when is the CCIE lab ever simple?)
>
> My understanding is that two-way CHAP authentication
> is basically two
> separate CHAP authentications happening at the same
> time. Thus the passwords
> do not have to be the same for both directions. That
> is also why you don't
> have to run CHAP in both directions - you can just
> have one-way
> authentication if you want it. I dug this up from my
> log of my old configs -
> it uses CHAP with different usernames and passwords
> on each end. I have
> since sold my routers, but Grant - perhaps you could
> try this config and let
> us know what you find out.
>
> Thanks - Rob.
>
> my configs:
> hostname r5
> !
> !
> username abc password 0 what
> username xyz password 0 mypassword
> !
> interface BRI0
> encapsulation ppp
> ppp authentication chap
> ppp chap hostname abc
> !
>
> hostname r7
> !
> !
> username abc password 0 mypassword
> username xyz password 0 what
> !
> interface BRI0
> encapsulation ppp
> ppp authentication chap
> ppp chap hostname xyz
> !
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> Grant Patten
> Sent: Tuesday, May 08, 2001 2:53 PM
> To: 'Christopher M. Heffner '; Grant Patten; 'Khalid
> Nafie '; 'BootCamp
> '
> Subject: RE: CHAP Authentication
>
>
> Thanks a lot to everybody who helped me out on this
> one. It makes sense now.
>
> Thanks,
> Grant
>
> -----Original Message-----
> From: Christopher M. Heffner
> To: Grant W. Patten; Khalid Nafie; BootCamp
> Sent: 5/8/01 1:42 PM
> Subject: RE: CHAP Authentication
>
> Grant:
> The username password is required on both sides to
> prove that
> they both know the same password.
>
> When the first router sends a challenge to a remote
> router then the
> remote router will look up the username password
> based on the hostname
> sent by the first router. The remote router will
> then run the MD5 hash
> against the challenge using the password from the
> username command.
>
> At the same time, the first router that sent the
> challenge will
> be looking up the username password of the remote
> router and running the
> same challenge through the MD5 hash using the remote
> router's password
> hence they have to be the same password. When the
> first router computes
> the answer to the challenge, it will then compare
> the response from the
> remote router that comes back. Both answers must be
> the same hence both
> sides know the proper password and neither side ever
> sends the password
> across the link.
>
> And then the whole thing starts the other way since
> router-to-router is by default two-way auth.
>
> This is covered in the Building Cisco Remote Access
> Networks (BCRAN)
> course.
>
> HTH,
>
> Christopher M. Heffner
> Certified Cisco Systems Instructor
> CCSI, CCNA, CCDA, CCIE Candidate
> MCT, MCSE, MCNI, MCNE, CLI, CLP, ASE, CTT, A+
> cheffner@certified-labs.net
>
>
>
> -----Original Message-----
> From: Grant W. Patten [mailto:gpatten@lucent.com]
> Sent: Tuesday, May 08, 2001 2:59 PM
> To: Khalid Nafie; BootCamp
> Subject: RE: CHAP Authentication
>
> That works just fine. Then is it fair to say
> definitively that CHAP
> only
> works when both sides are using the same password
> and it isn't possible
> to
> configure it with different passwords? If so, then
> why does the
> configuration require username/password to be
> configured for each remote
> peer?
>
> Thanks,
> Grant
>
> At 08:41 PM 5/8/2001 +0300, Khalid Nafie wrote:
> >Hi Grant,
> > Try to use the same password for both
> usernames.
> >================================================
> >Yours,
> >Khaled Nafie
> >Network Engineer
> >Customer Services
> >MCSE,CCDP,CCNP VOICE ACCESS
> >NCR Corporation, Kuwait
> >Mob.: +965-9872046
> >Tel : +965- 2412201, 2412203
> >Fax : +965-2413075
> >
> > > ----------
> > > From: Grant
> Patten[SMTP:gpatten@lucent.com]
> > > Reply To: Grant Patten
> > > Sent: Tuesday, May 08, 2001 8:12 PM
> > > To: 'ccielab@groupstudy.com'
> > > Subject: CHAP Authentication
> > >
> > > I'm struggling to get a good understanding of
> how exactly CHAP
> > > Authentication works. I think I'm missing
> something fundamental and
> > > hopefully one of you can help me out. Thanks.
> > >
> > > When I use the configuration below, I get the
> following debug
> messages:
> > >
> > > 1d15h: BR0:1 PPP: Treating connection as a
> callout
> > > 1d15h: BR0:1 PPP: Phase is AUTHENTICATING, by
> both
> > > 1d15h: BR0:1 CHAP: Using alternate hostname
> ISDN2
> > > 1d15h: BR0:1 CHAP: O CHALLENGE id 14 len 26 from
> "ISDN2"
> > > 1d15h: BR0:1 CHAP: I CHALLENGE id 14 len 26 from
> "ISDN1"
> > > 1d15h: BR0:1 CHAP: Using alternate hostname
> ISDN2
> > > 1d15h: BR0:1 CHAP: O RESPONSE id 14 len 26 from
> "ISDN2"
> > > 1d15h: BR0:1 CHAP: I FAILURE id 14 len 25 msg is
> "MD/DES compare
> failed"
> > >
> > >
> > > Here are the relevant portions of the configs I'm
> using on R1 and R2.
> I
> > > changed the encrypted ppp chap password to what
> I actually set:
> > >
> > >
> > > R2
> > >
> > > hostname R2
>
=== message truncated ===
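An added simulation of the exchange the thread describes, written here and not code from anyone in the thread: each router keeps its own username table, the responder takes the password stored under the challenger's name, and the challenger verifies with the password stored under the responder's name, using the RFC 1994 response formula MD5(id || secret || challenge). The r5/r7 tables are taken from Rob's configs above; the lookup rule is assumed to work as Christopher describes it.

```python
import hashlib
import os

# Constructed model of two Cisco-style routers running CHAP (RFC 1994), built
# from Rob's r5/r7 configs in the thread: "hostname" is the name the router
# presents ("ppp chap hostname"), "users" is its local username/password table.
ROB_CONFIG = {
    "r5": {"hostname": "abc", "users": {"abc": "what", "xyz": "mypassword"}},
    "r7": {"hostname": "xyz", "users": {"abc": "mypassword", "xyz": "what"}},
}


def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate(routers, authenticator, peer, ident=14, challenge=None):
    """One CHAP direction: `authenticator` challenges `peer`, `peer` responds.

    Returns (success, secret the peer used, secret the authenticator used).
    Only the challenge value and the 16-byte hash cross the link, never a secret.
    """
    challenge = challenge or os.urandom(16)
    auth, resp = routers[authenticator], routers[peer]
    # Peer receives CHALLENGE carrying the authenticator's name and takes the
    # password stored under that username (the lookup rule from the thread).
    resp_secret = resp["users"][auth["hostname"]]
    response = chap_response(ident, resp_secret, challenge)
    # Authenticator receives RESPONSE carrying the peer's name, looks up that
    # username in its own table and recomputes the hash over its own challenge.
    auth_secret = auth["users"][resp["hostname"]]
    expected = chap_response(ident, auth_secret, challenge)
    return expected == response, resp_secret, auth_secret


def two_way(routers, a, b):
    """Two-way CHAP is two independent one-way exchanges, one per direction,
    each with its own challenge generated by the side doing the authenticating."""
    return {f"{a} authenticates {b}": authenticate(routers, a, b),
            f"{b} authenticates {a}": authenticate(routers, b, a)}


if __name__ == "__main__":
    for direction, (ok, s_peer, s_auth) in two_way(ROB_CONFIG, "r5", "r7").items():
        verdict = "SUCCESS" if ok else "FAILURE (MD/DES compare failed)"
        print(f"{direction}: {verdict}; peer used {s_peer!r}, "
              f"authenticator used {s_auth!r}")
```

Run on Rob's tables, both directions succeed, and under this lookup rule both directions end up hashing with "mypassword" (r5's entry for xyz and r7's entry for abc); the two "what" entries are never consulted. A pair whose looked-up entries differ fails the compare, which is the symptom in Grant's debug output.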



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:36 GMT-3