RE: CHAP Authentication

From: Andrew Lennon (andrew.lennon@xxxxxxxxxxxxx)
Date: Tue May 08 2001 - 19:21:48 GMT-3

All,

You can use differing passwords for chap providing that you name them under
the interface, i.e. if you use "ppp chap hostname" and "ppp chap 0 (0 meaning
cleartext) password" under the dialer interface. The example below is what I
use for connecting to an ISP. It includes both chap and pap (for different
ISPs) but the CALLIN keyword is included to show the relevance of one-way
connectivity.

On the ISP end there will be a tacacs+ or a radius box authenticating the
PPP that I send. If another router were authenticating then there would be
a line in the far end router with my username and password authenticating
locally.

There are many configs on the Cisco website in the dial cookbook showing
various scenarios for ISDN.

Regs

Andy

interface BRI0
 description connected to Internet
 bandwidth 64
 no ip address
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer rotary-group 1
 isdn switch-type basic-net3
 crypto map vpnmap
!
interface Dialer1
 description connected to Internet
 bandwidth 64
 ip address negotiated
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 load-interval 30
 dialer in-band
 dialer idle-timeout 2147483
 dialer string 08440416672
 dialer hold-queue 10
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname andylennon@isp.com
 ppp chap password 7 1300000000000000000000
 ppp pap sent-username lennon password 7 686812340000000000000
 crypto map vpnmap

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
louie kouncar
Sent: 08 May 2001 21:49
To: 'Johnny Dedon'; 'Rob Webber'; 'Grant Patten'; 'Christopher M.
Heffner '; 'Khalid Nafie '; 'BootCamp '
Subject: RE: CHAP Authentication

I think that the password is "what" and not "mypassword", and it seems that
both routers are using the same password. As far as I know, you need the
password on both sides to be the same for chap to work and you can't
have different passwords.

Thanks

Louie J. Kouncar
TCO3 Senior Data Center Engineer
UUNET
W-703-343-6645
C-703-304-2460

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Johnny Dedon
Sent: Tuesday, May 08, 2001 4:16 PM
To: Rob Webber; Grant Patten; 'Christopher M. Heffner '; 'Khalid Nafie
'; 'BootCamp '
Subject: Re: CHAP Authentication

Rob
Your configs appear to be using the same password "mypassword". Note the
username on each end that corresponds to the chap hostname from the remote
end.
They both use mypassword.

Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
----- Original Message -----
From: "Rob Webber" <rwebber@callisma.com>
To: "Grant Patten" <gpatten@lucent.com>; "'Christopher M. Heffner '"
<cheffner@certified-labs.net>; "'Khalid Nafie '" <knafie@ncr.com.kw>;
"'BootCamp '" <ccielab@groupstudy.com>
Sent: Tuesday, May 08, 2001 2:30 PM
Subject: RE: CHAP Authentication

> Actually I don't think I agree that the password needs to be the same on
> both routers. Usually it is - certainly for simplicity you would want it
> that way (but when is the CCIE lab ever simple?)
>
> My understanding is that two-way CHAP authentication is basically two
> separate CHAP authentications happening at the same time. Thus the passwords
> do not have to be the same for both directions. That is also why you don't
> have to run CHAP in both directions - you can just have one-way
> authentication if you want it. I dug this up from my log of my old configs -
> it uses CHAP with different usernames and passwords on each end. I have
> since sold my routers, but Grant - perhaps you could try this config and let
> us know what you find out.
>
> Thanks - Rob.
>
> my configs:
> hostname r5
> !
> !
> username abc password 0 what
> username xyz password 0 mypassword
> !
> interface BRI0
> encapsulation ppp
> ppp authentication chap
> ppp chap hostname abc
> !
>
> hostname r7
> !
> !
> username abc password 0 mypassword
> username xyz password 0 what
> !
> interface BRI0
> encapsulation ppp
> ppp authentication chap
> ppp chap hostname xyz
> !
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Grant Patten
> Sent: Tuesday, May 08, 2001 2:53 PM
> To: 'Christopher M. Heffner '; Grant Patten; 'Khalid Nafie '; 'BootCamp
> '
> Subject: RE: CHAP Authentication
>
>
> Thanks a lot to everybody who helped me out on this one. It makes sense now.
>
> Thanks,
> Grant
>
> -----Original Message-----
> From: Christopher M. Heffner
> To: Grant W. Patten; Khalid Nafie; BootCamp
> Sent: 5/8/01 1:42 PM
> Subject: RE: CHAP Authentication
>
> Grant:
> The username password is required on both sides to prove that
> they both know the same password.
>
> When the first router sends a challenge to a remote router then the
> remote router will look up the username password based on the hostname
> sent by the first router. The remote router will then run the MD5 hash
> against the challenge using the password from the username command.
>
> At the same time, the first router that sent the challenge will
> be looking up the username password of the remote router and running the
> same challenge through the MD5 hash using the remote router's password
> hence they have to be the same password. When the first router computes
> the answer to the challenge, it will then compare the response from the
> remote router that comes back. Both answers must be the same hence both
> sides know the proper password and neither side ever sends the password
> across the link.
>
> And then the whole thing starts the other way since
> router-to-router is by default two-way auth.
>
> This is covered in the Building Cisco Remote Access Networks (BCRAN)
> course.
>
> HTH,
>
> Christopher M. Heffner
> Certified Cisco Systems Instructor
> CCSI, CCNA, CCDA, CCIE Candidate
> MCT, MCSE, MCNI, MCNE, CLI, CLP, ASE, CTT, A+
> cheffner@certified-labs.net
>
>
>
> -----Original Message-----
> From: Grant W. Patten [mailto:gpatten@lucent.com]
> Sent: Tuesday, May 08, 2001 2:59 PM
> To: Khalid Nafie; BootCamp
> Subject: RE: CHAP Authentication
>
> That works just fine. Then is it fair to say definitively that CHAP only
> works when both sides are using the same password and it isn't possible to
> configure it with different passwords? If so, then why does the
> configuration require username/password to be configured for each remote
> peer?
>
> Thanks,
> Grant
>
> At 08:41 PM 5/8/2001 +0300, Khalid Nafie wrote:
> >Hi Grant,
> > Try to use the same password for both usernames.
> >================================================
> >Yours,
> >Khaled Nafie
> >Network Engineer
> >Customer Services
> >MCSE,CCDP,CCNP VOICE ACCESS
> >NCR Corporation, Kuwait
> >Mob.: +965-9872046
> >Tel : +965- 2412201, 2412203
> >Fax : +965-2413075
> >
> > > ----------
> > > From: Grant Patten[SMTP:gpatten@lucent.com]
> > > Reply To: Grant Patten
> > > Sent: Tuesday, May 08, 2001 8:12 PM
> > > To: 'ccielab@groupstudy.com'
> > > Subject: CHAP Authentication
> > >
> > > I'm struggling to get a good understanding of how exactly CHAP
> > > Authentication works. I think I'm missing something fundamental and
> > > hopefully one of you can help me out. Thanks.
> > >
> > > When I use the configuration below, I get the following debug messages:
> > >
> > > 1d15h: BR0:1 PPP: Treating connection as a callout
> > > 1d15h: BR0:1 PPP: Phase is AUTHENTICATING, by both
> > > 1d15h: BR0:1 CHAP: Using alternate hostname ISDN2
> > > 1d15h: BR0:1 CHAP: O CHALLENGE id 14 len 26 from "ISDN2"
> > > 1d15h: BR0:1 CHAP: I CHALLENGE id 14 len 26 from "ISDN1"
> > > 1d15h: BR0:1 CHAP: Using alternate hostname ISDN2
> > > 1d15h: BR0:1 CHAP: O RESPONSE id 14 len 26 from "ISDN2"
> > > 1d15h: BR0:1 CHAP: I FAILURE id 14 len 25 msg is "MD/DES compare failed"
> > >
> > >
> > > Here are the relevant portions of the configs I'm using on R1 and R2. I
> > > changed the encrypted ppp chap password to what I actually set:
> > >
> > >
> > > R2
> > >
> > > hostname R2
> > > !
> > > !
> > > username ISDN1 password 0 CCIE
> > > !
> > > !
> > > interface BRI0
> > > ip address 147.10.1.2 255.255.255.0
> > > no ip directed-broadcast
> > > encapsulation ppp
> > > dialer map ip 147.10.1.1 name ISDN1 broadcast 8358661
> > > dialer-group 1
> > > isdn switch-type basic-ni
> > > isdn spid1 0835866201
> > > isdn spid2 0835866401
> > > ppp authentication chap
> > > ppp chap hostname ISDN2
> > > ppp chap password cisco
> > >
> > > R1
> > > hostname R1
> > > !
> > > !
> > > username ISDN2 password 0 cisco
> > > !
> > > interface BRI0
> > > ip address 147.10.1.1 255.255.255.0
> > > no ip directed-broadcast
> > > encapsulation ppp
> > > dialer map ip 147.10.1.2 name ISDN2 broadcast
> > > dialer-group 1
> > > isdn switch-type basic-ni
> > > isdn spid1 0835866101
> > > isdn spid2 0835866301
> > > ppp authentication chap
> > > ppp chap hostname ISDN1
> > > ppp chap password CCIE
> > > **Please read:http://www.groupstudy.com/list/posting.html
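The mechanism Christopher describes in the thread (MD5 over identifier, secret and challenge, each router looking the peer up by the name carried in the packet), run against Grant's R1/R2 configs and against the one-way ISP case in Andy's reply. This is an added example, not code from the thread; it assumes IOS answers a challenge with the `username <challenger>` secret when one exists and otherwise with the interface `ppp chap password`, and the ISP hostname `isp-nas` and secret `client-secret` are constructed values.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    """Model of the IOS commands used in the thread (assumed semantics, see lead-in)."""

    def __init__(self, chap_hostname, usernames, chap_password=None):
        self.name = chap_hostname            # ppp chap hostname <name>
        self.usernames = usernames           # username <peer> password <secret>
        self.chap_password = chap_password   # ppp chap password <secret>

    def respond(self, ident, challenge, challenger):
        # Responder: use 'username <challenger>' if present, else the
        # interface-level 'ppp chap password'; nothing configured -> no reply.
        secret = self.usernames.get(challenger, self.chap_password)
        if secret is None:
            return None
        return self.name, chap_response(ident, secret.encode(), challenge)

    def verify(self, ident, challenge, responder, response):
        # Authenticator: recompute from 'username <responder>' and compare;
        # a mismatch is what IOS logs as "MD/DES compare failed".
        secret = self.usernames.get(responder)
        if secret is None:
            return False
        expected = chap_response(ident, secret.encode(), challenge)
        return hmac.compare_digest(expected, response)

def authenticate(authenticator, peer, ident=14):
    """One CHAP direction: authenticator challenges, peer answers with its name."""
    challenge = os.urandom(16)
    reply = peer.respond(ident, challenge, authenticator.name)
    if reply is None:
        return False
    peer_name, response = reply
    return authenticator.verify(ident, challenge, peer_name, response)

# Grant's R1/R2: R2 answers ISDN1's challenge with "CCIE", R1 checks with "cisco".
R1 = Router("ISDN1", {"ISDN2": "cisco"}, chap_password="CCIE")
R2 = Router("ISDN2", {"ISDN1": "CCIE"}, chap_password="cisco")
# Constructed ISP-style one-way case from Andy's post: only the ISP verifies.
CLIENT = Router("andylennon@isp.com", {}, chap_password="client-secret")
ISP = Router("isp-nas", {"andylennon@isp.com": "client-secret"})
```

Grant's pair fails in both directions because the secret R2 answers with is not the secret R1 holds under `username ISDN2`; the ISP pair passes only in the direction the ISP challenges, which is why that side is configured with `callin`.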



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:36 GMT-3