From: Mas Kato (loomis_towcar@xxxxxxxxxxxxxx)
Date: Mon Apr 08 2002 - 04:38:13 GMT-3
hockito,
The 'ppp authentication' command tells the router to challenge the remote
party. In Kym's example, R2 will challenge R1, no matter who initiates the
call. In your example, using the 'callin' keyword on R1 would cause R1 to
challenge R2 only when R2 called R1. This will not meet the requirement of
only R2 challenging R1 and not vice-versa.

David, the reason you need the same password on both ends is both routers
need to generate the same hash for authentication to succeed. With CHAP, the
password is not sent over the link in any way, shape or form. Only the hashed
challenge is sent across the link. If the passwords were different (or one is
missing), the hash compare will fail.

As an aside, a "CCIE Urban Myth" that comes up from time-to-time is that
there is a way to configure CHAP on each end such that different passwords
can be used. Because of the way CHAP works, this simply cannot be true. If
you look closely at most of the proposed "solutions" you'll probably find
that they are simply configuring a different challenge, but ultimately you
will find that the passwords will be the same on both sides.

Regards,
Mas Kato
https://ecardfile.com/id/mkato
> RE: PPP CHAP
> Date: Sat, 6 Apr 2002 16:56:30 -0600
> "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>
>I do not think so, that'll give you an authentication error .... you may want to try on r1 ppp authentication chap callin
>
>cheers,
>
>hockito
>
>-----Original Message-----
>From: kym blair [mailto:kymblair@hotmail.com]
>Sent: Saturday, 06 April 2002 04:39 p.m.
>To: wicked01@ix.netcom.com; ccielab@groupstudy.com
>Subject: Re: PPP CHAP
>
>
>To get R2 to authenticate R1 using CHAP, but not have R1
>authenticate R2 (1 way CHAP):
>
>hostname r1
>encaps ppp
>username r2 password cisco
>
>hostname r2
>encaps ppp
>ppp auth chap
>username r1 password cisco
>
>
>HTH, Kym
>
>>From: David Luu <wicked01@ix.netcom.com>
>>Reply-To: David Luu <wicked01@ix.netcom.com>
>>To: ccielab@groupstudy.com
>>Subject: PPP CHAP
>>Date: Sat, 06 Apr 2002 13:22:04 -0800
>>
>>R1---ISDN---R2
>>
>>how would we get R2 to authenticate R1 using CHAP, but not have R1
>>authenticate R2 (1 way CHAP)?
>>
>>would the following config satisfy this (doing this off the top of my
>>head)...
>>ISDN configs omitted
>>
>>hostname r1
>>encaps ppp
>>ppp auth chap
>>username r2 password cisco
>>
>>hostname r2
>>encaps ppp
>>ppp auth chap
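
The hash comparison described in the reply at the top of this message, as an added example that is not part of the original thread: a small Python model of the CHAP MD5 calculation from RFC 1994 (MD5 over the Identifier, the shared secret and the challenge). The class and function names are hypothetical; `r1`, `r2` and the password `cisco` are taken from the quoted configs, and `cisc0` is a constructed mismatching value.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 value: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Challenging side (R2 in the thread, the router with 'ppp auth chap')."""

    def __init__(self, secrets):
        self.secrets = secrets  # peer name -> secret, like 'username r1 password cisco'
        self.pending = None

    def challenge(self, identifier=1, value=None):
        # A fresh random challenge per attempt is what defeats replay.
        self.pending = (identifier, value or os.urandom(16))
        return self.pending

    def verify(self, peer_name, identifier, response):
        if self.pending is None:
            return False
        ident, value = self.pending
        self.pending = None  # one response per challenge
        secret = self.secrets.get(peer_name)
        if secret is None or identifier != ident:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def run_exchange(r2_secret, r1_secret, value=None):
    """One-way CHAP: R2 challenges R1. Returns (success, bytes seen on the link)."""
    r2 = Authenticator({"r1": r2_secret})
    ident, chal = r2.challenge(value=value)
    # R1 hashes with the secret from its own 'username r2 password ...' line.
    resp = chap_response(ident, r1_secret, chal)
    wire = bytes([ident]) + chal + resp + b"r1"
    return r2.verify("r1", ident, resp), wire


if __name__ == "__main__":
    print(run_exchange(b"cisco", b"cisco")[0])   # same secret on both ends
    print(run_exchange(b"cisco", b"cisc0")[0])   # secrets differ
```

Only the Identifier, the challenge, the 16-byte hash and the peer name cross the link; the secret itself stays on each router, which is why both ends must hold the same value for the comparison to succeed.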
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3