From: hSzeto Jeff (jytszeto@xxxxxxxxxxx)
Date: Mon Apr 08 2002 - 05:32:48 GMT-3
If only r2 challenges r1 but not the reverse, does r1 need to have the
'username r2 password cisco' command?
TIA
Jeff
hockito,
The 'ppp authentication' command tells the router to challenge the remote
party. In Kym's example, R2 will challenge R1, no matter who initiates the
call. In your example, using the 'callin' keyword on R1 would cause R1 to
challenge R2 only when R2 called R1. This will not meet the requirement of
only R2 challenging R1 and not vice-versa.
David, the reason you need the same password on both ends is both routers
need to generate the same hash for authentication to succeed. With CHAP, the
password is not sent over the link in any way, shape or form. Only the
hashed challenge is sent across the link. If the passwords were different
(or one is missing), the hash compare will fail.
As an aside, a "CCIE Urban Myth" that comes up from time to time is that
there is a way to configure CHAP on each end such that different passwords
can be used. Because of the way CHAP works, this simply cannot be true. If
you look closely at most of the proposed "solutions" you'll probably find
that they are simply configuring a different challenge, but ultimately you
will find that the passwords will be the same on both sides.
Regards,
Mas Kato
https://ecardfile.com/id/mkato
>RE: PPP CHAP
>Date: Sat, 6 Apr 2002 16:56:30 -0600
>"Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>
>I do not think so, that'll give you an authentication error .... you may
>want to try on r1 ppp authentication chap callin
>
>cheers,
>
>hockito
>
>-----Original Message-----
>From: kym blair [mailto:kymblair@hotmail.com]
>Sent: Saturday, 06 April 2002 04:39 p.m.
>To: wicked01@ix.netcom.com; ccielab@groupstudy.com
>Subject: Re: PPP CHAP
>
>
>To get R2 to authenticate R1 using CHAP, but not have R1
>authenticate R2 (1 way CHAP):
>
>hostname r1
>encaps ppp
>username r2 password cisco
>
>hostname r2
>encaps ppp
>ppp auth chap
>username r1 password cisco
>
>
>HTH, Kym
>
>>From: David Luu <wicked01@ix.netcom.com>
>>Reply-To: David Luu <wicked01@ix.netcom.com>
>>To: ccielab@groupstudy.com
>>Subject: PPP CHAP
>>Date: Sat, 06 Apr 2002 13:22:04 -0800
>>
>>R1---ISDN---R2
>>
>>how would we get R2 to authenticate R1 using CHAP, but not have R1
>>authenticate R2 (1 way CHAP)?
>>
>>would the following config satisfy this (doing this off the top of my
>>head)...
>>ISDN configs omitted
>>
>>hostname r1
>>encaps ppp
>>ppp auth chap
>>username r2 password cisco
>>
>>hostname r2
>>encaps ppp
>>ppp auth chap
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3
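
The hash comparison described in the thread, as an added example that is not part of the original messages: a simplified model of one-way CHAP using the RFC 1994 MD5 response, MD5(Identifier || secret || Challenge). The `Router` class, its `users` table (standing in for the `username <peer> password <secret>` lines) and the function names are hypothetical, and the model assumes each side finds the shared secret by looking up the other side's hostname.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """Hypothetical model: hostname plus a local username/password table."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users  # models 'username <peer> password <secret>'

    def make_challenge(self, identifier):
        # The challenge carries an id, a random value and the challenger's name.
        return identifier, os.urandom(16), self.hostname

    def answer(self, identifier, challenge, challenger):
        # The challenged side needs an entry for the challenger to find the secret.
        secret = self.users.get(challenger)
        if secret is None:
            return None
        return self.hostname, chap_response(identifier, secret.encode(), challenge)

    def verify(self, identifier, challenge, reply):
        # The authenticator recomputes the hash with its own copy of the secret.
        if reply is None:
            return False
        peer, response = reply
        secret = self.users.get(peer)
        if secret is None:
            return False
        expected = chap_response(identifier, secret.encode(), challenge)
        return hmac.compare_digest(expected, response)


def one_way_chap(authenticator, peer, identifier=1):
    """Only `authenticator` challenges; only the hash crosses the link."""
    ident, challenge, name = authenticator.make_challenge(identifier)
    return authenticator.verify(ident, challenge, peer.answer(ident, challenge, name))


if __name__ == "__main__":
    r2 = Router("r2", {"r1": "cisco"})  # constructed values from Kym's config
    print(one_way_chap(r2, Router("r1", {"r2": "cisco"})))   # same secret
    print(one_way_chap(r2, Router("r1", {"r2": "other"})))   # different secret
    print(one_way_chap(r2, Router("r1", {})))                # no entry for r2
```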