RE: PPP CHAP

From: Narvaez, Pablo (Pablo.Narvaez@xxxxxxxxxxxxx)
Date: Mon Apr 08 2002 - 12:16:25 GMT-3


   
Ummm Mas Kato, I have to disagree with you when saying:

"using the 'callin' keyword on R1 would cause R1 to challenge R2 only when R2 called R1. This will not meet the requirement of only R2 challenging R1 and not vice-versa"

I do not think it's true .... If you configure something like:

R1
ppp authentication chap callin

R2
ppp authentication chap

You will make R1 NOT challenge r2 at all; r2 will be the only challenger. To fully meet this requirement, you could "force" r1 to initiate the call; this way r1 will start ppp authen against r2 but will not challenge r2, whereas r2 will challenge r1.

Am I right?

-hockito-

-----Original Message-----
From: Mas Kato [mailto:loomis_towcar@speedracer.com]
Sent: Monday, 08 April 2002 02:38 a.m.
To: Narvaez, Pablo
Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
Subject: RE: PPP CHAP

hockito,

The 'ppp authentication' command tells the router to challenge the remote party. In Kym's example, R2 will challenge R1, no matter who initiates the call. In your example, using the 'callin' keyword on R1 would cause R1 to challenge R2 only when R2 called R1. This will not meet the requirement of only R2 challenging R1 and not vice-versa.

David, the reason you need the same password on both ends is both routers need to generate the same hash for authentication to succeed. With CHAP, the password is not sent over the link in any way, shape or form. Only the hashed challenge is sent across the link. If the passwords were different (or one is missing), the hash compare will fail.

As an aside, a "CCIE Urban Myth" that comes up from time to time is that there is a way to configure CHAP on each end such that different passwords can be used. Because of the way CHAP works, this simply cannot be true. If you look closely at most of the proposed "solutions" you'll probably find that they are simply configuring a different challenge, but ultimately you will find that the passwords will be the same on both sides.

Regards,

Mas Kato
https://ecardfile.com/id/mkato

> RE: PPP CHAP
> Date: Sat, 6 Apr 2002 16:56:30 -0600
> "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>
>I do not think so, that'll give you an authentication error .... you may want to try on r1 ppp authentication chap callin
>
>cheers,
>
>hockito
>
>-----Original Message-----
>From: kym blair [mailto:kymblair@hotmail.com]
>Sent: Saturday, 06 April 2002 04:39 p.m.
>To: wicked01@ix.netcom.com; ccielab@groupstudy.com
>Subject: Re: PPP CHAP
>
>
>To get R2 to authenticate R1 using CHAP, but not have R1
>authenticate R2 (1 way CHAP):
>
>hostname r1
>encaps ppp
>username r2 password cisco
>
>hostname r2
>encaps ppp
>ppp auth chap
>username r1 password cisco
>
>
>HTH, Kym
>
>>From: David Luu <wicked01@ix.netcom.com>
>>Reply-To: David Luu <wicked01@ix.netcom.com>
>>To: ccielab@groupstudy.com
>>Subject: PPP CHAP
>>Date: Sat, 06 Apr 2002 13:22:04 -0800
>>
>>R1---ISDN---R2
>>
>>how would we get R2 to authenticate R1 using CHAP, but not have R1
>>authenticate R2 (1 way CHAP)?
>>
>>would the following config satisfy this (doing this off the top of my
>>head)...
>>ISDN configs omitted
>>
>>hostname r1
>>encaps ppp
>>ppp auth chap
>>username r2 password cisco
>>
>>hostname r2
>>encaps ppp
>>ppp auth chap
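To illustrate Mas Kato's point that only the hash of the challenge crosses the link (so both ends need the same secret), together with the one-way and 'callin' behaviour the thread debates, here is an added Python model of the RFC 1994 CHAP exchange. It is not code from any post in the thread and not IOS code: the `Router` class and its `will_challenge` rule are a constructed model, and it assumes the responder looks up the secret under the challenger's hostname, as the `username r2 password cisco` lines in Kym's config imply.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Router:
    """Constructed model of the few IOS settings the thread discusses."""
    hostname: str
    usernames: dict = field(default_factory=dict)  # 'username <peer> password <secret>'
    authentication: str = ''  # '', 'chap' or 'chap callin' ('ppp authentication ...')

    def will_challenge(self, received_call: bool) -> bool:
        # 'ppp authentication chap' challenges on every call; the 'callin'
        # keyword restricts the challenge to calls this router received.
        if self.authentication == 'chap':
            return True
        if self.authentication == 'chap callin':
            return received_call
        return False


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994: Value = MD5(Identifier || secret || Challenge value).
    The secret never crosses the link; only this 16-byte digest does."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def authenticate(authenticator: Router, peer: Router, received_call: bool,
                 ident: int = 1, challenge: bytes = None):
    """One direction of CHAP. None = no challenge sent; else True/False
    for whether the authenticator accepts the peer's response."""
    if not authenticator.will_challenge(received_call):
        return None
    challenge = challenge or os.urandom(16)
    # Challenge carries the authenticator's name; the peer picks its secret by it.
    response = chap_response(ident, peer.usernames.get(authenticator.hostname, ''), challenge)
    # Response carries the peer's name; the authenticator recomputes with its own copy.
    expected = chap_response(ident, authenticator.usernames.get(peer.hostname, ''), challenge)
    return response == expected  # a missing or different secret fails here


def ppp_bringup(caller: Router, callee: Router, challenge: bytes = None) -> dict:
    """Both directions for a call placed by `caller`; keyed by the authenticating router."""
    return {callee.hostname: authenticate(callee, caller, True, challenge=challenge),
            caller.hostname: authenticate(caller, callee, False, challenge=challenge)}


if __name__ == '__main__':
    r1 = Router('r1', {'r2': 'cisco'})            # Kym's r1: no 'ppp auth chap'
    r2 = Router('r2', {'r1': 'cisco'}, 'chap')    # Kym's r2 challenges every call
    print(ppp_bringup(r1, r2))                    # {'r2': True, 'r1': None}: one-way CHAP
    print(ppp_bringup(Router('r1', {'r2': 'other'}), r2))  # {'r2': False, 'r1': None}
```

Swapping r1's line for `'chap callin'` and running both call directions shows the disagreement above in code: r1 challenges only on the call it receives.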



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3