From: Narvaez, Pablo (Pablo.Narvaez@xxxxxxxxxxxxx)
Date: Mon Apr 08 2002 - 13:31:37 GMT-3
Ying, I think this could meet the requirement in a certain way but I do not believe callback is the solution.
In order for callback to be successful, both ends must authenticate one another ... my understanding of callback is about making the link more secure. So, when the callback server, say r2, receives a call, it authenticates the calling party, say r1, and drops the call. Then r2 places the call back to r1, which is waiting for r2 to call back. Now, my understanding is that r1 will accept the response of the callback request ONLY from r2. For this, r1 will have to "see" and make sure that the calling router is r2; in this process I think r1 has to authenticate r2 in a certain way.
If using "dialin" you will not challenge the calling party, but the calling host will try to authenticate you. For this to work, you still have to configure the remote user/passwd locally on both ends to compare the chap hash.
Am I right? I could be wrong or missing something here ...
hockito
From: ying chang [mailto:ying_c@hotmail.com]
Sent: Monday, 08 April 2002 11:17 a.m.
To: Narvaez, Pablo; loomis_towcar@speedracer.com
Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
Subject: RE: PPP CHAP
Hi hockito,
How about using the callback keyword instead of the callin keyword? Below are my
own notes that I did a while back; will this meet the requirement?
Thanks,
Chang
One-way authentication with ppp auth chap callback on R5, ppp auth chap on
R6, R5 calls R6:
R6 challenges and authenticates R5
(Debug ppp authentication from R5)
04:41:39: BR0:1 PPP: Treating connection as a callout
04:41:39: BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r6"
04:41:39: BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
04:41:39: BR0:1 CHAP: I SUCCESS id 27 len 4
(Debug ppp authentication from R6)
04:47:21: BR0:1 PPP: Treating connection as a callin
04:47:21: BR0:1 CHAP: O CHALLENGE id 28 len 23 from "r6"
04:47:21: BR0:1 CHAP: I RESPONSE id 28 len 23 from "r5"
04:47:21: BR0:1 CHAP: O SUCCESS id 28 len 4
>From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>To: "Mas Kato" <loomis_towcar@speedracer.com>
>CC: <kymblair@hotmail.com>, <ccielab@groupstudy.com>,
><wicked01@ix.netcom.com>
>Subject: RE: PPP CHAP
>Date: Mon, 8 Apr 2002 10:16:25 -0500
>
>ummm Mas Kato, I have to disagree with you when saying:
>
>"using the 'callin' keyword on R1 would cause R1 to challenge R2 only when
>R2 called R1. This will not meet the requirement of only R2 challenging R1
>and not vice-versa"
>
>I do not think it's true .... If you configure something like:
>
>
>R1
>ppp authentication chap callin
>
>R2
>ppp authentication chap
>
>You will make R1 NOT challenge r2 at all; r2 will be the only
>challenger. To fully meet this requirement, you could "force" r1 to
>initiate the call; this way r1 will start ppp authen against r2 but will
>not challenge r2, whereas r2 will do challenge r1.
>
>
>Am I right?
>
>
>-hockito-
>
>
>
>-----Original Message-----
>From: Mas Kato [mailto:loomis_towcar@speedracer.com]
>Sent: Monday, 08 April 2002 02:38 a.m.
>To: Narvaez, Pablo
>Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
>Subject: RE: PPP CHAP
>
>
>hockito,
>
>The 'ppp authentication' command tells the router to challenge the remote
>party. In Kym's example, R2 will challenge R1, no matter who initiates the
>call. In your example, using the 'callin' keyword on R1 would cause R1 to
>challenge R2 only when R2 called R1. This will not meet the requirement of
>only R2 challenging R1 and not vice-versa.
>
>David, the reason you need the same password on both ends is both routers
>need to generate the same hash for authentication to succeed. With CHAP,
>the password is not sent over the link in any way, shape or form. Only the
>hashed challenge is sent across the link. If the passwords were different
>(or one is missing), the hash compare will fail.
>
>As an aside, a "CCIE Urban Myth" that comes up from time-to-time is that
>there is a way to configure CHAP on each end such that different passwords
>can be used. Because of the way CHAP works, this simply cannot be true. If
>you look closely at most of the proposed "solutions" you'll probably find
>that they are simply configuring a different challenge, but ultimately you
>will find that the passwords will be the same on both sides.
>
>Regards,
>
>Mas Kato
>https://ecardfile.com/id/mkato
>
> > Subject: RE: PPP CHAP
> > Date: Sat, 6 Apr 2002 16:56:30 -0600
> > From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> > Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> >
> >I do not think so, that'll give you an authentication error .... you may
>want to try on r1 ppp authentication chap callin
> >
> >cheers,
> >
> >hockito
> >
> >-----Original Message-----
> >From: kym blair [mailto:kymblair@hotmail.com]
> >Sent: Saturday, 06 April 2002 04:39 p.m.
> >To: wicked01@ix.netcom.com; ccielab@groupstudy.com
> >Subject: Re: PPP CHAP
> >
> >
> >To get R2 to authenticate R1 using CHAP, but not have R1
> >authenticate R2 (1 way CHAP):
> >
> >hostname r1
> >encaps ppp
> >username r2 password cisco
> >
> >hostname r2
> >encaps ppp
> >ppp auth chap
> >username r1 password cisco
> >
> >
> >HTH, Kym
> >
> >>From: David Luu <wicked01@ix.netcom.com>
> >>Reply-To: David Luu <wicked01@ix.netcom.com>
> >>To: ccielab@groupstudy.com
> >>Subject: PPP CHAP
> >>Date: Sat, 06 Apr 2002 13:22:04 -0800
> >>
> >>R1---ISDN---R2
> >>
> >>how would we get R2 to authenticate R1 using CHAP, but not have R1
> >>authenticate R2 (1 way CHAP)?
> >>
> >>would the following config satisfy this (doing this off the top of my
> >>head)...
> >>ISDN configs omitted
> >>
> >>hostname r1
> >>encaps ppp
> >>ppp auth chap
> >>username r2 password cisco
> >>
> >>hostname r2
> >>encaps ppp
> >>ppp auth chap
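The following is an added example and is not code from this thread or from Cisco: a small Python model of the CHAP exchange shown in Chang's debug output, written from RFC 1994. It encodes Challenge, Response and Success packets (a 16-byte challenge value plus a two-character hostname gives exactly the "len 23" and "len 4" in the debug lines), runs Kym's one-way config so that only r2 challenges r1, and shows why the password must match on both ends as Mas Kato explains: the challenger recomputes the responder's MD5(id || secret || challenge) from its own username line and compares digests. The Router class, its auth_mode values, and the callin handling (challenge only when that side received the call, as Mas Kato describes the keyword) are assumptions of this model; the 16-byte challenge size and treating a missing username line as an empty secret are simplifications.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # RFC 1994 packet codes


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5(Identifier || secret || challenge). The secret never
    crosses the link; only this digest does."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def encode_packet(code: int, ident: int, value: bytes = b"", name: str = "") -> bytes:
    """Code/Identifier/Length header, then for Challenge and Response a Value-Size
    byte, the value and the sender's name. Success/Failure carry only an optional
    message, empty here, hence the 'SUCCESS ... len 4' lines in the debug output."""
    body = bytes([len(value)]) + value + name.encode() if code in (CHALLENGE, RESPONSE) else value
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode_packet(pkt: bytes) -> dict:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body = pkt[4:length]
    if code in (CHALLENGE, RESPONSE):
        vsize = body[0]
        return {"code": code, "id": ident, "len": length,
                "value": body[1:1 + vsize], "name": body[1 + vsize:].decode()}
    return {"code": code, "id": ident, "len": length, "message": body.decode()}


class Router:
    """Toy PPP peer built for this example, not IOS. auth_mode mirrors the interface
    command: None (no 'ppp authentication'), 'always' ('ppp authentication chap') or
    'callin' ('ppp authentication chap callin'); usernames holds the
    'username <peer> password <secret>' lines."""

    def __init__(self, hostname, auth_mode, usernames):
        self.hostname, self.auth_mode, self.usernames = hostname, auth_mode, usernames
        self.log, self._ident = [], 0

    def make_challenge(self):
        self._ident = (self._ident + 1) & 0xFF
        value = os.urandom(16)  # assumed 16-byte challenge value; yields the thread's 'len 23'
        pkt = encode_packet(CHALLENGE, self._ident, value, self.hostname)
        self.log.append(f'CHAP: O CHALLENGE id {self._ident} len {len(pkt)} from "{self.hostname}"')
        return pkt, value

    def answer_challenge(self, pkt):
        c = decode_packet(pkt)
        self.log.append(f'CHAP: I CHALLENGE id {c["id"]} len {c["len"]} from "{c["name"]}"')
        # Secret looked up under the challenger's name; a missing username line is
        # treated as an empty secret (simplification), so the far-side compare fails.
        digest = chap_hash(c["id"], self.usernames.get(c["name"], ""), c["value"])
        out = encode_packet(RESPONSE, c["id"], digest, self.hostname)
        self.log.append(f'CHAP: O RESPONSE id {c["id"]} len {len(out)} from "{self.hostname}"')
        return out

    def verify_response(self, pkt, challenge):
        r = decode_packet(pkt)
        self.log.append(f'CHAP: I RESPONSE id {r["id"]} len {r["len"]} from "{r["name"]}"')
        # Recompute with the secret stored under the responder's name: both ends must
        # hold the same secret or the two digests differ and the peer is rejected.
        expected = chap_hash(r["id"], self.usernames.get(r["name"], ""), challenge)
        ok = hmac.compare_digest(expected, r["value"])
        out = encode_packet(SUCCESS if ok else FAILURE, r["id"])
        self.log.append(f'CHAP: O {"SUCCESS" if ok else "FAILURE"} id {r["id"]} len {len(out)}')
        return out

    def receive_result(self, pkt):
        res = decode_packet(pkt)
        word = "SUCCESS" if res["code"] == SUCCESS else "FAILURE"
        self.log.append(f'CHAP: I {word} id {res["id"]} len {res["len"]}')
        return res["code"] == SUCCESS


def ppp_authenticate(caller, callee):
    """CHAP phase for one call. A side challenges only if its auth_mode says so;
    'callin' challenges only when that side received the call."""
    results = {}
    for me, peer in ((caller, callee), (callee, caller)):
        if me.auth_mode is None or (me.auth_mode == "callin" and me is caller):
            continue
        chal, value = me.make_challenge()
        verdict = me.verify_response(peer.answer_challenge(chal), value)
        results[f"{me.hostname} authenticates {peer.hostname}"] = peer.receive_result(verdict)
    return results


def kym_one_way(r2_secret_for_r1="cisco"):
    """Kym's config: only r2 has 'ppp auth chap'; r1 places the call."""
    r1 = Router("r1", None, {"r2": "cisco"})
    r2 = Router("r2", "always", {"r1": r2_secret_for_r1})
    return ppp_authenticate(r1, r2), r1, r2


def callin_on_r1(r1_places_call):
    """Pablo's variant: r1 has 'chap callin', r2 plain 'chap'."""
    r1 = Router("r1", "callin", {"r2": "cisco"})
    r2 = Router("r2", "always", {"r1": "cisco"})
    return ppp_authenticate(r1, r2) if r1_places_call else ppp_authenticate(r2, r1)
```

kym_one_way() returns the result dict plus both routers, whose log lists mirror the "debug ppp authentication" lines (r1 sees I CHALLENGE, O RESPONSE, I SUCCESS; r2 the reverse). kym_one_way("san-fran") takes the FAILURE path because the two username lines no longer hold the same secret, and callin_on_r1(True) versus callin_on_r1(False) shows that with callin on r1 the direction of the call decides whether r1 challenges r2 at all.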
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3