RE: PPP CHAP

From: ying chang (ying_c@xxxxxxxxxxx)
Date: Mon Apr 08 2002 - 14:26:04 GMT-3


Hi hockito,

Not sure why I cannot find the reference page now, but if you type in "ppp
authentication chap ?" you should see this "callback" option. I'm not sure
when this option was first introduced, but 12.1 should have it.

I know it's confusing, but the "callback" keyword in "ppp authentication
chap callback" is not the regular callback as you described (dialer
callback-secure, ppp callback request, etc.)

"ppp authentication chap callback" will not make the called party (server)
drop the line and call the calling party (client) back. It is kind of
like callin, but it simply places the authentication at the server instead of
the client, regardless of who places the call. The client will never challenge
the server, and the server will always challenge the client.

So will this meet the requirement? The trouble I have with the "callin" keyword
is that if the server should call the client, the client will challenge the
server, which I think does not fit too well with the requirement. If we don't
allow the server to call, then I don't have any problems with the "callin".

I hope I don't confuse you more...

Thanks,
Chang

>From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>To: "ying chang" <ying_c@hotmail.com>, <loomis_towcar@speedracer.com>
>CC: <kymblair@hotmail.com>, <ccielab@groupstudy.com>,
><wicked01@ix.netcom.com>
>Subject: RE: PPP CHAP
>Date: Mon, 8 Apr 2002 11:31:37 -0500
>
>Ying, I think this could meet the requirement in a certain way but I do not
>believe callback is the solution.
>
>In order for callback to be successful, both ends must authenticate one
>another ... my understanding of callback is about making the link more
>secure. So, when the callback server, say r2, receives a call, it
>authenticates the calling party, say r1, and drops the call. Then, r2 places
>the callback to r1, which is waiting for r2 to call back. Now, my
>understanding is that r1 will accept the response of the callback request
>ONLY from r2. For this, r1 will have to "see" and make sure that the
>calling router is r2; in this process I think r1 has to authenticate r2 in
>a certain way.
>
>If using "dialin" you will not challenge the calling party, but the calling
>host will try to authenticate you. For this to work, you still have to
>configure the remote user/passwd locally on both ends to compare the chap
>hash.
>
>Am I right? I could be wrong or missing something here ...
>
>hockito
>
>
>
>
>
>
>From: ying chang [mailto:ying_c@hotmail.com]
>Sent: Lunes, 08 de Abril de 2002 11:17 a.m.
>To: Narvaez, Pablo; loomis_towcar@speedracer.com
>Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
>Subject: RE: PPP CHAP
>
>
>Hi hockito,
>
>How about use the callback keyword instead of callin keyword? Below is my
>own notes that I did a while back, will this meet the requirement?
>
>Thanks,
>Chang
>
>One way authentication with ppp auth chap callback on R5 , ppp auth chap on
>R6, R5 call R6:
>
>R6 challenge and authenticate R5
>
>(Debug ppp authentication from R5)
>04:41:39: BR0:1 PPP: Treating connection as a callout
>04:41:39: BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r6"
>04:41:39: BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
>04:41:39: BR0:1 CHAP: I SUCCESS id 27 len 4
>
>(Debug ppp authentication from R6)
>
>04:47:21: BR0:1 PPP: Treating connection as a callin
>04:47:21: BR0:1 CHAP: O CHALLENGE id 28 len 23 from "r6"
>04:47:21: BR0:1 CHAP: I RESPONSE id 28 len 23 from "r5"
>04:47:21: BR0:1 CHAP: O SUCCESS id 28 len 4
>
>
>
> >From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> >Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> >To: "Mas Kato" <loomis_towcar@speedracer.com>
> >CC: <kymblair@hotmail.com>, <ccielab@groupstudy.com>,
> ><wicked01@ix.netcom.com>
> >Subject: RE: PPP CHAP
> >Date: Mon, 8 Apr 2002 10:16:25 -0500
> >
> >ummm Mas Kato, I have to disagree with you. when saying:
> >
> >"using the 'callin' keyword on R1 would cause R1 to challenge R2 only when
> >R2 called R1. This will not meet the requirement of only R2 challenging R1
> >and not vice-versa"
> >
> >I do not think it's true .... If you configure something like:
> >
> >
> >R1
> >ppp authentication chap callin
> >
> >R2
> >ppp authentication chap
> >
> >You will make R1 NOT challenge r2 at all; r2 will be the only
> >challenger. To fully meet this requirement, you could "force" r1 to
> >initiate the call; this way r1 will start ppp authen against r2 but will
> >not challenge r2, whereas r2 will challenge r1.
> >
> >
> >Am I right?
> >
> >
> >-hockito-
> >
> >
> >
> >-----Original Message-----
> >From: Mas Kato [mailto:loomis_towcar@speedracer.com]
> >Sent: Lunes, 08 de Abril de 2002 02:38 a.m.
> >To: Narvaez, Pablo
> >Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
> >Subject: RE: PPP CHAP
> >
> >
> >hockito,
> >
> >The 'ppp authentication' command tells the router to challenge the remote
> >party. In Kym's example, R2 will challenge R1, no matter who initiates the
> >call. In your example, using the 'callin' keyword on R1 would cause R1 to
> >challenge R2 only when R2 called R1. This will not meet the requirement of
> >only R2 challenging R1 and not vice-versa.
> >
> >David, the reason you need the same password on both ends is both routers
> >need to generate the same hash for authentication to succeed. With CHAP,
> >the password is not sent over the link in any way, shape or form. Only the
> >hashed challenge is sent across the link. If the passwords were different
> >(or one is missing), the hash compare will fail.
> >
> >As an aside, a "CCIE Urban Myth" that comes up from time to time is that
> >there is a way to configure CHAP on each end such that different passwords
> >can be used. Because of the way CHAP works, this simply cannot be true. If
> >you look closely at most of the proposed "solutions" you'll probably find
> >that they are simply configuring a different challenge, but ultimately you
> >will find that the passwords will be the same on both sides.
> >
> >Regards,
> >
> >Mas Kato
> >https://ecardfile.com/id/mkato
> >
> > >RE: PPP CHAP
> > >Date: Sat, 6 Apr 2002 16:56:30 -0600
> > >"Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> > >Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> > >
> > >I do not think so, that'll give you an authentication error .... you may
> > >want to try on r1 ppp authentication chap callin
> > >
> > >cheers,
> > >
> > >hockito
> > >
> > >-----Original Message-----
> > >From: kym blair [mailto:kymblair@hotmail.com]
> > >Sent: Sabado, 06 de Abril de 2002 04:39 p.m.
> > >To: wicked01@ix.netcom.com; ccielab@groupstudy.com
> > >Subject: Re: PPP CHAP
> > >
> > >
> > >To get R2 to authenticate R1 using CHAP, but not have R1
> > >authenticate R2 (1 way CHAP):
> > >
> > >hostname r1
> > >encaps ppp
> > >username r2 password cisco
> > >
> > >hostname r2
> > >encaps ppp
> > >ppp auth chap
> > >username r1 password cisco
> > >
> > >
> > >HTH, Kym
> > >
> > >>From: David Luu <wicked01@ix.netcom.com>
> > >>Reply-To: David Luu <wicked01@ix.netcom.com>
> > >>To: ccielab@groupstudy.com
> > >>Subject: PPP CHAP
> > >>Date: Sat, 06 Apr 2002 13:22:04 -0800
> > >>
> > >>R1---ISDN---R2
> > >>
> > >>how would we get R2 to authenticate R1 using CHAP, but not have R1
> > >>authenticate R2 (1 way CHAP)?
> > >>
> > >>would the following config satisfy this (doing this off the top of my
> > >>head)...
> > >>ISDN configs omitted
> > >>
> > >>hostname r1
> > >>encaps ppp
> > >>ppp auth chap
> > >>username r2 password cisco
> > >>
> > >>hostname r2
> > >>encaps ppp
> > >>ppp auth chap



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:59 GMT-3