From: Larry Whitfill (whitfill@xxxxxxx)
Date: Mon Apr 08 2002 - 18:02:10 GMT-3
You don't even have to enable authentication on the host you don't want
challenging. Even without "ppp authentication chap" you can specify the
"chap-sent" user name and password. In this setup, the non-challenging
router won't challenge anyone, which satisfies the requirement.
Try this out. It works.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
ying chang
Sent: Monday, April 08, 2002 9:17 AM
To: Pablo.Narvaez@getronics.com; loomis_towcar@speedracer.com
Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
Subject: RE: PPP CHAP
Hi hockito,
How about using the callback keyword instead of the callin keyword? Below are my
own notes that I did a while back; will this meet the requirement?
Thanks,
Chang
One-way authentication with ppp auth chap callback on R5, ppp auth chap on
R6, R5 calls R6:
R6 challenges and authenticates R5
(Debug ppp authentication from R5)
04:41:39: BR0:1 PPP: Treating connection as a callout
04:41:39: BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r6"
04:41:39: BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
04:41:39: BR0:1 CHAP: I SUCCESS id 27 len 4
(Debug ppp authentication from R6)
04:47:21: BR0:1 PPP: Treating connection as a callin
04:47:21: BR0:1 CHAP: O CHALLENGE id 28 len 23 from "r6"
04:47:21: BR0:1 CHAP: I RESPONSE id 28 len 23 from "r5"
04:47:21: BR0:1 CHAP: O SUCCESS id 28 len 4
>From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
>To: "Mas Kato" <loomis_towcar@speedracer.com>
>CC: <kymblair@hotmail.com>, <ccielab@groupstudy.com>,
><wicked01@ix.netcom.com>
>Subject: RE: PPP CHAP
>Date: Mon, 8 Apr 2002 10:16:25 -0500
>
>ummm Mas Kato, I have to disagree with you. when saying:
>
>"using the 'callin' keyword on R1 would cause R1 to challenge R2 only when
>R2 called R1. This will not meet the requirement of only R2 challenging R1
>and not vice-versa"
>
>I do not think it's true .... If you configure something like:
>
>
>R1
>ppp authentication chap callin
>
>R2
>ppp authentication chap
>
>You will make R1 NOT challenge r2 at all; r2 will be the only
>challenger. To fully meet this requirement, you could "force" r1 to
>initiate the call; this way r1 will start ppp authen against r2 but will
>not challenge r2, whereas r2 will challenge r1.
>
>
>Am I right?
>
>
>-hockito-
>
>
>
>-----Original Message-----
>From: Mas Kato [mailto:loomis_towcar@speedracer.com]
>Sent: Lunes, 08 de Abril de 2002 02:38 a.m.
>To: Narvaez, Pablo
>Cc: kymblair@hotmail.com; ccielab@groupstudy.com; wicked01@ix.netcom.com
>Subject: RE: PPP CHAP
>
>
>hockito,
>
>The 'ppp authentication' command tells the router to challenge the remote
>party. In Kym's example, R2 will challenge R1, no matter who initiates the
>call. In your example, using the 'callin' keyword on R1 would cause R1 to
>challenge R2 only when R2 called R1. This will not meet the requirement of
>only R2 challenging R1 and not vice-versa.
>
>David, the reason you need the same password on both ends is both routers
>need to generate the same hash for authentication to succeed. With CHAP,
>the password is not sent over the link in any way, shape or form. Only the
>hashed challenge is sent across the link. If the passwords were different
>(or one is missing), the hash compare will fail.
>
>As an aside, a "CCIE Urban Myth" that comes up from time-to-time is that
>there is a way to configure CHAP on each end such that different passwords
>can be used. Because of the way CHAP works, this simply cannot be true. If
>you look closely at most of the proposed "solutions" you'll probably find
>that they are simply configuring a different challenge, but ultimately you
>will find that the passwords will be the same on both sides.
>
>Regards,
>
>Mas Kato
>https://ecardfile.com/id/mkato
>
> > Subject: RE: PPP CHAP
> > Date: Sat, 6 Apr 2002 16:56:30 -0600
> > From: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> > Reply-To: "Narvaez, Pablo" <Pablo.Narvaez@getronics.com>
> >
> >I do not think so, that'll give you an authentication error .... you may
>want to try on r1 ppp authentication chap callin
> >
> >cheers,
> >
> >hockito
> >
> >-----Original Message-----
> >From: kym blair [mailto:kymblair@hotmail.com]
> >Sent: Sabado, 06 de Abril de 2002 04:39 p.m.
> >To: wicked01@ix.netcom.com; ccielab@groupstudy.com
> >Subject: Re: PPP CHAP
> >
> >
> >To get R2 to authenticate R1 using CHAP, but not have R1
> >authenticate R2 (1 way CHAP):
> >
> >hostname r1
> >encaps ppp
> >username r2 password cisco
> >
> >hostname r2
> >encaps ppp
> >ppp auth chap
> >username r1 password cisco
> >
> >
> >HTH, Kym
> >
> >>From: David Luu <wicked01@ix.netcom.com>
> >>Reply-To: David Luu <wicked01@ix.netcom.com>
> >>To: ccielab@groupstudy.com
> >>Subject: PPP CHAP
> >>Date: Sat, 06 Apr 2002 13:22:04 -0800
> >>
> >>R1---ISDN---R2
> >>
> >>how would we get R2 to authenticate R1 using CHAP, but not have R1
> >>authenticate R2 (1 way CHAP)?
> >>
> >>would the following config satisfy this (doing this off the top of my
> >>head)...
> >>ISDN configs omitted
> >>
> >>hostname r1
> >>encaps ppp
> >>ppp auth chap
> >>username r2 password cisco
> >>
> >>hostname r2
> >>encaps ppp
> >>ppp auth chap
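
Added worked example (not part of the thread above, and not Cisco code): a small Python model of the CHAP exchange the thread is arguing about, written to show three things at once: why Kym's one-way config works (only the side with "ppp authentication chap" sends a challenge), why Mas Kato is right that both "username" lines must carry the same secret (RFC 1994 computes the response as MD5(Identifier || secret || Challenge), so a mismatched secret fails the compare without the secret ever crossing the link), and what the "callin" keyword does to the direction question (modelled here, following the thread and Cisco's documentation, as "challenge only when we received the call"). The Router class, ppp_link(), the *_demo() functions and the router names r1/r2 are assumptions made for this illustration; the usernames and secret "cisco" are copied from Kym's config.

```python
"""Model of one-way and two-way PPP CHAP (RFC 1994, algorithm 5 = MD5).

Added example for the mailing-list thread on one-way CHAP; the Router class,
ppp_link() and the demo functions are assumptions made for illustration and
do not claim to reproduce IOS internals.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value).

    Only this digest goes over the wire; the secret itself never does, which is
    why both ends must already hold the same secret for the compare to succeed.
    """
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


@dataclass
class Router:
    hostname: str
    usernames: dict            # "username <peer> password <secret>" lines
    auth_chap: bool = False    # "ppp authentication chap" configured?
    callin_only: bool = False  # "... callin": challenge only calls we received
    _ident: int = field(default=0, init=False)

    def will_challenge(self, we_placed_call: bool) -> bool:
        """Does this side send a CHAP Challenge on this link?"""
        if not self.auth_chap:
            return False
        if self.callin_only and we_placed_call:
            return False
        return True

    def make_challenge(self):
        """Challenge packet: Identifier, random Value, and our Name."""
        self._ident = (self._ident + 1) & 0xFF
        return self._ident, os.urandom(16), self.hostname

    def make_response(self, ident, value, challenger_name):
        """Answer a challenge using the secret stored for the challenger's name."""
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None
        return ident, chap_response(ident, secret.encode(), value), self.hostname

    def verify(self, ident, value, response) -> bool:
        """Recompute the digest with the secret stored for the responder's name."""
        if response is None:
            return False
        r_ident, r_digest, responder_name = response
        secret = self.usernames.get(responder_name)
        if secret is None or r_ident != ident:
            return False
        expected = chap_response(ident, secret.encode(), value)
        return hmac.compare_digest(expected, r_digest)


def ppp_link(caller: Router, callee: Router) -> dict:
    """Bring up CHAP on a link that `caller` dialled; each side decides
    independently whether to challenge, exactly as the thread describes."""
    results, log = {}, []
    for us, peer, we_placed in ((callee, caller, False), (caller, callee, True)):
        if not us.will_challenge(we_placed):
            continue
        ident, value, name = us.make_challenge()
        log.append(f'{us.hostname} CHAP: O CHALLENGE id {ident} from "{name}"')
        ok = us.verify(ident, value, peer.make_response(ident, value, name))
        log.append(f"{us.hostname} CHAP: O {'SUCCESS' if ok else 'FAILURE'} id {ident}")
        results[us.hostname] = ok
    return {"challengers": sorted(results), "results": results, "log": log}


def one_way_demo() -> dict:
    """Kym's config: r1 has no 'ppp auth chap', r2 does. Only r2 challenges."""
    r1 = Router("r1", {"r2": "cisco"})
    r2 = Router("r2", {"r1": "cisco"}, auth_chap=True)
    return ppp_link(caller=r1, callee=r2)


def mismatched_secret_demo() -> dict:
    """Mas Kato's point: a different secret on one end fails the hash compare."""
    r1 = Router("r1", {"r2": "cisco"})
    r2 = Router("r2", {"r1": "notcisco"}, auth_chap=True)
    return ppp_link(caller=r1, callee=r2)


def callin_demo(r1_places_call: bool) -> dict:
    """'ppp authentication chap callin' on r1: r1 challenges only when r2 calls in."""
    r1 = Router("r1", {"r2": "cisco"}, auth_chap=True, callin_only=True)
    r2 = Router("r2", {"r1": "cisco"}, auth_chap=True)
    return ppp_link(r1, r2) if r1_places_call else ppp_link(r2, r1)


if __name__ == "__main__":
    for name, run in (("one-way", one_way_demo()), ("mismatch", mismatched_secret_demo()),
                      ("callin, r1 calls", callin_demo(True)), ("callin, r2 calls", callin_demo(False))):
        print(f"--- {name}: challengers={run['challengers']} results={run['results']}")
        print("\n".join(run["log"]))
```

Running the file prints a trace in the style of "debug ppp authentication" for each scenario; the callin runs show the two positions in the thread are describing the same behaviour from different directions (r1 with "callin" stays silent when r1 dials out, and challenges when r2 dials in).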
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:00 GMT-3