From: p729@cox.net
Date: Thu Feb 27 2003 - 13:43:30 GMT-3
Michael,
With PAP, the password is sent across the wire in plain-text, effectively: "here is my username and password, authenticate me." The authenticator simply does a lookup. What's important is that the PAP sent-username and password and the username and password on the authenticator match. The username and password on the authenticatee (side requesting to be authenticated) is superfluous.
With CHAP, the password itself is never actually sent over the wire, only a hashed version of it. All the authenticator knows is "who am I authenticating?" Somehow, the authenticator must derive the same hash that the authenticatee sent so the results of a comparison will be a match. In order to derive the same hash, the passwords MUST be the SAME for a given username. Don't be fooled by claims of being able to use different passwords on each end with CHAP. In reality, different USERNAMES and passwords are being used--it's the only way it can work.
Regards,
Mas Kato
https://ecardfile.com/mkato
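
Added example, not part of the original thread: the CHAP check described above, using the MD5 response defined in RFC 1994 (hash of the Identifier octet, the shared secret and the challenge). The peer name "RouterB", the secrets and the fixed challenges are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Holds one secret per peer name, like 'username <peer> password <secret>'."""

    def __init__(self, secrets_by_name):
        self.secrets_by_name = secrets_by_name

    def new_challenge(self):
        # A fresh identifier and random challenge for every attempt.
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, name, identifier, challenge, response):
        secret = self.secrets_by_name.get(name)
        if secret is None:
            return False
        # Recompute the hash locally; the secret itself never crossed the wire.
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(authenticator, peer_name, peer_secret):
    """One full exchange: challenge out, hashed response back, local compare."""
    identifier, challenge = authenticator.new_challenge()
    response = chap_response(identifier, peer_secret, challenge)
    return authenticator.verify(peer_name, identifier, challenge, response)


if __name__ == "__main__":
    auth = Authenticator({"RouterB": b"pass1"})      # constructed sample entry
    print("same secret on both ends:", run_exchange(auth, "RouterB", b"pass1"))
    print("different secret on peer:", run_exchange(auth, "RouterB", b"pass2"))
    # A response captured for one challenge does not verify against another.
    old = chap_response(1, b"pass1", b"A" * 16)
    print("replayed response:", auth.verify("RouterB", 2, b"B" * 16, old))
```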
============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/26 Wed PM 08:24:45 EST
To: "'ccie2be'" <ccie2be@nyc.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: Amazing but true
I've come to the conclusion that the number of responses you get from
groupstudy plotted out looks like a bell curve.
The closer you are getting to passing the lab, the number of responses
decreases.
Here's a good example, I asked this last year and never got a response.
Why with PAP do the user passwords stay the same on both isdn routers?
Router A
Username A password 0 pass1
Username B password 0 pass2
Router B
Username A password 0 pass1
Username B password 0 pass2
And with CHAP, you transpose the passwords on one of the routers?
Router A
Username A password 0 pass1
Username B password 0 pass2
Router B
Username A password 0 pass2
Username B password 0 pass1
I understand the CHAP and PAP processes, I have watched the debugs many
times.
Still why would cisco program the isdn functionality that you have to
change the user password arrangement depending on chap vs pap?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, February 26, 2003 1:50 PM
To: Group Study
Subject: Amazing but true
Hi everyone,
Over the past few weeks, several times I've posted a question regarding
the two types of care-of-addresses used with Mobile IP. My question
concerned what determines which type of address is used and whether the
type used is something that's configured on the router or determined by
some other means - perhaps the software installed on the mobile client.
What surprises me though is that there hasn't been one single response!
I don't understand how that could be. I've searched thru both the Group
Study archives and Cisco's documentation and found nothing addressing
this question. I also know that mobile IP is fair game for the lab, so
I'm amazed that this question continues to go unanswered.
And, though I can't understand why that is, I've come up with 2 theories:
a) nobody knows
b) nobody cares
I can't imagine that nobody on groupstudy knows this - this is probably
the most knowledgeable group of networking professionals in the world -
so let's nix that idea.
Could it be that nobody cares? That's also hard to imagine. Every day,
questions seemingly far more esoteric are posted and responded to.
Besides, there must be at least a few people who might need to implement
Mobile IP in the near future and they would certainly need to know about
this. And, even if nobody at the moment needed to know about this for
work, most people on group study seemed to be very intellectually
curious. So, let's nix this theory as well.
Well, I hope this sparks some discussion, and maybe, in the process,
generates the answer to the original question.
What do you think?
Jim
============================================================
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:38 GMT-3