From: Jonathan V Hays (jhays@jtan.com)
Date: Fri Feb 28 2003 - 19:55:50 GMT-3
RE: my posted excerpt from the "Cisco CCNP Remote Access Exam Certification Guide"
---
A couple of points to remember:

1. From the viewpoint of a given router, the remote router's CHAP hostname is used as a lookup index for the password and that password is used to create the hash which is sent as a challenge or a response. The CHAP hostname is sent along with the challenge or response in the clear - the hostname is not part of the hash.

2. Let's say you are using 'ppp chap hostname' in a one-way authentication. Surprisingly, you will NOT need a corresponding 'ppp chap password' statement. Here's why:

on R1:

hostname R1
username R2 password cisco
!
int s0
 ppp chap hostname FAKE-R1

Action on R1: Create challenge.
a. Look up password for R2 in 'username R2 password cisco'
b. Feed this password, a CHAP id value, and a random number into the MD5 hash generator.
c. Send this challenge to the remote side, along with 'FAKE-R1' (CHAP hostname).

on R2:

hostname R2
username FAKE-R1 password cisco

Action on R2: Respond to challenge for CHAP hostname FAKE-R1.
a. Look up password for FAKE-R1 in 'username FAKE-R1 password cisco'
b. Feed this password, a CHAP id value, and a random number into the MD5 hash generator.
c. Send this challenge to the remote side, along with 'R2' (CHAP hostname).
---
Note that none of the above steps has any need for 'ppp chap password cisco' to get the job done.
Interesting, eh?
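The lookup model from the post, written out as an added example (not the author's or Cisco's code): each side keeps a username table keyed by the peer's CHAP hostname, the name travels in the clear, and the hash is computed as RFC 1994 defines it, MD5 over the id, the secret and the challenge value, so the name never enters the hash. The R1/R2 tables, the FAKE-R1 name and all function names are assumptions taken from the configs above.

```python
import hashlib
import hmac
import os

# Constructed tables: each side's 'username <peer CHAP hostname> password <secret>',
# keyed by the name the peer sends in the clear (assumed from the R1/R2 configs).
R1_USERNAMES = {"R2": "cisco"}        # on R1
R2_USERNAMES = {"FAKE-R1": "cisco"}   # on R2


def chap_hash(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(id || secret || challenge).
    The CHAP hostname is not an input; it only selects the secret."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def build_challenge(chap_id: int, local_name: str, rng=os.urandom) -> dict:
    """Challenger sends a random value plus its own CHAP hostname in the clear."""
    return {"id": chap_id, "value": rng(16), "name": local_name}


def answer_challenge(chal: dict, usernames: dict, local_name: str):
    """Responder looks up the secret by the challenger's name; None if no entry."""
    secret = usernames.get(chal["name"])
    if secret is None:
        return None
    return {"id": chal["id"],
            "value": chap_hash(chal["id"], secret, chal["value"]),
            "name": local_name}


def verify_response(chal: dict, resp, usernames: dict) -> bool:
    """Challenger looks up the secret by the responder's name and recomputes."""
    if resp is None or resp["id"] != chal["id"]:
        return False
    secret = usernames.get(resp["name"])
    if secret is None:
        return False
    expected = chap_hash(chal["id"], secret, chal["value"])
    return hmac.compare_digest(expected, resp["value"])


def one_way_auth(chal_users, chal_name, resp_users, resp_name,
                 chap_id=1, rng=os.urandom) -> bool:
    """Challenger authenticates responder using only the two username tables."""
    chal = build_challenge(chap_id, chal_name, rng)
    resp = answer_challenge(chal, resp_users, resp_name)
    return verify_response(chal, resp, chal_users)
```

Running `one_way_auth(R1_USERNAMES, "FAKE-R1", R2_USERNAMES, "R2")` succeeds with no 'ppp chap password' anywhere; removing R2's `username FAKE-R1` entry or changing its secret makes it fail.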
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:40 GMT-3