From: Jonathan V Hays (jhays@jtan.com)
Date: Sun May 04 2003 - 15:05:15 GMT-3
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Tom Young
> Sent: Sunday, May 04, 2003 11:55 AM
> To: ccielab@groupstudy.com
> Subject: ppp authentication
>
>
> Hi, group,
>
> When I use the bri interface and ppp for dial-up, I set
> the one-way authentication for ppp, by the ppp
> authentication chap callin command, and I found I have to
> set the user xx password xx on BOTH sides of dial-up
> routers. Even the ONE-WAY authentication, why?
>
> Thanks a lot

Both sides use the same password to generate a hash, so both routers
must be configured with the same password (or no password) corresponding
to the CHAP name. In one-way authentication, the following takes place:

1. R1 sends a challenge, along with its CHAP name, R1.
2. R2 receives the challenge, looks up the password for R1, computes a
hash using the password and some other information, and responds to R1's
challenge with the hash and its own CHAP name (R2).
3. R1 receives R2's hash, looks up the password for R2's CHAP name and
computes the hash.
4. If both hashes match, R1 sends a "success" message to R2.

The command "debug ppp auth" produces this:

00:48:58: Se0 CHAP: O CHALLENGE id 124 len 27 from "R1"
00:48:58: Se0 CHAP: I RESPONSE id 124 len 27 from "R2"
00:48:58: Se0 CHAP: O SUCCESS id 124 len 4

In two-way authentication, the other router also initiates a challenge
and the above procedure is used in the reverse direction:

01:02:04: Se0 PPP: Treating connection as a dedicated line
01:02:04: Se0 CHAP: O CHALLENGE id 126 len 27 from "R1"
01:02:04: Se0 CHAP: I CHALLENGE id 45 len 27 from "R2"
01:02:04: Se0 CHAP: O RESPONSE id 45 len 27 from "R1"
01:02:04: Se0 CHAP: I RESPONSE id 126 len 27 from "R2"
01:02:04: Se0 CHAP: O SUCCESS id 126 len 4
01:02:05: Se0 CHAP: I SUCCESS id 45 len 4

Hope that helps.
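
Added example, not part of the original post: a small Python model of steps 1-4 in the reply above, using the hash that RFC 1994 defines for CHAP (MD5 over the identifier, the shared secret and the challenge). The Router class, its method names and the sample secrets are constructed for illustration; it shows why R2 cannot answer R1's challenge without a password stored for R1's name, even though only R1 is authenticating.

```python
import hashlib
import hmac
import os

def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5(Identifier octet || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:  # hypothetical model, not IOS code
    def __init__(self, name: str, users: dict):
        self.name = name      # CHAP name sent in every packet
        self.users = users    # stands in for "username <peer> password <secret>"
        self.pending = {}     # identifier -> challenge awaiting a response

    def send_challenge(self, ident: int):
        """Step 1: authenticator sends id, random challenge and its name."""
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident], self.name

    def send_response(self, ident, challenge, from_name):
        """Step 2: peer looks up the challenger's name; no entry, no hash."""
        secret = self.users.get(from_name)
        if secret is None:
            return None
        return ident, chap_hash(ident, secret, challenge), self.name

    def check_response(self, ident, value, from_name) -> bool:
        """Steps 3-4: authenticator recomputes the hash and compares."""
        challenge = self.pending.pop(ident, None)  # each challenge is single-use
        secret = self.users.get(from_name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_hash(ident, secret, challenge))

def one_way_auth(r1: Router, r2: Router, ident: int = 124) -> str:
    """R1 authenticates R2 only; returns "SUCCESS" or "FAILURE"."""
    reply = r2.send_response(*r1.send_challenge(ident))
    if reply is None:
        return "FAILURE"  # R2 has no password stored for R1's name
    return "SUCCESS" if r1.check_response(*reply) else "FAILURE"

if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"constructed-secret"})
    print(one_way_auth(r1, Router("R2", {"R1": b"constructed-secret"})))
    print(one_way_auth(r1, Router("R2", {})))
```

The password itself never crosses the link; only the random challenge and the resulting hash do, and a captured response fails against the next challenge because the challenge value changes.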