From: Tom Young (gitsyoung@yahoo.co.jp)
Date: Sun May 04 2003 - 22:52:07 GMT-3
Jonathan, thank you very much, I understood it now.
But one more question: you said both sides use the
password to generate a hash for the CHAP challenge, but if I
use PAP for one-way authentication, I don't need to make
user xx pass xx on both side routers, right?
Thanks again
--- Message from Jonathan V Hays <jhays@jtan.com>:
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Tom Young
> > Sent: Sunday, May 04, 2003 11:55 AM
> > To: ccielab@groupstudy.com
> > Subject: ppp authentication
> >
> >
> > Hi, group,
> >
> > When I use the bri interface and ppp for dial-up, I set
> > the one-way authentication for ppp, by the ppp
> > authentication chap callin command, and I found I have to
> > set the user xx password xx on BOTH side of dial-up
> > routers. Even the ONE-WAY authentication, why?
> >
> > Thanks a lot
>
> Both sides use the same password to generate a hash, so both routers
> must be configured with the same password (or no password) corresponding
> to the CHAP name. In one-way authentication, the following takes place:
>
> 1. R1 sends a challenge, along with its CHAP name, R1.
>
> 2. R2 receives the challenge, looks up the password for R1, computes a
> hash using the password and some other information, and responds to R1's
> challenge with the hash and its own CHAP name (R2).
>
> 3. R1 receives R2's hash, looks up the password for R2's CHAP name and
> computes the hash.
>
> 4. If both hashes match, R1 sends a "success" message to R2.
>
> The command "debug ppp auth" produces this:
>
> 00:48:58: Se0 CHAP: O CHALLENGE id 124 len 27 from "R1"
> 00:48:58: Se0 CHAP: I RESPONSE id 124 len 27 from "R2"
> 00:48:58: Se0 CHAP: O SUCCESS id 124 len 4
>
> In two-way authentication, the other router also initiates a challenge
> and the above procedure is used in the reverse direction:
>
> 01:02:04: Se0 PPP: Treating connection as a dedicated line
> 01:02:04: Se0 CHAP: O CHALLENGE id 126 len 27 from "R1"
> 01:02:04: Se0 CHAP: I CHALLENGE id 45 len 27 from "R2"
> 01:02:04: Se0 CHAP: O RESPONSE id 45 len 27 from "R1"
> 01:02:04: Se0 CHAP: I RESPONSE id 126 len 27 from "R2"
> 01:02:04: Se0 CHAP: O SUCCESS id 126 len 4
> 01:02:05: Se0 CHAP: I SUCCESS id 45 len 4
>
> Hope that helps.
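
The one-way exchange described in the quoted reply, sketched as an added example that is not part of the original thread and is not Cisco code. It assumes the RFC 1994 MD5 calculation (identifier, secret, challenge value) for the "other information"; the `Router` class, the function names and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_md5(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """Hypothetical model of one PPP endpoint (not IOS code)."""

    def __init__(self, name: str, users: dict):
        self.name = name
        self.users = users   # peer CHAP name -> shared secret ("user xx password xx")
        self.pending = {}    # challenge id -> challenge bytes this router sent

    def challenge(self, ident: int) -> dict:
        # Step 1: send a random challenge together with our CHAP name.
        self.pending[ident] = os.urandom(16)
        return {"id": ident, "value": self.pending[ident], "name": self.name}

    def respond(self, chal: dict):
        # Step 2: look up the secret stored under the challenger's name.
        secret = self.users.get(chal["name"])
        if secret is None:
            return None      # no user entry for the challenger, nothing to hash
        digest = chap_md5(chal["id"], secret, chal["value"])
        return {"id": chal["id"], "value": digest, "name": self.name}

    def verify(self, resp: dict) -> str:
        # Step 3: look up the secret under the responder's name and recompute.
        sent = self.pending.pop(resp["id"], None)
        secret = self.users.get(resp["name"])
        if sent is None or secret is None:
            return "FAILURE"
        expected = chap_md5(resp["id"], secret, sent)
        # Step 4: compare the two hashes in constant time.
        return "SUCCESS" if hmac.compare_digest(expected, resp["value"]) else "FAILURE"


def one_way_auth(authenticator: Router, peer: Router, ident: int = 124) -> str:
    resp = peer.respond(authenticator.challenge(ident))
    return authenticator.verify(resp) if resp else "FAILURE"


if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"example-secret"})  # constructed secrets
    print(one_way_auth(r1, Router("R2", {"R1": b"example-secret"})))
    print(one_way_auth(r1, Router("R2", {"R1": b"other-secret"})))
    print(one_way_auth(r1, Router("R2", {})))
```

The password itself never crosses the link; only the challenge and the hash do, which is why the responder needs its own copy of the secret even when only one side authenticates.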
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:37 GMT-3