ISDN PPP authentication

From: Jason Cash (cash2001@swbell.net)
Date: Thu May 29 2003 - 14:43:51 GMT-3


I am trying to complete a task that instructs:

Config R2 to authenticate R5 only when R5 calls R2.

The solution has R2 configured with:

R2

interface BRI0
 ip address 110.99.25.2 255.255.255.192
 encapsulation ppp
 dialer callback-secure
 ppp callback accept
 ppp authentication chap callback

R5

interface BRI0
 ip address 110.99.25.5 255.255.255.192
 encapsulation ppp
 ppp callback request
 ppp authentication chap

In doing a debug PPP auth, here is what I get (just for clarification, an
"I" means incoming and "O" is outbound, correct?):
with 'ppp auth chap callback'
R2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5

R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2

As you can see, with the 'callback' option on R2, R5 is challenging R2 which
responds. R2 then calls R5 back and is challenged by R5 AGAIN. (Do you see
my confusion?) It appears that with the 'callback' on R2, R2 is not doing
any challenging, which would make sense as it is waiting for a callback from
R5 to challenge. This will never happen as R2 is the callback server.

-------------------------------------------------
with 'ppp auth chap callin'

Here is router 2:

BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: Waiting for peer to authenticate first
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: Processing saved Challenge, id 43
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5

Here is R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: I SUCCESS id 27 len 4
BR0:1 CHAP: I RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2

With the 'callin' option, R2 immediately challenges R5 (which is what is
instructed) then calls back and gets challenged by R5.

Am I interpreting this correctly?
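
Added example (not part of the original post): a Python helper that splits one router's CHAP debug output into call legs, records which side issued the challenge on each leg, and checks the result against the task's requirement that the local router authenticate the peer only on incoming calls. The function names are hypothetical; the sample lines are excerpted from the R2 output in the post.

```python
import re
# Excerpted from R2's debug output in the post (link-state and some
# informational lines omitted).
R2_CALLBACK = """\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 46 len 4
"""
R2_CALLIN = """\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: Waiting for peer to authenticate first
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
"""
LEG = re.compile(r"^(\S+) PPP: Treating connection as a (callin|callout)")
CHAP = re.compile(r"^(\S+) CHAP: ([IO]) (CHALLENGE|SUCCESS) id (\d+)")

def chap_legs(log, intf="BR0:1"):
    """Per call leg: direction, challenge ids sent/received, peer verified."""
    legs = []
    for line in log.splitlines():
        if (m := LEG.match(line)) and m.group(1) == intf:
            legs.append({"dir": m.group(2), "sent": set(), "rcvd": set(), "peer_ok": False})
        elif (m := CHAP.match(line)) and m.group(1) == intf and legs:
            io, kind, cid = m.group(2), m.group(3), int(m.group(4))
            leg = legs[-1]
            if kind == "CHALLENGE":  # O = we authenticate the peer, I = the peer authenticates us
                leg["sent" if io == "O" else "rcvd"].add(cid)
            elif io == "O" and cid in leg["sent"]:
                leg["peer_ok"] = True  # O SUCCESS for our own challenge
    return legs

def authenticates_callers_only(log):
    """Peer must be verified on every callin leg and never challenged on callout."""
    legs = chap_legs(log)
    return bool(legs) and all(
        l["peer_ok"] if l["dir"] == "callin" else not l["sent"] for l in legs)
```

Run against debug output captured on the router whose policy is being checked; a leg with an empty "sent" set is one on which that router never challenged its peer.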


