RE: ISDN PPP authentication

From: Brian Dennis (brian@labforge.com)
Date: Thu May 29 2003 - 20:06:34 GMT-3


You added the "ppp authentication chap" command which isn't a default.
The default is to be authenticated but not authenticate. If you don't
want to be authenticated then use the "ppp chap|pap refuse" command.

Try removing the "ppp authentication chap" command from R5 and see what
happens.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jason Cash
Sent: Thursday, May 29, 2003 1:44 PM
To: 'Brian Dennis'; ccielab@groupstudy.com
Subject: RE: ISDN PPP authentication

Being that it isn't stated how R5 should be treated in regard to
authentication, I left it at its default, which is to challenge,
correct?

All that was instructed was for R2 to authenticate R5 ONLY when R5 calls
R2. I would think that 'ppp authentication callin' would accomplish this.

How does the provided solution solve the task? Wouldn't 'ppp
authentication callback' on R2 only have R2 authenticate R5 when R5
calls R2 on callback? Maybe I am confusing this, but is there a document
that will explain this?

-----Original Message-----
From: Brian Dennis [mailto:brian@labforge.com]
Sent: Thursday, May 29, 2003 2:30 PM
To: 'Jason Cash'; ccielab@groupstudy.com

Jason,
Why do you have R5 authenticating R2? The task doesn't ask for R5 to
authenticate R2. Was that in another part of the practice lab?

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jason Cash
Sent: Thursday, May 29, 2003 10:44 AM
To: ccielab@groupstudy.com
Subject: ISDN PPP authentication

I am trying to complete a task that instructs:

Config R2 to authenticate R5 only when R5 calls R2.

The solution has R2 configured with:

R2
interface BRI0
 ip address 110.99.25.2 255.255.255.192
 encapsulation ppp
 dialer callback-secure
 ppp callback accept
 ppp authentication chap callback

R5
interface BRI0
 ip address 110.99.25.5 255.255.255.192
 encapsulation ppp
 ppp callback request
 ppp authentication chap

In doing a debug PPP auth, here is what I get. (Just for clarification,
an "I" means incoming and "O" is outbound, correct?)

With 'ppp auth chap callback':

R2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5

R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 45 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 46 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 46 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 46 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2

As you can see, with the 'callback' option on R2, R5 is challenging R2,
which responds. R2 then calls R5 back and is challenged by R5 AGAIN. (Do
you see my confusion?) It appears that with the 'callback' on R2, R2 is
not doing any challenging, which would make sense as it is waiting for a
callback from R5 to challenge. This will never happen as R2 is the
callback server.

-------------------------------------------------
with 'ppp auth chap callin'

Here is router 2:

BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: Waiting for peer to authenticate first
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: Processing saved Challenge, id 43
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callout
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 r5

Here is R5
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: O CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: I CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: O RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: I SUCCESS id 27 len 4
BR0:1 CHAP: I RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 43 len 4
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2
%LINK-3-UPDOWN: Interface BRI0:1, changed state to down
%LINK-3-UPDOWN: Interface BRI0:1, changed state to up
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: I RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: O SUCCESS id 44 len 4
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Vi1 PPP: Treating connection as a callin
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
%ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358661 r2

With the 'callin' option, R2 immediately challenges R5 (which is what is
instructed) then calls back and gets challenged by R5.

Am I interpreting this correctly?
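
Added example, not part of the original thread and not written by either poster: a small Python parser that reads "debug ppp authentication" output and reports, per call leg, which side authenticated the other. The sample input is excerpted from the R2 debug lines quoted above; the function and variable names are this example's own.

```python
import re

TREAT = re.compile(r"^\S+ PPP: Treating connection as a (callin|callout)")
CHAP = re.compile(r"^\S+ CHAP: ([IO]) (CHALLENGE|SUCCESS) id (\d+)")

def chap_legs(debug_text):
    """Return (direction, local_authenticated_peer, peer_authenticated_local)
    for each call leg found in the debug output of one router."""
    legs = []
    for line in map(str.strip, debug_text.splitlines()):
        if m := TREAT.match(line):
            legs.append({"dir": m.group(1), "O": set(), "I": set(), "ok": set()})
        elif legs and (m := CHAP.match(line)):
            io, kind, ident = m.groups()
            leg = legs[-1]
            if kind == "CHALLENGE":
                leg[io].add(ident)   # O = we challenged, I = the peer challenged
            elif ident in leg[io]:
                leg["ok"].add(io)    # SUCCESS travels the same way as its CHALLENGE
    # Legs with no CHAP exchange (the Virtual-Access line) are dropped.
    return [(l["dir"], "O" in l["ok"], "I" in l["ok"])
            for l in legs if l["O"] or l["I"]]

def authenticates_only_on_callin(legs):
    """True if the local router authenticated the peer on call-in legs only."""
    return all(local == (direction == "callin") for direction, local, _ in legs)

# R2 debug lines from the thread, 'ppp authentication chap callin' on R2.
R2_CALLIN = """\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: O CHALLENGE id 27 len 23 from "r2"
BR0:1 CHAP: I CHALLENGE id 43 len 23 from "r5"
BR0:1 CHAP: Waiting for peer to authenticate first
BR0:1 CHAP: I RESPONSE id 27 len 23 from "r5"
BR0:1 CHAP: O SUCCESS id 27 len 4
BR0:1 CHAP: Processing saved Challenge, id 43
BR0:1 CHAP: O RESPONSE id 43 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 43 len 4
BR0:1 PPP: Treating connection as a callout
BR0:1 CHAP: I CHALLENGE id 44 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 44 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 44 len 4
Vi1 PPP: Treating connection as a callout
"""
# First leg of the R2 debug from the thread, 'ppp authentication chap callback'.
R2_CALLBACK = """\
BR0:1 PPP: Treating connection as a callin
BR0:1 CHAP: I CHALLENGE id 45 len 23 from "r5"
BR0:1 CHAP: O RESPONSE id 45 len 23 from "r2"
BR0:1 CHAP: I SUCCESS id 45 len 4
"""
```

Calling `chap_legs(R2_CALLIN)` gives one tuple per leg; passing that list to `authenticates_only_on_callin` checks the captured behaviour against the task wording.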


