RE: many remote router in two way chap

From: Brian McGahan (brian@mcgahan.com)
Date: Mon Jul 21 2003 - 13:47:28 GMT-3


Fathallah,

        With CHAP authentication, you are not sending the password to
authenticate. Instead, you send a hash that represents the password.

        During the negotiation phase, the devices negotiate a magic
number. This number along with the password is put into the CHAP
algorithm, and out comes a hash value. The hash value is then sent over
the line. Unless the hash value matches, authentication will fail.
Since you can't get the same hash without the same password, CHAP
implies that the password must match on both sides.

HTH,

Brian McGahan, CCIE #8593
brian@mcgahan.com

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of FATHALLAH
> Sent: Monday, July 21, 2003 11:24 AM
> To: Ccielab
> Cc: cciegroupstudies
> Subject: many remote router in two way chap
>
> Hi group,
>
> It is normal that the IOS requires the same password for two different
> ISDN remote routers in two-way PPP CHAP authentication. That means for all
> remote customers we can have different hostnames but the same password is
> required. Can someone tell me that this is false and send me the correct
> config of my R6 router connecting the R5 and R1 routers.
>
> R6#sh run
> Building configuration...
>
> Current configuration:
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R6
> !
> !
> username R5 password 0 cisco
> username oujda password 0 oujda
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> lane client flush
> isdn switch-type basic-net3
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 150.10.6.6 255.255.255.0
> !
> interface Ethernet0/0
> ip address 200.100.100.6 255.255.255.0
> !
> interface Serial0/0
> ip address 150.10.60.6 255.255.255.0
> encapsulation frame-relay
> ip ospf message-digest-key 1 md5 cisco
> ip ospf network point-to-point
> shutdown
> no fair-queue
> frame-relay map ip 150.10.60.5 605 broadcast
> !
> interface BRI0/0
> no ip address
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-net3
> ppp authentication chap
> !
> interface Serial0/1
> no ip address
> shutdown
> !
> interface Dialer0
> ip address 150.10.65.2 255.255.255.252
> encapsulation ppp
> dialer remote-name R5
> dialer pool 1
> dialer string 250
> dialer max-call 4096
> dialer-group 1
> ppp authentication chap
> ppp chap password 7 110A1016141D
> !
> interface Dialer1
> ip address 150.10.56.2 255.255.255.0
> encapsulation ppp
> dialer remote-name Oujda
> dialer pool 1
> dialer string 250
> dialer max-call 4096
> dialer-group 1
> ppp authentication chap
> ppp chap password 7 02050D480809
> !
> router ospf 1
> area 5 authentication message-digest
> redistribute rip metric-type 1 subnets route-map only-even
> network 150.10.6.6 0.0.0.0 area 5
> network 150.10.60.0 0.0.0.255 area 5
> !
> router rip
> redistribute ospf 1 metric 2
> network 200.100.100.0
> !
> router bgp 6
> bgp confederation identifier 22
> bgp confederation peers 250
> neighbor 150.10.5.5 remote-as 250
> neighbor 150.10.5.5 ebgp-multihop 255
> neighbor 150.10.5.5 update-source Loopback0
> neighbor 200.100.100.13 remote-as 130
> neighbor 200.100.100.13 weight 1000
> !
> ip classless
> no ip http server
> !
> access-list 10 permit 198.5.1.0 0.0.254.255
> dialer-list 1 protocol ip permit
> route-map only-even deny 10
> match ip address 10
> !
> route-map only-even permit 20
> !
> !
> line con 0
> logging synchronous
> transport input none
> line aux 0
> line vty 0 4
> !
> no scheduler allocate
> end
>
> R6#
>
>
>
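
The computation described in the reply above, as an added example that is not part of the original thread or of any router's code: it models the RFC 1994 response value, MD5(Identifier || secret || Challenge), and runs two-way CHAP as two independent one-way exchanges. It goes slightly beyond the reply by assuming each side selects the secret by the name carried in the CHAP packet; the `Router` class, the hostnames and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Router:
    """Hypothetical model of one CHAP endpoint with a per-peer secret table."""
    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = secrets          # peer hostname -> shared secret

    def challenge(self):
        # Authenticator side: fresh identifier and random challenge per attempt.
        return os.urandom(1)[0], os.urandom(16), self.hostname

    def respond(self, identifier, challenge, challenger_name):
        # Peer side: hash with the secret configured for the challenger's name.
        secret = self.secrets[challenger_name]
        return chap_response(identifier, secret, challenge), self.hostname

    def verify(self, identifier, challenge, response, peer_name):
        # Authenticator side: recompute with the secret stored for peer_name.
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def one_way(authenticator, peer):
    # The secret never crosses the link; only identifier, challenge and hash do.
    ident, chal, name = authenticator.challenge()
    resp, peer_name = peer.respond(ident, chal, name)
    return authenticator.verify(ident, chal, resp, peer_name)

def two_way(a, b):
    # Two-way CHAP: each side authenticates the other in its own exchange.
    return one_way(a, b) and one_way(b, a)

# Constructed sample data (not the values from the posted configuration).
HUB = Router("HUB", {"SPOKE1": b"secret-one", "SPOKE2": b"secret-two"})
SPOKE1 = Router("SPOKE1", {"HUB": b"secret-one"})
SPOKE2 = Router("SPOKE2", {"HUB": b"secret-two"})
BAD = Router("SPOKE2", {"HUB": b"secret-one"})   # secret differs from HUB's entry
```

In this model the exchange with `BAD` fails because the hash it returns was computed from a secret that does not match the entry the authenticator holds for that name.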


