Re: ISDN PAP authentication problem

From: Alec Pun (clapun@graduate.hku.hk)
Date: Fri Aug 08 2003 - 05:20:55 GMT-3

• Next message: wing_lam@jossynergy.com: "SAP priority"
• Previous message: Tasuka Amano Hsu: "Re: access list question"
• Maybe in reply to: Alec Pun: "ISDN PAP authentication problem"
• Next in thread: Brian Dennis: "RE: ISDN PAP authentication problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thanks for your very kind assistance.

Yes you right, the problem was that I merely copied the ppp pap line from
bri0 interface to the dialer1 interface and didn't aware the encrypted
characters are different every time.

BTW, when I typed "ppp pap sent-username R5 password cisco" under interface
bri0, and then do a show run, the line becomes "ppp pap sent-username R5
password 7 110A1016141D". Why does the encryption type=7 actually mean as
pap should be just sending cleartext password ?

regards,
alec
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "'Alec Pun'" <clapun@graduate.hku.hk>; <ccielab@groupstudy.com>
Sent: Friday, August 08, 2003 2:58 PM
Subject: RE: ISDN PAP authentication problem

> As a side note you can tell that the dialer interface's pap password
> isn't "cisco" just by looking at it.
>
> They way you can tell that the password under the dialer interface isn't
> "cisco" is because "cisco" when encrypted using Cisco's standard
> encryption algorithm will output a string that is always 12
> digits/characters long ((encrypt string-2)/2). The password under the
> dialer interface when unencrypted is 6 digits/characters long.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Thursday, August 07, 2003 11:17 PM
> To: 'Alec Pun'; ccielab@groupstudy.com
> Subject: RE: ISDN PAP authentication problem
>
> Reset the pap password under the dialer interface on R5 to cisco and it
> should work. It looks like there are some extra characters after cisco
> in
> the password.
>
> ppp pap sent-username R5 password cisco
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Alec
> Pun
> Sent: Thursday, August 07, 2003 10:51 PM
> To: ccielab@groupstudy.com
> Subject: ISDN PAP authentication problem
>
> Hi group,
>
> I am trying PAP authentication over ISDN and hit into some problem. One
> side R5 is using dialer profile whereas the other one R6 is using legacy
> configuration. However, ISDN connection can't be established because of
> the
> PAP authentication failure.
>
> I've tried both sides using legacy configuration and it works. Grateful
> if
> any one can give me some hints, thanks.
>
> regards,
> alec
> ------------------------------------------------------------------------
>
> hostname R5
> !
> !
> username R6 password 0 cisco
>
> interface BRI0
> no ip address
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-net3
> isdn spid1 81049306240101
> isdn spid2 81049306250101
> ppp pap sent-username R5 password 7 030752180500
> !
> interface Dialer1
> ip address 1.1.1.5 255.255.255.0
> encapsulation ppp
> dialer pool 1
> dialer remote-name R6
> dialer string 4930622
> dialer-group 1
> pulse-time 0
> ppp authentication pap
> ppp pap sent-username R5 password 7 104D000A061852
> !
> dialer-list 1 protocol ip permit
>
>
> hostname R6
> !
> !
> username R5 password 0 cisco
>
> interface BRI0
> ip address 1.1.1.6 255.255.255.0
> encapsulation ppp
> dialer-group 1
> isdn switch-type basic-net3
> isdn spid1 81049306220101
> isdn spid2 81049306230101
> ppp authentication pap
> ppp pap sent-username R6 password 7 030752180500
> !
> ip classless
> ip http server
> !
> dialer-list 1 protocol ip permit
> !
>
> R5#ping 1.1.1.6
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.6, timeout is 2 seconds:
>
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 44 len 27 msg is "Authentication
> failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 45 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 45 len 27 msg is "Authentication
> failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 46 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 46 len 27 msg is "Authentication
> failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 47 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 47 len 27 msg is "Authentication
> failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> 1d20h: BR0:1 PPP: Treating connection as a callout
> 1d20h: BR0:1 PAP: O AUTH-REQ id 48 len 14 from "R5"
> 1d20h: BR0:1 PAP: I AUTH-NAK id 48 len 27 msg is "Authentication
> failure"
> 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> Success rate is 0 percent (0/5)
> R5#
> 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> [GroupStudy removed an attachment of type application/ms-tnef which had
> a name of winmail.dat]
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: wing_lam@jossynergy.com: "SAP priority"
• Previous message: Tasuka Amano Hsu: "Re: access list question"
• Maybe in reply to: Alec Pun: "ISDN PAP authentication problem"
• Next in thread: Brian Dennis: "RE: ISDN PAP authentication problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:55 GMT-3