Re: ISDN PAP authentication problem

From: huangg (bgv@ggv.com.cn)
Date: Fri Aug 08 2003 - 23:51:46 GMT-3


Hi, Dennis:
    When I use the same password in "ppp pap sent-username cisco password
same_password", after Cisco's standard encryption, the encrypted password
is not the same. Why is that?
Best regards!
huangg
----- Original Message -----
From: "Brian Dennis" <bdennis@internetworkexpert.com>
To: "'Alec Pun'" <clapun@graduate.hku.hk>; <ccielab@groupstudy.com>
Sent: Saturday, August 09, 2003 1:35 AM
Subject: RE: ISDN PAP authentication problem

> There are two options when putting the password in for the ppp pap
> sent-username command. The first is to enter the password in clear text.
>
>
> ppp pap sent-username cisco password cisco
> or
> ppp pap sent-username cisco password 0 cisco
>
> The second option is to enter your password after it has already been
> encrypted using Cisco's standard encryption algorithm.
>
> ppp pap sent-username cisco password 7 070C285F4D06
>
> The second option is just telling the router that the password is
> already in encrypted format. This encryption only pertains to how the
> password is stored in the configuration and doesn't mean the password
> will be sent across the line in encrypted format.
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alec Pun
> Sent: Friday, August 08, 2003 1:21 AM
> To: Brian Dennis; ccielab@groupstudy.com
> Subject: Re: ISDN PAP authentication problem
>
> Thanks for your very kind assistance.
>
> Yes, you're right, the problem was that I merely copied the ppp pap line
> from the bri0 interface to the dialer1 interface and wasn't aware that the
> encrypted characters are different every time.
>
> BTW, when I typed "ppp pap sent-username R5 password cisco" under
> interface bri0, and then did a show run, the line became "ppp pap
> sent-username R5 password 7 110A1016141D". Why does the encryption type=7
> actually mean as pap should be just sending cleartext password?
>
>
> regards,
> alec
> ----- Original Message -----
> From: "Brian Dennis" <bdennis@internetworkexpert.com>
> To: "'Alec Pun'" <clapun@graduate.hku.hk>; <ccielab@groupstudy.com>
> Sent: Friday, August 08, 2003 2:58 PM
> Subject: RE: ISDN PAP authentication problem
>
>
> > As a side note you can tell that the dialer interface's pap password
> > isn't "cisco" just by looking at it.
> >
> > The way you can tell that the password under the dialer interface isn't
> > "cisco" is because "cisco" when encrypted using Cisco's standard
> > encryption algorithm will output a string that is always 12
> > digits/characters long ((encrypt string-2)/2). The password under the
> > dialer interface when unencrypted is 6 digits/characters long.
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
> > Sent: Thursday, August 07, 2003 11:17 PM
> > To: 'Alec Pun'; ccielab@groupstudy.com
> > Subject: RE: ISDN PAP authentication problem
> >
> > Reset the pap password under the dialer interface on R5 to cisco and it
> > should work. It looks like there are some extra characters after cisco
> > in the password.
> >
> > ppp pap sent-username R5 password cisco
> >
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> > bdennis@internetworkexpert.com
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alec Pun
> > Sent: Thursday, August 07, 2003 10:51 PM
> > To: ccielab@groupstudy.com
> > Subject: ISDN PAP authentication problem
> >
> > Hi group,
> >
> > I am trying PAP authentication over ISDN and have hit a problem. One
> > side, R5, is using a dialer profile whereas the other one, R6, is using
> > legacy configuration. However, the ISDN connection can't be established
> > because of the PAP authentication failure.
> >
> > I've tried both sides using legacy configuration and it works. Grateful
> > if anyone can give me some hints, thanks.
> >
> > regards,
> > alec
> >
> > ----------------------------------------------------------------------
> >
> > hostname R5
> > !
> > !
> > username R6 password 0 cisco
> >
> > interface BRI0
> > no ip address
> > encapsulation ppp
> > dialer pool-member 1
> > isdn switch-type basic-net3
> > isdn spid1 81049306240101
> > isdn spid2 81049306250101
> > ppp pap sent-username R5 password 7 030752180500
> > !
> > interface Dialer1
> > ip address 1.1.1.5 255.255.255.0
> > encapsulation ppp
> > dialer pool 1
> > dialer remote-name R6
> > dialer string 4930622
> > dialer-group 1
> > pulse-time 0
> > ppp authentication pap
> > ppp pap sent-username R5 password 7 104D000A061852
> > !
> > dialer-list 1 protocol ip permit
> >
> >
> > hostname R6
> > !
> > !
> > username R5 password 0 cisco
> >
> > interface BRI0
> > ip address 1.1.1.6 255.255.255.0
> > encapsulation ppp
> > dialer-group 1
> > isdn switch-type basic-net3
> > isdn spid1 81049306220101
> > isdn spid2 81049306230101
> > ppp authentication pap
> > ppp pap sent-username R6 password 7 030752180500
> > !
> > ip classless
> > ip http server
> > !
> > dialer-list 1 protocol ip permit
> > !
> >
> > R5#ping 1.1.1.6
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 1.1.1.6, timeout is 2 seconds:
> >
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> > 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> > 1d20h: BR0:1 PPP: Treating connection as a callout
> > 1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"
> > 1d20h: BR0:1 PAP: I AUTH-NAK id 44 len 27 msg is "Authentication failure"
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> > 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> > 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> > 1d20h: BR0:1 PPP: Treating connection as a callout
> > 1d20h: BR0:1 PAP: O AUTH-REQ id 45 len 14 from "R5"
> > 1d20h: BR0:1 PAP: I AUTH-NAK id 45 len 27 msg is "Authentication failure"
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> > 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> > 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> > 1d20h: BR0:1 PPP: Treating connection as a callout
> > 1d20h: BR0:1 PAP: O AUTH-REQ id 46 len 14 from "R5"
> > 1d20h: BR0:1 PAP: I AUTH-NAK id 46 len 27 msg is "Authentication failure"
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> > 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> > 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> > 1d20h: BR0:1 PPP: Treating connection as a callout
> > 1d20h: BR0:1 PAP: O AUTH-REQ id 47 len 14 from "R5"
> > 1d20h: BR0:1 PAP: I AUTH-NAK id 47 len 27 msg is "Authentication failure"
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> > 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> > 1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
> > 1d20h: BR0:1 PPP: Treating connection as a callout
> > 1d20h: BR0:1 PAP: O AUTH-REQ id 48 len 14 from "R5"
> > 1d20h: BR0:1 PAP: I AUTH-NAK id 48 len 27 msg is "Authentication failure"
> > 1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
> > Success rate is 0 percent (0/5)
> > R5#
> > 1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
> >
> >
> >
> _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > [GroupStudy removed an attachment of type application/ms-tnef which
> had
> > a name of winmail.dat]



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:56 GMT-3
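
The points raised in this thread (the stored string differs each time, its length is 2 + 2 x password length, and type 7 only obscures the stored config), shown as an added Python example that is not part of the original messages. It assumes the widely published type 7 XOR key and the RFC 1334 PAP packet layout; the function names are illustrative, and the config lines and the AUTH-REQ length are the ones posted above.

```python
import re

# Fixed XOR key of IOS "type 7" obfuscation (widely published; not from this thread).
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded):
    """Two decimal digits give the starting key offset; the rest is hex XOR data."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a type 7 string: %r" % encoded)
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ KEY[(offset + i) % len(KEY)]
                 for i, b in enumerate(data)).decode("latin-1")

def encode_type7(password, offset):
    """Same password, different starting offset -> different stored string."""
    data = bytes(b ^ KEY[(offset + i) % len(KEY)]
                 for i, b in enumerate(password.encode("latin-1")))
    return "%02d%s" % (offset, data.hex().upper())

def pap_password_len(auth_req_len, peer_id):
    """RFC 1334 Authenticate-Request: 4-byte header, 1-byte Peer-ID length,
    Peer-ID, 1-byte Passwd-Length, Password."""
    return auth_req_len - 4 - 1 - len(peer_id) - 1

def audit(config):
    """List (config line, recovered password, has stray whitespace)."""
    findings = []
    for line in config.splitlines():
        m = re.search(r"password 7 (\S+)", line)
        if m:
            clear = decode_type7(m.group(1))
            findings.append((line.strip(), clear, clear != clear.strip()))
    return findings

# R5's two PAP lines as posted in the thread.
R5_CONFIG = """\
interface BRI0
 ppp pap sent-username R5 password 7 030752180500
interface Dialer1
 ppp pap sent-username R5 password 7 104D000A061852
"""

if __name__ == "__main__":
    for line, clear, stray in audit(R5_CONFIG):
        print("%-55s -> %r%s" % (line, clear, "  <-- stray whitespace" if stray else ""))
    print("AUTH-REQ len 14 from R5 carries a %d-byte password" % pap_password_len(14, "R5"))
```

Because the stored value is reversible with a fixed key, a configuration containing `password 7` lines needs the same handling as one containing cleartext passwords.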