RE: ISDN PAP authentication problem

From: MMoniz (ccie2002@tampabay.rr.com)
Date: Sat Aug 09 2003 - 18:01:29 GMT-3


Aw yes...spaces can kill you....especially in a production environment.

Rule:
NEVER copy and paste passwords

Not that this is what you did, but just stating..

Always manually enter passwords everywhere. And be sure when you do. White
space errors are very difficult to find, and if it is in the lab, by the
time you find it it is time to leave!!

And then you wonder why my IGP score was 0. It can kill you!!

And I don't mean "you" personally, I mean it as a sense.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Phuong
Sent: Saturday, August 09, 2003 4:28 PM
To: 'asadovnikov'; 'Brian Dennis'; 'Alec Pun'; ccielab@groupstudy.com
Subject: RE: ISDN PAP authentication problem

I found a stupid mistake that I sometimes make.
When I set a password, in many cases I try to discover which parameter
could follow this command (a habit). So I continue with a space, then ? ...
Then, you can guess, I forget to backspace and my password includes an
empty space that cannot be found by reviewing the configuration but only
with debug.

For example

R2(config-if)#ip ospf message-digest-key ?
  <1-255> Key ID
R2(config-if)#ip ospf message-digest-key 1 md5 ?
  <0-7> Encryption type (0 for not yet encrypted, 7 for proprietary)
  LINE The OSPF password (key)
R2(config-if)#ip ospf message-digest-key 1 md5 cisco ?
LINE <cr>
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#

I guess some people have the same habit as me, and make the same mistake

Hope you can avoid it next time
Phuong

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of asadovnikov
Sent: Saturday, August 09, 2003 1:24 PM
To: 'Brian Dennis'; 'Alec Pun'; ccielab@groupstudy.com
Subject: RE: ISDN PAP authentication problem

Excellent point. I was wondering if the password was the same on both
sides myself (as is often the case), but my password descriptor does not
show spaces. All the passwords were "cisco" or "cisco ", and I had no way
to tell the difference.

Thank you for bringing up this dependency on the string length. Is it
documented anywhere?

Best regards,
Alexei

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
Sent: Friday, August 08, 2003 2:59 AM
To: 'Alec Pun'; ccielab@groupstudy.com
Subject: RE: ISDN PAP authentication problem

As a side note you can tell that the dialer interface's pap password
isn't "cisco" just by looking at it.

The way you can tell that the password under the dialer interface isn't
"cisco" is because "cisco" when encrypted using Cisco's standard
encryption algorithm will output a string that is always 12
digits/characters long ((encrypt string-2)/2). The password under the
dialer interface when unencrypted is 6 digits/characters long.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian Dennis
Sent: Thursday, August 07, 2003 11:17 PM
To: 'Alec Pun'; ccielab@groupstudy.com
Subject: RE: ISDN PAP authentication problem

Reset the pap password under the dialer interface on R5 to cisco and it
should work. It looks like there are some extra characters after cisco in
the password.

ppp pap sent-username R5 password cisco

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alec Pun
Sent: Thursday, August 07, 2003 10:51 PM
To: ccielab@groupstudy.com
Subject: ISDN PAP authentication problem

Hi group,

I am trying PAP authentication over ISDN and hit a problem. One
side, R5, is using a dialer profile whereas the other one, R6, is using legacy
configuration. However, the ISDN connection can't be established because of
the PAP authentication failure.

I've tried both sides using legacy configuration and it works. Grateful if
anyone can give me some hints, thanks.

regards,
alec
------------------------------------------------------------------------

hostname R5
!
!
username R6 password 0 cisco

interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 isdn spid1 81049306240101
 isdn spid2 81049306250101
 ppp pap sent-username R5 password 7 030752180500
!
interface Dialer1
 ip address 1.1.1.5 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer remote-name R6
 dialer string 4930622
 dialer-group 1
 pulse-time 0
 ppp authentication pap
 ppp pap sent-username R5 password 7 104D000A061852
!
dialer-list 1 protocol ip permit

hostname R6
!
!
username R5 password 0 cisco

interface BRI0
 ip address 1.1.1.6 255.255.255.0
 encapsulation ppp
 dialer-group 1
 isdn switch-type basic-net3
 isdn spid1 81049306220101
 isdn spid2 81049306230101
 ppp authentication pap
 ppp pap sent-username R6 password 7 030752180500
!
ip classless
ip http server
!
dialer-list 1 protocol ip permit
!

R5#ping 1.1.1.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.6, timeout is 2 seconds:

1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
1d20h: BR0:1 PPP: Treating connection as a callout
1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"
1d20h: BR0:1 PAP: I AUTH-NAK id 44 len 27 msg is "Authentication failure"
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
1d20h: BR0:1 PPP: Treating connection as a callout
1d20h: BR0:1 PAP: O AUTH-REQ id 45 len 14 from "R5"
1d20h: BR0:1 PAP: I AUTH-NAK id 45 len 27 msg is "Authentication failure"
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
1d20h: BR0:1 PPP: Treating connection as a callout
1d20h: BR0:1 PAP: O AUTH-REQ id 46 len 14 from "R5"
1d20h: BR0:1 PAP: I AUTH-NAK id 46 len 27 msg is "Authentication failure"
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
1d20h: BR0:1 PPP: Treating connection as a callout
1d20h: BR0:1 PAP: O AUTH-REQ id 47 len 14 from "R5"
1d20h: BR0:1 PAP: I AUTH-NAK id 47 len 27 msg is "Authentication failure"
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
1d20h: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
1d20h: BR0:1 PPP: Treating connection as a callout
1d20h: BR0:1 PAP: O AUTH-REQ id 48 len 14 from "R5"
1d20h: BR0:1 PAP: I AUTH-NAK id 48 len 27 msg is "Authentication failure"
1d20h: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down.
Success rate is 0 percent (0/5)
R5#
1d20h: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
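
Added example (not part of the original thread): a length-only audit that applies the (encrypt string-2)/2 rule from the reply above to the R5 configuration and cross-checks it against the "len 14" in the AUTH-REQ debug line, without decoding any password. The function names are hypothetical; the PAP field layout is the one in RFC 1334, and the two-digit prefix check on type 7 strings is an assumption about their format.

```python
import re

TYPE7_RE = re.compile(r"password 7 ([0-9A-Fa-f]+)\s*$")
AUTH_REQ_RE = re.compile(r'PAP: O AUTH-REQ id \d+ len (\d+) from "([^"]*)"')

# Lines copied from the R5 configuration and debug output in the thread.
CONFIG = """\
interface BRI0
 ppp pap sent-username R5 password 7 030752180500
interface Dialer1
 ppp pap sent-username R5 password 7 104D000A061852
"""
DEBUG = '1d20h: BR0:1 PAP: O AUTH-REQ id 44 len 14 from "R5"\n'

def type7_plain_len(enc):
    """Plaintext length of a type 7 string: (encrypted length - 2) / 2."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a well-formed type 7 string: %r" % enc)
    return (len(enc) - 2) // 2

def pap_request_pw_len(pkt_len, peer_id):
    """Password length carried in a PAP Authenticate-Request.

    Layout: Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID
    Passwd-Length(1) Password; the Length field covers all of it.
    """
    return pkt_len - 4 - 1 - len(peer_id) - 1

def audit(config, debug, expected_secret):
    """Return (source, length) for every password whose length is wrong."""
    want, findings, context = len(expected_secret), [], None
    for line in config.splitlines():
        if line and not line.startswith((" ", "!")):
            context = line.strip()          # top-level line, e.g. "interface Dialer1"
        m = TYPE7_RE.search(line)
        if m and type7_plain_len(m.group(1)) != want:
            findings.append((context, type7_plain_len(m.group(1))))
    for m in AUTH_REQ_RE.finditer(debug):
        n = pap_request_pw_len(int(m.group(1)), m.group(2))
        if n != want:
            findings.append(('PAP AUTH-REQ from "%s"' % m.group(2), n))
    return findings

if __name__ == "__main__":
    for source, n in audit(CONFIG, DEBUG, "cisco"):
        print("%s: password is %d characters, expected 5" % (source, n))
```

Both checks point at the same place: the Dialer1 string and the request actually sent on the wire carry a 6-character password, while the BRI0 string is 5 characters.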



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:56 GMT-3