RE: CHAP callin

From: Jonathan V Hays (jhays@jtan.com)
Date: Thu Nov 06 2003 - 11:52:45 GMT-3


When you are under pressure, sitting for the lab exam, use "debug ppp
auth" to verify which side challenges. Don't trust your memory or the
Doc CD.

Also, use the online help:

R2(config-if)#ppp authentication chap ?
  callback Authenticate remote on callback only
  callin Authenticate remote on incoming call only
  callout Authenticate remote on outgoing call only
  ms-chap Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  optional Allow peer to refuse to authenticate
  pap Password Authentication Protocol (PAP)
  <cr>

Below are debug outputs for when R2 is configured with "ppp auth chap
callback".

R2:
------
*Mar 1 00:57:10.615: BR0:1 CHAP: I CHALLENGE id 3 len 23 from "R5"
*Mar 1 00:57:10.623: BR0:1 CHAP: O RESPONSE id 3 len 23 from "R2"
*Mar 1 00:57:10.647: BR0:1 CHAP: I SUCCESS id 3 len 4

The output above resulted when the connection was initiated from R2. You
can see from the "I CHALLENGE" lines in the "deb ppp auth" output on R2
that R5 is challenging R2, but not the other way around. When R5
initiates the connection, the same debug commands on R5 verify that it
is R5 doing the challenging, not R2.

R5:
-----
*Mar 1 00:58:24.683: BR0:1 CHAP: O CHALLENGE id 6 len 23 from "R5"
*Mar 1 00:58:24.707: BR0:1 CHAP: I RESPONSE id 6 len 23 from "R2"
*Mar 1 00:58:24.711: BR0:1 CHAP: O SUCCESS id 6 len 4

The configurations and complete debug are below.

##############################
ppp auth chap callback on R2
##############################
R2#
!
interface BRI0
 ip address 172.16.25.2 255.255.255.0
 encapsulation ppp
 dialer map ip 172.16.25.5 name R5 broadcast 8358661
 dialer-group 1
 isdn switch-type basic-ni
 ppp callback request
 ppp authentication chap callback

R5#
!
interface BRI0
 ip address 172.16.25.5 255.255.255.0
 encapsulation ppp
 dialer callback-secure
 dialer map ip 172.16.25.2 name R2 class dial1 broadcast 8358662
 dialer-group 1
 isdn switch-type basic-ni
 ppp callback accept
 ppp authentication chap
!
map-class dialer dial1
 dialer callback-server username
dialer-list 1 protocol ip permit

R2#deb dialer events
Dial on demand events debugging is on
R2#deb ppp auth
PPP authentication debugging is on
R2#sh is ac
--------------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
--------------------------------------------------------------------------------
Call    Calling      Called       Remote  Seconds Seconds Seconds Charges
Type    Number       Number       Name    Used    Left    Idle    Units/Currency
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

R2#p 172.16.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Mar 1 00:57:04.427: BR0 DDR: Dialing cause ip (s=172.16.25.2, d=172.16.25.5)
*Mar 1 00:57:04.427: BR0 DDR: Attempting to dial 8358661
*Mar 1 00:57:04.567: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:57:04.579: BR0:1 PPP: Treating connection as a callout
*Mar 1 00:57:06.611: BR0:1 CHAP: I CHALLENGE id 2 len 23 from "R5"
*Mar 1 00:57:06.619: BR0:1 CHAP: O RESPONSE id 2 len 23 from "R2"
*Mar 1 00:57:06.643: BR0:1 CHAP: I SUCCESS id 2 len 4
*Mar 1 00:57:06.643: BR0:1 DDR: Authentication required for callback
*Mar 1 00:57:06.707: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 8358661 , call lasted 2 seconds
*Mar 1 00:57:06.711: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
*Mar 1 00:57:06.719: BR0:1 DDR: disconnecting call
*Mar 1 00:57:08.427: BR0 DDR: Dialing cause ip (s=172.16.25.2, d=172.16.25.5)
*Mar 1 00:57:08.427: BR0 DDR: Attempting to dial 8358661
*Mar 1 00:57:08.567: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:57:08.579: BR0:1 PPP: Treating connection as a callout
*Mar 1 00:57:10.615: BR0:1 CHAP: I CHALLENGE id 3 len 23 from "R5"
*Mar 1 00:57:10.623: BR0:1 CHAP: O RESPONSE id 3 len 23 from "R2"
*Mar 1 00:57:10.647: BR0:1 CHAP: I SUCCESS id 3 len 4
*Mar 1 00:57:10.647: BR0:1 DDR: Authentication required for callback
*Mar 1 00:57:10.719: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 8358661 , call lasted 2 seconds
*Mar 1 00:57:10.727: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
*Mar 1 00:57:10.735: BR0:1 DDR: disconnecting call
*Mar 1 00:57:12.427: BR0 DDR: Dialing cause ip (s=172.16.25.2, d=172.16.25.5)
*Mar 1 00:57:12.427: BR0 DDR: Attempting to dial 8358661
*Mar 1 00:57:12.567: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:57:12.583: BR0:1 PPP: Treating connection as a callout
*Mar 1 00:57:14.635: BR0:1 CHAP: I CHALLENGE id 4 len 23 from "R5"
*Mar 1 00:57:14.643: BR0:1 CHAP: O RESPONSE id 4 len 23 from "R2"
*Mar 1 00:57:14.663: BR0:1 CHAP: I SUCCESS id 4 len 4
*Mar 1 00:57:14.667: BR0:1 DDR: Authentication required for callback
*Mar 1 00:57:14.739: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 8358661 , call lasted 2 seconds
*Mar 1 00:57:14.743: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
*Mar 1 00:57:14.751: BR0:1 DDR: disconnecting call
R2#
*Mar 1 00:57:21.707: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:57:21.719: BR0:1 PPP: Treating connection as a callin
*Mar 1 00:57:21.855: BR0:1 CHAP: I CHALLENGE id 5 len 23 from "R5"
*Mar 1 00:57:21.863: BR0:1 CHAP: O RESPONSE id 5 len 23 from "R2"
*Mar 1 00:57:21.887: BR0:1 CHAP: I SUCCESS id 5 len 4
*Mar 1 00:57:21.907: BR0:1 DDR: dialer protocol up
R2#
*Mar 1 00:57:22.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R2#p 172.16.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms
R2#u all
All possible debugging has been turned off
R2#isdn disc in bri0 all
R2#
*Mar 1 00:58:00.755: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 8358661 R5, call lasted 39 seconds
R2#
*Mar 1 00:58:00.855: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
R2#
*Mar 1 00:58:01.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
R2#
tsrv#5
[Resuming connection 5 to r2503a ... ]
[OK]
R5#deb dialer events
Dial on demand events debugging is on
R5#deb ppp auth
PPP authentication debugging is on
R5#p 172.16.25.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/36/36 ms
R5#
*Mar 1 00:58:24.483: BR0 DDR: Dialing cause ip (s=172.16.25.5, d=172.16.25.2)
*Mar 1 00:58:24.483: BR0 DDR: Attempting to dial 8358662
*Mar 1 00:58:24.623: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 00:58:24.651: BR0:1 PPP: Treating connection as a callout
*Mar 1 00:58:24.683: BR0:1 CHAP: O CHALLENGE id 6 len 23 from "R5"
*Mar 1 00:58:24.707: BR0:1 CHAP: I RESPONSE id 6 len 23 from "R2"
*Mar 1 00:58:24.711: BR0:1 CHAP: O SUCCESS id 6 len 4
*Mar 1 00:58:24.719: BR0:1 DDR: No callback negotiated
*Mar 1 00:58:24.739: BR0:1 DDR: dialer protocol up
*Mar 1 00:58:25.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R5#
*Mar 1 00:58:30.647: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 R2
R5#p 172.16.25.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/36 ms
##############################

Now if I remove the "ppp auth chap callback" from R2 and add it to R5,
without changing the rest of the callback configuration (callback
request and accept and so forth), then the challenge is initiated only
from R2. However, R2 can no longer successfully initiate the call and
create the connection. However, R5 can initiate the call and create a
connection. But the callback function will not work in this
configuration, no matter which side initiates the call.

Off the top of my head, I do not understand the details of why this is
true, but the fact is that "ppp auth chap callback" evidently must be
configured on the same side as "ppp callback request" for the callback
to function. See below.

##############################
ppp auth chap callback on R5
##############################

R2#p 172.16.25.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
*Mar 1 01:19:23.783: BR0 DDR: Dialing cause ip (s=172.16.25.2, d=172.16.25.5)
*Mar 1 01:19:23.787: BR0 DDR: Attempting to dial 8358661
*Mar 1 01:19:23.935: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 01:19:23.947: BR0:1 PPP: Treating connection as a callout
*Mar 1 01:19:25.967: BR0:1 CHAP: O CHALLENGE id 7 len 23 from "R2"
*Mar 1 01:19:25.991: BR0:1 CHAP: I RESPONSE id 7 len 23 from "R5"
*Mar 1 01:19:25.999: BR0:1 CHAP: O SUCCESS id 7 len 4
*Mar 1 01:19:26.003: BR0:1 DDR: Callback negotiated - waiting for server disconnect
*Mar 1 01:19:26.083: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 8358661 R5, call lasted 2 seconds
*Mar 1 01:19:26.087: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
*Mar 1 01:19:26.091: DDR: Callback client for R5 8358661 created
*Mar 1 01:19:26.099: BR0:1 DDR: disconnecting call
R2#
*Mar 1 01:20:01.091: DDR: No callback received from R5 8358661
*Mar 1 01:20:01.091: DDR: Freeing callback to R5 8358661
R2#sh debug
Dial on demand:
  Dial on demand events debugging is on
PPP:
  PPP authentication debugging is on
R2#

============================
R5#sh is ac
--------------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
--------------------------------------------------------------------------------
Call    Calling      Called       Remote  Seconds Seconds Seconds Charges
Type    Number       Number       Name    Used    Left    Idle    Units/Currency
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

R5#sh deb
Dial on demand:
  Dial on demand events debugging is on
PPP:
  PPP authentication debugging is on
R5#p 172.16.25.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.25.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 36/39/48 ms
R5#
*Mar 1 01:23:58.211: BR0 DDR: Dialing cause ip (s=172.16.25.5, d=172.16.25.2)
*Mar 1 01:23:58.215: BR0 DDR: Attempting to dial 8358662
*Mar 1 01:23:58.363: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
*Mar 1 01:23:58.391: BR0:1 PPP: Treating connection as a callout
*Mar 1 01:23:58.423: BR0:1 CHAP: I CHALLENGE id 8 len 23 from "R2"
*Mar 1 01:23:58.431: BR0:1 CHAP: O RESPONSE id 8 len 23 from "R5"
*Mar 1 01:23:58.451: BR0:1 CHAP: I SUCCESS id 8 len 4
*Mar 1 01:23:58.455: BR0:1 DDR: No callback negotiated
*Mar 1 01:23:58.479: BR0:1 DDR: dialer protocol up
*Mar 1 01:23:59.455: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to up
R5#
*Mar 1 01:24:04.387: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 8358662 R2
R5#
##############################

HTH,

Jonathan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
wing_lam@jossynergy.com
Sent: Wednesday, November 05, 2003 10:23 PM
To: Jonathan V Hays
Cc: 'Pun, Alec CL'; ccielab@groupstudy.com
Subject: RE: CHAP callin

Hi Jonathan,

Is the row "callback" mentioning the R5 callback call (or the R2 initial
call)? To me it seems "ppp authentication callback" in R2 means R2 does
not challenge the callback call.

Sorry that I haven't got an ISDN. Do you know who will challenge whom if
the "ppp authentication callback" config is in R5 and R2 still initiates
the call, with R5 as the callback server?

Thx,
BBD
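
Added example (not part of the original messages): a small Python parser that reads "debug ppp auth" CHAP lines like the ones in the post and reports, per exchange, which router challenged and which router answered. The sample logs are copied from the two short excerpts above; the function names are hypothetical, and the challenge-size calculation assumes the debug "len" value is the RFC 1994 Length field.

```python
import re

# Sample input: the CHAP lines from the R2 and R5 excerpts in the post.
R2_LOG = '''*Mar 1 00:57:10.615: BR0:1 CHAP: I CHALLENGE id 3 len 23 from "R5"
*Mar 1 00:57:10.623: BR0:1 CHAP: O RESPONSE id 3 len 23 from "R2"
*Mar 1 00:57:10.647: BR0:1 CHAP: I SUCCESS id 3 len 4'''
R5_LOG = '''*Mar 1 00:58:24.683: BR0:1 CHAP: O CHALLENGE id 6 len 23 from "R5"
*Mar 1 00:58:24.707: BR0:1 CHAP: I RESPONSE id 6 len 23 from "R2"
*Mar 1 00:58:24.711: BR0:1 CHAP: O SUCCESS id 6 len 4'''

CHAP_RE = re.compile(
    r'(?P<intf>\S+) CHAP: (?P<dir>[IO]) (?P<code>CHALLENGE|RESPONSE|SUCCESS|FAILURE)'
    r' id (?P<id>\d+) len (?P<len>\d+)(?: from "(?P<name>[^"]*)")?')

def chap_exchanges(log):
    """Group CHAP debug lines into exchanges and report who challenged whom."""
    exchanges = {}
    for m in map(CHAP_RE.search, log.splitlines()):
        if not m:
            continue  # DDR, LINK and other non-CHAP lines are ignored
        # CHALLENGE/SUCCESS/FAILURE are sent by the authenticator, RESPONSE by
        # the peer, so the I/O flag tells us which role the local router plays.
        local_is_auth = (m["dir"] == "O") != (m["code"] == "RESPONSE")
        # Keying on the role keeps both directions of mutual authentication
        # apart even when the two sides happen to use the same id.
        key = (m["intf"], int(m["id"]), local_is_auth)
        ex = exchanges.setdefault(key, {
            "intf": m["intf"], "id": int(m["id"]),
            "local_role": "authenticator" if local_is_auth else "peer",
            "authenticator": None, "peer": None,
            "value_size": None, "result": "incomplete"})
        name = m["name"] or ""
        if m["code"] == "CHALLENGE":
            ex["authenticator"] = name
            # RFC 1994: Length = 4-byte header + 1-byte Value-Size + Value + Name
            # (assumes the debug "len" is that Length field).
            ex["value_size"] = int(m["len"]) - 5 - len(name)
        elif m["code"] == "RESPONSE":
            ex["peer"] = name
        else:
            ex["result"] = m["code"].lower()
    return list(exchanges.values())

def challengers(log):
    """Names of routers whose challenge ended in SUCCESS (one name = one-way auth)."""
    return {ex["authenticator"] for ex in chap_exchanges(log)
            if ex["result"] == "success"}
```

Run against both excerpts, the only challenger is R5, which matches the one-way authentication described in the post; two names in the result would mean both sides challenged.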


