RE: chap required on one end only?

From: David Hiers (David_Hiers@adp.com)
Date: Mon Apr 05 2004 - 12:23:02 GMT-3


Right you are.

The "ppp authentication chap" command should really be named something like "ppp challenge chap", as a router will always attempt to respond to challenges, but will only challenge with this command configured.

In general, Cisco does a very poor job of using the word "authenticate". It really describes the entire process of challenging another entity to prove its identification (both challenge and response), but Cisco uses it to describe only the act of challenging.

David

********************************************
David Hiers
CCIE, CISSP
ADP Dealer Services
2525 SW First Avenue
Portland, OR 97201

v: 503 652 4740

email: david_hiers@adp.com
********************************************

-----Original Message-----
From: Serran [mailto:groupstudy@swiftdsl.com.au]
Sent: Monday, April 05, 2004 12:04 AM
To: Ccielab@Groupstudy. Com
Subject: chap required on one end only?

Interesting..

CHAP can be configured on one end ONLY (called or calling), and that will
not prevent a link from passing traffic through - the link will come up!

Here is R2 as the calling router, configured for chap only:

R2 (calling router)
username R5 password blah
ppp authentication chap

R5 (called router)
username R2 password blah

The only visible difference in the debugs shows in this line:
debug on calling router -> PPP: Phase is Authenticating, by this end (chap
only on this)
debug on calling router -> PPP: Phase is Authenticating, by both (chap on
both rtr's)

Likewise, if the calling router is not configured with chap --> PPP: Phase
is Authenticating, by peer

If the local user/pass combination was not supplied on both routers, this
doesn't work of course.

It shows that the router with no chap configured can do the hash functions
and respond to the challenges without chap configured explicitly.

In regards to a lab task requirement, if it is worded such that "configure
chap" or "do not want the password traversing the link", etc., this raises
some questions as to whether one end or both ends of the link are to be
configured for chap.

For those in the security area or working for an enterprise SP: would there
be any legal issues if chap is only configured on one side? The
assumption in my mind would be to configure chap on both ends of the link.

any thoughts on this??

cheers
Serran
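The behaviour Serran observed and David explained (a router always answers a CHAP Challenge as long as it has a username entry for the challenger, but only issues a Challenge when "ppp authentication chap" is configured) can be modelled directly. The following is an added example, not code from the thread or from Cisco: two hypothetical PppPeer objects exchange RFC 1994 CHAP packets, and bring_up_link() reports whether the link comes up together with a string mirroring the "Phase is Authenticating, by ..." debug line. The hostnames R2/R5 and password "blah" are taken from the post; the class and function names are invented for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PppPeer:
    """Hypothetical model of one end of a PPP link (example code)."""

    def __init__(self, hostname, usernames, authenticate_chap=False):
        self.hostname = hostname
        # "username <peer> password <secret>" table: peer hostname -> shared secret
        self.usernames = usernames
        # True when "ppp authentication chap" is configured on this end
        self.authenticate_chap = authenticate_chap
        self._next_id = 1

    def make_challenge(self):
        """Only an end with "ppp authentication chap" ever sends a Challenge."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        return {"id": ident, "value": os.urandom(16), "name": self.hostname}

    def answer_challenge(self, challenge):
        """Every end answers a Challenge, configured for CHAP or not.

        It only needs a username entry for the challenger's hostname to look
        up the shared secret; without one it cannot respond (returns None).
        """
        secret = self.usernames.get(challenge["name"])
        if secret is None:
            return None
        value = chap_response(challenge["id"], secret, challenge["value"])
        return {"id": challenge["id"], "value": value, "name": self.hostname}

    def verify_response(self, challenge, response):
        """Authenticator side: recompute the hash with our copy of the secret."""
        secret = self.usernames.get(response["name"])
        if secret is None or response["id"] != challenge["id"]:
            return False
        expected = chap_response(challenge["id"], secret, challenge["value"])
        return hmac.compare_digest(expected, response["value"])


def bring_up_link(local, peer):
    """Run the CHAP phase in each direction that is configured.

    Returns (link_up, phase) where phase mirrors the Cisco debug wording seen
    from "local": "by this end", "by peer", "by both" or "skipped".
    """
    challengers = []
    if local.authenticate_chap:
        challengers.append((local, peer))
    if peer.authenticate_chap:
        challengers.append((peer, local))

    if local.authenticate_chap and peer.authenticate_chap:
        phase = "by both"
    elif local.authenticate_chap:
        phase = "by this end"
    elif peer.authenticate_chap:
        phase = "by peer"
    else:
        phase = "skipped"

    for authenticator, responder in challengers:
        challenge = authenticator.make_challenge()
        response = responder.answer_challenge(challenge)
        if response is None or not authenticator.verify_response(challenge, response):
            return False, phase  # Authenticate-Failure: link does not come up
    return True, phase


if __name__ == "__main__":
    # Constructed sample matching the post: CHAP on the calling router only.
    r2 = PppPeer("R2", {"R5": b"blah"}, authenticate_chap=True)
    r5 = PppPeer("R5", {"R2": b"blah"})
    print(bring_up_link(r2, r5))  # link comes up, phase "by this end"
```

Note that the "skipped" case (neither end configured) also comes up, which is the practical point: only the end that is configured to challenge actually verifies anything about its peer, so a one-sided configuration authenticates the link in one direction only.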



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:42 GMT-3