From: David Hurtado (dei2viccie@hotmail.com)
Date: Mon Apr 05 2004 - 08:52:57 GMT-3
In CHAP and PAP authentication there are 2 roles: Authenticator and Peer
1.- Authenticator.
Disabled by default
To enable it: "ppp authentication {chap|pap}"
2.- Peer
Enabled by default
To disable it: "ppp {chap|pap} refuse"
So by default all the routers have the peer role enabled for PAP and CHAP.
The authenticator requests authentication and the peer responds to it.
So if you want one way authentication, for example with CHAP, configure the
side that wants to authenticate with the authenticator role:
ppp authentication chap
username X password X
and leave the other side with the default configuration, being a peer. You
only have to introduce:
username X password X
to make the peer able to answer the challenge correctly.
In case that you don't want the router to be authenticated, you have to
disable the peer role using:
ppp {chap|pap} refuse
I hope this will help you. If I'm wrong in some of my points, please correct
me.
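The authenticator/peer exchange described above, written out as an added Python model of the CHAP (RFC 1994) challenge/response; this is not code from the thread or from Cisco IOS. Each router holds a `username` table, `authenticate=True` stands for `ppp authentication chap` and `refuse=True` for `ppp chap refuse`; the router names and the password "blah" come from the R2/R5 example quoted further down, everything else is constructed.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """One PPP endpoint; 'users' is its 'username X password Y' table."""

    def __init__(self, name, users, authenticate=False, refuse=False):
        self.name = name
        self.users = users
        self.authenticate = authenticate  # 'ppp authentication chap' (authenticator role)
        self.refuse = refuse              # 'ppp chap refuse' (peer role disabled)

    def answer(self, ident, challenge, challenger_name):
        # Peer role: only needs a username entry for the challenger, no
        # 'ppp authentication' line; this is why the unconfigured router still answers.
        secret = self.users.get(challenger_name)
        if self.refuse or secret is None:
            return None                   # no Response packet is sent
        return (self.name, chap_response(ident, secret, challenge))

    def verify(self, ident, challenge, response):
        # Authenticator role: recompute the digest from the named user's secret.
        if response is None:
            return False
        name, digest = response
        secret = self.users.get(name)
        return secret is not None and hmac.compare_digest(
            digest, chap_response(ident, secret, challenge))


def authenticate_phase(local, remote):
    """Run the CHAP phase on a link as seen from 'local'. Returns (link_up, phase),
    where phase mirrors the IOS debug text 'Authenticating, by ...' ('none' is a
    constructed label for a link where neither side authenticates)."""
    outcomes = []
    for challenger, responder in ((local, remote), (remote, local)):
        if not challenger.authenticate:
            continue                      # this side never sends a Challenge
        ident, challenge = 1, os.urandom(16)
        response = responder.answer(ident, challenge, challenger.name)
        outcomes.append(challenger.verify(ident, challenge, response))
    phase = {(True, True): "by both", (True, False): "by this end",
             (False, True): "by peer", (False, False): "none"}
    return all(outcomes), phase[(local.authenticate, remote.authenticate)]
```

Running the model with CHAP on R2 only reproduces "by this end" with the link up, a wrong or missing `username` entry on R5 fails the phase, and `refuse=True` on R5 leaves R2's challenge unanswered.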
>From: "Serran" <groupstudy@swiftdsl.com.au>
>Reply-To: "Serran" <groupstudy@swiftdsl.com.au>
>To: "Ccielab@Groupstudy. Com" <ccielab@groupstudy.com>
>Subject: RE: chap required on one end only?
>Date: Mon, 5 Apr 2004 21:11:27 +1000
>
>someone pointed out to me that it is another way of configuring one way
>authentication without the callin and callout keywords (depending on where
>the chap configuration is placed).
>
>
>cheers
>Serran
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Serran
>Sent: Monday, 5 April 2004 5:04 PM
>To: Ccielab@Groupstudy. Com
>Subject: chap required on one end only?
>
>
>Interesting..
>
>CHAP can be configured on one end ONLY (called or calling), and that will
>not prevent a link from passing traffic through - the link will come up!
>
>here is the r2 as the calling router configured for chap only:
>
>R2 (calling router)
>username R5 password blah
>ppp authentication chap
>
>
>R5 (called router)
>username R2 password blah
>
>
>The only visible difference in debugs show this line:
>debug on calling router -> PPP: Phase is Authenticating, by this end (chap
>only on this)
>debug on calling router -> PPP: Phase is Authenticating, by both (chap on
>both rtr's)
>
>
>Likewise, if the calling router is not configured with chap --> PPP: Phase
>is Authenticating, by peer
>
>
>If the local user/pass combination was not supplied on both routers, this
>doesn't work of course.
>
>
>It shows that the router with no chap configured can do the hash functions
>and respond to the challenges without chap configured explicitly.
>
>
>In regards to a lab task requirement, if it is worded such that "configure
>chap" or "do not want the password traversing the link", etc.. this raises
>some questions as to if one end or both ends of the link are to be
>configured for chap.
>
>For those in the security area or working for an enterprise sp.. would there
>be any legal issues if chap is only configured on one side?? As the
>assumption in my mind would be to configure chap on both ends of the link.
>
>
>any thoughts on this??
>
>
>
>cheers
>Serran
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:42 GMT-3