chap required on one end only?

From: Serran (groupstudy@swiftdsl.com.au)
Date: Mon Apr 05 2004 - 04:04:02 GMT-3


Interesting..

CHAP can be configured on one end ONLY (called or calling), and that will
not prevent a link from passing traffic through: the link will come up!

Here is R2 as the calling router, configured for CHAP only:

R2 (calling router)
username R5 password blah
ppp authentication chap

R5 (called router)
username R2 password blah

The only visible difference in the debugs is this line:
debug on calling router -> PPP: Phase is Authenticating, by this end (CHAP
only on this end)
debug on calling router -> PPP: Phase is Authenticating, by both (CHAP on
both routers)

Likewise, if the calling router is not configured with CHAP --> PPP: Phase
is Authenticating, by peer

If the local user/pass combination was not supplied on both routers, this
doesn't work of course.

It shows that the router with no CHAP configured can still do the hash
functions and respond to the challenges without CHAP being configured explicitly.

In regard to a lab task requirement, if it is worded such that "configure
CHAP" or "do not want the password traversing the link", etc., this raises
some questions as to whether one end or both ends of the link are to be
configured for CHAP.

For those in the security area or working for an enterprise SP: would there
be any legal issues if CHAP is only configured on one side? The
assumption in my mind would be to configure CHAP on both ends of the link.

Any thoughts on this?

cheers
Serran
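The behaviour described in the post (a peer that has no `ppp authentication chap` of its own can still answer challenges, because answering only needs the `username ... password` entry, while issuing challenges is what the authentication command switches on) can be modelled with the CHAP algorithm from RFC 1994, where the response is MD5(Identifier || Secret || Challenge). The following is an added simulation, not code from the post or from Cisco IOS; the router names, the `blah` secret and the "by this end / by peer / by both" labels are taken from the post, and the `Router` class, `bring_up_link()` function and the choice of a 16-byte random challenge are assumptions made for the example.

```python
import hashlib
import hmac
import os

# RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge).
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    """Hypothetical model of a PPP endpoint (assumption for this example).

    usernames   -> the local 'username <peer> password <secret>' table
    authenticate -> True when 'ppp authentication chap' is configured
    """

    def __init__(self, name: str, usernames: dict, authenticate: bool = False):
        self.name = name
        self.usernames = usernames
        self.authenticate = authenticate
        self.next_id = 1

    def issue_challenge(self):
        # Only an authenticator sends challenges; the Identifier is per-challenge.
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        return ident, os.urandom(16)  # constructed challenge value

    def respond(self, ident: int, challenge: bytes, challenger_name: str):
        # The challenge carries the challenger's Name; the responder looks it up
        # in its own username table. No 'ppp authentication' command is needed.
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None
        return self.name, chap_response(ident, secret, challenge)

    def verify(self, ident: int, challenge: bytes, reply) -> bool:
        if reply is None:
            return False
        name, response = reply
        secret = self.usernames.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def authenticate_one_way(authenticator: Router, peer: Router) -> bool:
    """One CHAP exchange: authenticator challenges, peer answers, authenticator checks."""
    ident, challenge = authenticator.issue_challenge()
    reply = peer.respond(ident, challenge, authenticator.name)
    return authenticator.verify(ident, challenge, reply)


def bring_up_link(calling: Router, called: Router):
    """Return (link_up, phase) as seen from the calling router's debug output."""
    if calling.authenticate and called.authenticate:
        phase = "by both"
    elif calling.authenticate:
        phase = "by this end"
    elif called.authenticate:
        phase = "by peer"
    else:
        return True, "no authentication"

    ok = True
    if calling.authenticate:
        ok = ok and authenticate_one_way(calling, called)
    if called.authenticate:
        ok = ok and authenticate_one_way(called, calling)
    return ok, phase


if __name__ == "__main__":
    r2 = Router("R2", {"R5": "blah"}, authenticate=True)   # CHAP configured
    r5 = Router("R5", {"R2": "blah"})                      # username only
    print(bring_up_link(r2, r5))   # link comes up, "by this end"
```

The point the simulation makes is the one the post raises: with CHAP on one side only, the secret never crosses the link and the link still comes up, but only the configured side ever verifies who it is talking to. Flipping `authenticate` on R5 instead yields "by peer", enabling it on both yields "by both", and a mismatched `username` secret or a missing entry on either side makes the exchange fail, which matches the observation that the local user/password pair must exist on both routers.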



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:42 GMT-3