From: MMoniz (ccie2002@tampabay.rr.com)
Date: Sat May 15 2004 - 13:45:57 GMT-3
You would need to put the callin option on R1. This will tell R1 to only
challenge calls that are treated as callins. The called router.
R1 will still authenticate R2 "if" R1 initiates the call, as this would be
treated as a callout.
In either case R2 would authenticate R1. The documentation links are not very
good on this, as they have the 2 roles reversed.
This is from the doc.
When using the ppp authentication command with the callin keyword, the
Access Server will only authenticate the remote device if the remote device
initiated the call (for example, if the remote device "called in"). In this
case, authentication is specified on incoming (received) calls only.
The diagram and results are not correct in my opinion.
This is what it says, that completely contradicts the above CCO statement.
If Router 1 initiates a call to Router 2, Router 2 would challenge Router 1,
but Router 1 would not challenge Router 2. This occurs because the ppp
authentication chap callin command is configured on Router 1. This is an
example of a unidirectional authentication.
In this example, Router 1 initiates the call. Since Router 1 is configured
with the ppp authentication chap callin command, it does not challenge the
calling party, which is Router 2.
End of Cisco doc statements!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If R1 initiates the call then "R1" is the calling party, not R2.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Arifur Rahman
Sent: Saturday, May 15, 2004 11:05 AM
To: Ahmed Mustafa
Cc: Carlos G Mendioroz; ccielab@groupstudy.com
Subject: Re: callback or callin - please help
Hi
I understood it differently. If you leave R1 without callin/callout/callback etc.
then it will challenge both ways. But the requirement is "r1 will authenticate r2
only when r2 call r1". So it does not matter whether R2 challenges or not. Thank
you for your reply.
- Arif
At 04:13 PM 5/14/2004 -0700, Ahmed Mustafa wrote:
>To me,
>
>The command "PPP Authentication chap callin" will go on R2 since it is a
>called router. R2 will initiate a call, R1 will challenge it.
>
>Check this link out.
>
>http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a0080094333.shtml#configuringunidirectionalchapauthentication
>
>
>----- Original Message -----
>From: "Carlos G Mendioroz" <tron@huapi.ba.ar>
>To: "Arifur Rahman" <arahman@cisco.com>
>Cc: <ccielab@groupstudy.com>
>Sent: Friday, May 14, 2004 3:03 AM
>Subject: Re: callback or callin - please help
>
>
> > I would say the first config meets your req.
> > R1 authenticates R2 on callin, but not on callout (note you have a
> > CHALLENGE I but not CHALLENGE O in the second (callback) call.
> >
> > Arifur Rahman wrote:
> > > Hi Group
> > > > if it was asked "r1 will authenticate r2 only when r2 call r1", should I
> > > use callin or callout for r1. Please help. Config and debug below
> > >
> > > r2#sr int s3/0:23
> > > interface Serial3/0:23
> > > ip address 172.16.12.2 255.255.255.0
> > > encapsulation ppp
> > > dialer map ip 172.16.12.1 name r1 broadcast 5678
> > > dialer-group 1
> > > isdn switch-type primary-ni
> > > ppp callback request
> > > ppp authentication chap
> > > ppp multilink
> > > end
> > > r2#
> > >
> > >
> > > r1#sr int s3/0:23
> > > interface Serial3/0:23
> > > ip address 172.16.12.1 255.255.255.0
> > > encapsulation ppp
> > > dialer callback-secure
> > > dialer idle-timeout 20 either
> > > dialer enable-timeout 5
> > > dialer map ip 172.16.12.2 name r2 class CALLB broadcast 1234
> > > dialer-group 1
> > > isdn switch-type primary-ni
> > > isdn protocol-emulate network
> > > isdn T310 30000
> > > ppp callback accept
> > > ppp authentication chap callin
> > > ppp multilink
> > > end
> > >
> > > "debug ppp authen" output of router r1
> > >
> > > r1#
> > > 01:08:16: %LINK-3-UPDOWN: Interface Serial3/0:22, changed state to up
> > > r1#
> > > 01:08:16: Se3/0:22 PPP: Using dialer call direction
> > > 01:08:16: Se3/0:22 PPP: Treating connection as a callin
> > > 01:08:16: Se3/0:22 CHAP: O CHALLENGE id 8 len 23 from "r1"
> > > 01:08:16: Se3/0:22 CHAP: I CHALLENGE id 13 len 23 from "r2"
> > > 01:08:16: Se3/0:22 CHAP: Waiting for peer to authenticate first
> > > 01:08:16: Se3/0:22 CHAP: I RESPONSE id 8 len 23 from "r2"
> > > 01:08:16: Se3/0:22 CHAP: O SUCCESS id 8 len 4
> > > 01:08:16: Se3/0:22 CHAP: Processing saved Challenge, id 13
> > > 01:08:16: Se3/0:22 CHAP: O RESPONSE id 13 len 23 from "r1"
> > > 01:08:16: Se3/0:22 CHAP: I SUCCESS id 13 len 4
> > > > 01:08:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:22,
> > > > changed state to up
> > > > 01:08:17: %ISDN-6-DISCONNECT: Interface Serial3/0:22 disconnected from
> > > > 1234 r2, call lasted 1 seconds
> > > > r1#
> > > > 01:08:17: %LINK-3-UPDOWN: Interface Serial3/0:22, changed state to down
> > > > 01:08:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:22,
> > > > changed state to down
> > > r1#
> > > Vi1: Dialer re-enable time must be greater than serial pulse time: 5
> > > 01:08:21: %LINK-3-UPDOWN: Interface Serial3/0:0, changed state to up
> > > 01:08:21: Se3/0:0 PPP: Using dialer call direction
> > > 01:08:21: Se3/0:0 PPP: Treating connection as a callout
> > > 01:08:21: Se3/0:0 CHAP: I CHALLENGE id 9 len 23 from "r2"
> > > 01:08:21: Se3/0:0 CHAP: O RESPONSE id 9 len 23 from "r1"
> > > 01:08:21: Se3/0:0 CHAP: I SUCCESS id 9 len 4
> > > > 01:08:21: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
> > > r1#
> > > 01:08:21: Vi1 PPP: Using dialer call direction
> > > 01:08:21: Vi1 PPP: Treating connection as a callout
> > > r1#
> > > 01:08:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:0,
> > > changed state to up
> > > 01:08:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > > Virtual-Access1, changed state to up
> > > r1#
> > > 01:08:27: %ISDN-6-CONNECT: Interface Serial3/0:0 is now connected to
> > > 1234 r2
> > > r1#
> > > 01:08:42: %ISDN-6-DISCONNECT: Interface Serial3/0:0 disconnected from
> > > 1234 r2, call lasted 20 seconds
> > > r1#
> > > 01:08:42: %LINK-3-UPDOWN: Interface Serial3/0:0, changed state to down
> > > r1#
> > > 01:08:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:0,
> > > changed state to down
> > > 01:08:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > > Virtual-Access1, changed state to down
> > > r1#
> > > r1#
> > > r1#
> > > r1#
> > > r1#
> > > r1#ct
> > > Enter configuration commands, one per line. End with CNTL/Z.
> > > r1(config)#int s3/0:23
> > > r1(config-if)# ppp authentication chap callb
> > > r1(config-if)#^Z
> > > r1#
> > > 01:09:00: %SYS-5-CONFIG_I: Configured from console by console
> > > r1#
> > > r1#
> > > r1#sr int s3/0:23
> > > Building configuration...
> > >
> > > Current configuration : 392 bytes
> > > !
> > > interface Serial3/0:23
> > > ip address 172.16.12.1 255.255.255.0
> > > encapsulation ppp
> > > dialer callback-secure
> > > dialer idle-timeout 20 either
> > > dialer enable-timeout 5
> > > dialer map ip 172.16.12.2 name r2 class CALLB broadcast 1234
> > > dialer-group 1
> > > isdn switch-type primary-ni
> > > isdn protocol-emulate network
> > > isdn T310 30000
> > > ppp callback accept
> > > ppp authentication chap callback
> > > ppp multilink
> > > end
> > >
> > > r1#
> > > 01:09:11: %LINK-3-UPDOWN: Interface Serial3/0:22, changed state to up
> > > r1#
> > > 01:09:11: Se3/0:22 PPP: Using dialer call direction
> > > 01:09:11: Se3/0:22 PPP: Treating connection as a callin
> > > 01:09:11: Se3/0:22 CHAP: I CHALLENGE id 14 len 23 from "r2"
> > > 01:09:11: Se3/0:22 CHAP: O RESPONSE id 14 len 23 from "r1"
> > > 01:09:11: Se3/0:22 CHAP: I SUCCESS id 14 len 4
> > > > 01:09:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:22,
> > > > changed state to up
> > > > 01:09:12: %ISDN-6-CONNECT: Interface Serial3/0:22 is now connected to r2
> > > > 01:09:12: %ISDN-6-DISCONNECT: Interface Serial3/0:22 disconnected from
> > > > r2, call lasted 1 seconds
> > > > r1#
> > > > 01:09:12: %LINK-3-UPDOWN: Interface Serial3/0:22, changed state to down
> > > > 01:09:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:22,
> > > > changed state to down
> > > r1#
> > > 01:09:16: %LINK-3-UPDOWN: Interface Serial3/0:0, changed state to up
> > > r1#
> > > Vi1: Dialer re-enable time must be greater than serial pulse time: 5
> > > 01:09:16: Se3/0:0 PPP: Using dialer call direction
> > > 01:09:16: Se3/0:0 PPP: Treating connection as a callout
> > > 01:09:16: Se3/0:0 CHAP: O CHALLENGE id 2 len 23 from "r1"
> > > 01:09:16: Se3/0:0 CHAP: I CHALLENGE id 10 len 23 from "r2"
> > > 01:09:16: Se3/0:0 CHAP: O RESPONSE id 10 len 23 from "r1"
> > > 01:09:16: Se3/0:0 CHAP: I SUCCESS id 10 len 4
> > > 01:09:16: Se3/0:0 CHAP: I RESPONSE id 2 len 23 from "r2"
> > > 01:09:16: Se3/0:0 CHAP: O SUCCESS id 2 len 4
> > > > 01:09:16: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
> > > r1#
> > > 01:09:16: Vi1 PPP: Using dialer call direction
> > > 01:09:16: Vi1 PPP: Treating connection as a callout
> > > r1#
> > > 01:09:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0:0,
> > > changed state to up
> > > 01:09:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> > > Virtual-Access1, changed state to up
> > > r1#
> > > 01:09:22: %ISDN-6-CONNECT: Interface Serial3/0:0 is now connected to
> > > 1234 r2
> > > r1#
> > > 01:09:37: %ISDN-6-DISCONNECT: Interface Serial3/0:0 disconnected from
> > > 1234 r2, call lasted 20 seconds
> > >
> > > Appreciate your help. thank you - Arif
> > >
> > >
This archive was generated by hypermail 2.1.4 : Wed Jun 02 2004 - 11:12:12 GMT-3