From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Thu Aug 19 2004 - 02:19:00 GMT-3
Here is what I have in the latest version of lab 15 and the solution.
I'll post this to our forum also.
<Question>
4.7. Configure R4 to authenticate all calls using CHAP
authentication. R4 should challenge remote devices with the username of
ROUTER4.
4.8. R5 should respond to a CHAP challenge from R4 using the hostname
ROUTER5 and a hash that represents the password CISCO.
4.9. If any other device challenges R5 it should respond with the
hostname of ROUTER5 and a hash that represents the password UNKNOWN.
</Question>
<Solution>
R4:
username ROUTER5 password CISCO
!
interface BRI0/0
 dialer map ip 130.1.45.5 name ROUTER5 broadcast 5272015
 ppp authentication chap
 ppp chap hostname ROUTER4
R5:
username ROUTER4 password CISCO
!
interface BRI0/0
 dialer map ip 130.1.45.4 name ROUTER4 broadcast 5272014
 ppp chap hostname ROUTER5
 ppp chap password UNKNOWN
</Solution>
<Verification Task 4.7-4.8>
Rack1R4#ping 130.1.45.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.1.45.5, timeout is 2 seconds:
Rack1AS>5
[Resuming connection 2 to r5 ... ]
Rack1R5#
%LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
BR0/0:1 PPP: Using dialer call direction
BR0/0:1 PPP: Treating connection as a callin
BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
BR0/0:1 LCP: State is Listen
BR0/0:1 LCP: I CONFREQ [Listen] id 2 len 15
BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
BR0/0:1 LCP: MagicNumber 0x5ACFD26A (0x05065ACFD26A)
BR0/0:1 PPP: No remote authentication for call-in
BR0/0:1 LCP: O CONFREQ [Listen] id 2 len 10
BR0/0:1 LCP: MagicNumber 0x06E0FB02 (0x050606E0FB02)
BR0/0:1 LCP: O CONFACK [Listen] id 2 len 15
BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
BR0/0:1 LCP: MagicNumber 0x5ACFD26A (0x05065ACFD26A)
BR0/0:1 LCP: I CONFACK [ACKsent] id 2 len 10
BR0/0:1 LCP: MagicNumber 0x06E0FB02 (0x050606E0FB02)
BR0/0:1 LCP: State is Open
BR0/0:1 PPP: Phase is AUTHENTICATING, by the peer
BR0/0:1 CHAP: I CHALLENGE id 2 len 28 from "ROUTER4"
BR0/0:1 CHAP: Using hostname from interface CHAP
BR0/0:1 CHAP: Using password from AAA
BR0/0:1 CHAP: O RESPONSE id 2 len 28 from "ROUTER5"
BR0/0:1 CHAP: I SUCCESS id 2 len 4
BR0/0:1 PPP: Phase is FORWARDING, Attempting Forward
BR0/0:1 PPP: Queue IPCP code[1] id[1]
BR0/0:1 PPP: Queue CDPCP code[1] id[1]
BR0/0:1 PPP: Phase is ESTABLISHING, Finish LCP
BR0/0:1 PPP: Phase is UP
BR0/0:1 IPCP: O CONFREQ [Closed] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.5 (0x030682012D05)
BR0/0:1 CDPCP: O CONFREQ [Closed] id 1 len 4
BR0/0:1 PPP: Process pending packets
BR0/0:1 IPCP: Redirect packet to BR0/0:1
BR0/0:1 IPCP: I CONFREQ [REQsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.4 (0x030682012D04)
BR0/0:1 IPCP: O CONFACK [REQsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.4 (0x030682012D04)
BR0/0:1 CDPCP: Redirect packet to BR0/0:1
BR0/0:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
BR0/0:1 CDPCP: O CONFACK [REQsent] id 1 len 4
BR0/0:1 IPCP: I CONFACK [ACKsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.5 (0x030682012D05)
BR0/0:1 IPCP: State is Open
BR0/0:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
BR0/0:1 CDPCP: State is Open
BR0/0 IPCP: Install route to 130.1.45.4
BR0/0:1 IPCP: Add link info for cef entry 130.1.45.4
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
Rack1R5#
%ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5272014 ROUTER4
Rack1R5#ping 130.1.45.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.1.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/36 ms
Rack1R5#
</Verification Task 4.7-4.8>
<Verification Task 4.9>
Now, the CHAP hostname on R4 will be changed to TEST in order to see if
R5 responds with the password of UNKNOWN.
Rack1R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R4(config)#username ROUTER5 password UNKNOWN
Rack1R4(config)#interface BRI0/0
Rack1R4(config-if)#ppp chap hostname TEST
Rack1R4(config-if)#^Z
Rack1R4#ping 130.1.45.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.1.45.5, timeout is 2 seconds:
Rack1AS>5
Rack1R5#
%LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
BR0/0:1 PPP: Using dialer call direction
BR0/0:1 PPP: Treating connection as a callin
BR0/0:1 PPP: Phase is ESTABLISHING, Passive Open
BR0/0:1 LCP: State is Listen
BR0/0:1 LCP: I CONFREQ [Listen] id 3 len 15
BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
BR0/0:1 LCP: MagicNumber 0x5AD45B8B (0x05065AD45B8B)
BR0/0:1 PPP: No remote authentication for call-in
BR0/0:1 LCP: O CONFREQ [Listen] id 3 len 10
BR0/0:1 LCP: MagicNumber 0x06E58423 (0x050606E58423)
BR0/0:1 LCP: O CONFACK [Listen] id 3 len 15
BR0/0:1 LCP: AuthProto CHAP (0x0305C22305)
BR0/0:1 LCP: MagicNumber 0x5AD45B8B (0x05065AD45B8B)
BR0/0:1 LCP: I CONFACK [ACKsent] id 3 len 10
BR0/0:1 LCP: MagicNumber 0x06E58423 (0x050606E58423)
BR0/0:1 LCP: State is Open
BR0/0:1 PPP: Phase is AUTHENTICATING, by the peer
BR0/0:1 CHAP: I CHALLENGE id 3 len 25 from "TEST"
BR0/0:1 CHAP: Using hostname from interface CHAP
BR0/0:1 CHAP: Using password from interface CHAP
BR0/0:1 CHAP: O RESPONSE id 3 len 28 from "ROUTER5"
BR0/0:1 CHAP: I SUCCESS id 3 len 4
BR0/0:1 PPP: Phase is FORWARDING, Attempting Forward
BR0/0:1 PPP: Queue IPCP code[1] id[1]
BR0/0:1 PPP: Queue CDPCP code[1] id[1]
BR0/0:1 PPP: Phase is ESTABLISHING, Finish LCP
BR0/0:1 PPP: Phase is UP
BR0/0:1 IPCP: O CONFREQ [Closed] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.5 (0x030682012D05)
BR0/0:1 CDPCP: O CONFREQ [Closed] id 1 len 4
BR0/0:1 PPP: Process pending packets
BR0/0:1 IPCP: Redirect packet to BR0/0:1
BR0/0:1 IPCP: I CONFREQ [REQsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.4 (0x030682012D04)
BR0/0:1 IPCP: O CONFACK [REQsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.4 (0x030682012D04)
BR0/0:1 CDPCP: Redirect packet to BR0/0:1
BR0/0:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
BR0/0:1 CDPCP: O CONFACK [REQsent] id 1 len 4
BR0/0:1 IPCP: I CONFACK [ACKsent] id 1 len 10
BR0/0:1 IPCP: Address 130.1.45.5 (0x030682012D05)
BR0/0:1 IPCP: State is Open
BR0/0:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
BR0/0:1 CDPCP: State is Open
BR0/0 IPCP: Install route to 130.1.45.4
BR0/0:1 IPCP: Add link info for cef entry 130.1.45.4
%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
%ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 5272014 ROUTER4
Rack1R5#ping 130.1.45.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.1.45.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/33/36 ms
Rack1R5#
We can see by the output of the debug that R5 used the interface
password.
"BR0/0:1 CHAP: Using password from interface CHAP"
</Verification Task 4.9>
As a side note let me know if you find the verification of the task
useful.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
Sent: Wednesday, August 18, 2004 7:49 PM
To: Group Study; Brian McGahan
Subject: IE lab 15 task 4.7 - 4.9
Hey Brian,
I'm almost positive that the Solution Guide for the above task is wrong or incomplete.
The task requires the use of the password CISCO but nowhere in the solution guide is that password configured.
I checked the forum and there seems to be a lively discussion about this problem.
But, I'd like to hear from you or the other Brian what the definitive answer is.
What throws me is the specific requirement of task 4.9 - If any other device (besides R4) challenges R5 it should respond with a hash that represents the password UNKNOWN.
In other words, when R4 challenges R5, it should respond one way, but when a different device challenges R5, it should respond in a different way.
I think this requirement cries out for an explanation from the gurus.
Thanks, Tim
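Added example, not part of the original thread or of the lab material: a Python model of the secret selection visible in the two debug traces above ("Using password from AAA" for a challenge from ROUTER4, "Using password from interface CHAP" for a challenge from TEST), with the CHAP value computed as in RFC 1994, MD5(Identifier || secret || Challenge). The names Responder, Authenticator and run_exchange are hypothetical, and the lookup order is a simplified model of the behaviour the debug output shows, not IOS code.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Responder:
    """Simplified model of the challenged side (R5 in the lab)."""
    def __init__(self, hostname, users, default_password=None):
        self.hostname = hostname                  # ppp chap hostname
        self.users = users                        # username <peer> password <secret>
        self.default_password = default_password  # ppp chap password

    def select_secret(self, challenger):
        # A per-peer username entry wins; the interface password is only
        # the fallback for a challenger with no matching entry.
        if challenger in self.users:
            return self.users[challenger], "AAA"
        if self.default_password is not None:
            return self.default_password, "interface CHAP"
        raise LookupError(f"no secret for challenger {challenger!r}")

    def respond(self, ident, challenger, challenge):
        secret, source = self.select_secret(challenger)
        value = chap_response(ident, secret.encode(), challenge)
        return self.hostname, value, source

class Authenticator:
    """Simplified model of the challenging side (R4 in the lab)."""
    def __init__(self, hostname, users):
        self.hostname = hostname   # name sent in the CHALLENGE
        self.users = users         # username <peer> password <secret>

    def verify(self, ident, challenge, peer_name, value):
        secret = self.users.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(ident, secret.encode(), challenge)
        return hmac.compare_digest(expected, value)

def run_exchange(auth, resp, ident=1):
    challenge = os.urandom(16)  # fresh random challenge per attempt
    name, value, source = resp.respond(ident, auth.hostname, challenge)
    return auth.verify(ident, challenge, name, value), source

# R5 as configured in the solution above.
R5 = Responder("ROUTER5", {"ROUTER4": "CISCO"}, default_password="UNKNOWN")
```

A challenger named TEST that still holds CISCO for ROUTER5 fails verification, because R5 hashes UNKNOWN for any name it has no username entry for.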