RE: Different CHAP passwords for bidirectional authentication

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Wed May 04 2005 - 00:10:27 GMT-3


Bob,
        This will not work with CHAP as you see. The "ppp chap password
bob" will never be used since r2 finds the username r5 in its global
configuration. The "ppp chap password" command is used as a default
password IF the router does not find a username command in the global
configuration for the device that is challenging it. In this case it
finds r5. If r5 challenged with a different name, then the interface
level password would be used. But that would in turn break the
authentication in the other direction.

        So you are kind of in a catch-22 situation. The reason is that
CHAP is using the same username and password to authenticate the
remote router as it is to be authenticated by the remote router.

        If you want to have different passwords, use PAP on one or both
sides.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bob Nelson
Sent: Tuesday, May 03, 2005 4:57 PM
To: ccielab@groupstudy.com
Subject: Different CHAP passwords for bidirectional authentication

Hello Everyone:

I am trying to configure bidirectional CHAP authentication between two
routers.
It works using the standard configs on both sides:
r2
username r5 password cisco
!
int bri0/0
ppp authentication chap

r5
username r2 password cisco
!
int bri0/0
ppp authentication chap

What I was trying to do is use a separate password for r2-to-r5
authentication and a different one for r5-to-r2
by doing this:
r2
username r5 password cisco
!
int bri0/0
ppp authentication chap
ppp chap password bob

r5
username r2 password bob
!
int bri0/0
ppp authentication chap

No luck!!

I even tried using the ppp chap password cisco on the r5 side
specifying cisco as the password, but no luck either.

Should this work or have I missed something?
I would like to see if it is possible to use a separate
username/password combination for each side of the authentication.

Thanks
Bob
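
The secret lookup described in the reply, as an added Python example that is not part of either message and is not Cisco code. It is a simplified model: the Router class and its method names are hypothetical, the response hash is the RFC 1994 MD5 construction, and the two router pairs are constructed from the configs quoted in the thread.

```python
import hashlib
import hmac
import os

def chap_hash(ident, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:  # hypothetical model of one PPP endpoint
    def __init__(self, name, usernames, chap_password=None):
        self.name = name
        self.usernames = usernames          # global "username X password Y"
        self.chap_password = chap_password  # interface "ppp chap password Y"

    def secret_for_challenger(self, challenger):
        # Lookup order from the reply: a global username entry for the
        # challenger wins; the interface password is only the fallback.
        return self.usernames.get(challenger, self.chap_password)

    def respond(self, challenger, ident, challenge):
        secret = self.secret_for_challenger(challenger)
        if secret is None:
            return None
        return self.name, chap_hash(ident, secret, challenge)

def authenticate(authenticator, peer):
    """authenticator challenges peer; True if the response verifies."""
    ident, challenge = 1, os.urandom(16)
    reply = peer.respond(authenticator.name, ident, challenge)
    if reply is None:
        return False
    peer_name, value = reply
    # The authenticator checks the response with the same username table
    # it uses when it is the side being challenged.
    expected = authenticator.usernames.get(peer_name)
    if expected is None:
        return False
    return hmac.compare_digest(value, chap_hash(ident, expected, challenge))

def both_directions(a, b):
    return authenticate(a, b), authenticate(b, a)

# Constructed from the two configurations quoted in the thread.
WORKING = (Router("r2", {"r5": "cisco"}), Router("r5", {"r2": "cisco"}))
ATTEMPT = (Router("r2", {"r5": "cisco"}, chap_password="bob"),
           Router("r5", {"r2": "bob"}))

if __name__ == "__main__":
    print("standard configs:", both_directions(*WORKING))
    print("split passwords :", both_directions(*ATTEMPT))
```

In this model r2 answers a challenge from r5 with "cisco" and only falls back to "bob" when the challenger's name has no username entry, so the split-password attempt does not verify in either direction.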



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:56 GMT-3