Re: Different CHAP passwords for bidirectional authentication

From: Jim (quangnn@hptvietnam.com.vn)
Date: Wed May 04 2005 - 07:02:22 GMT-3


I bet that it works, but look at your topic. Did you write "Different CHAP
passwords for bidirectional authentication"?

On host R2 (R1 authenticates R2)

R2: <-- hostname r1 + challenge
R2: looks up its local database and finds the password PASS2 (username r1
password 0 PASS2)
R2: md5 ( PASS2 + challenge) -> hash2
R1: <-- r2 + hash2
R1: looks up its local database and finds the password PASS2 (username r2
password 0 PASS2)
R1: md5 ( PASS2 + its challenge) -> hash1
R1: hash1 = hash2 --> authentication is successful.

On host R1 (R2 authenticates R1)

R1: <-- hostname r2 + challenge
R1: looks up its local database and finds the password PASS2 (username r2
password 0 PASS2)
R1: md5 ( PASS2 + challenge) -> hash1
R2: <-- r1 + hash1
R2: looks up its local database and finds the password PASS2 (username r1
password 0 PASS2)
R2: md5 ( PASS2 + its challenge) -> hash2
R2: hash1 = hash2 --> authentication is successful.

Jim

----- Original Message -----
From: "bi.s" <bi.s@gmx.net>
To: "Brian Dennis" <bdennis@internetworkexpert.com>
Cc: <ccielab@groupstudy.com>
Sent: Wednesday, May 04, 2005 3:10 PM
Subject: Re: Different CHAP passwords for bidirectional authentication

> Brian Dennis wrote:
>> Bob,
>> This will not work with CHAP as you see. The "ppp chap password
>> bob" will never be used since r2 finds the username r5 in its global
>> configuration. The "ppp chap password" command is used as a default
>> password IF the router does not find a username command in the global
>> configuration for the device that is challenging it. In this case it
>> finds r5. If r5 challenged with a different name, then the interface
>> level password would be used. But that would in turn break the
>> authentication in the other direction.
>>
>> So you are kind of in a catch-22 situation. The reason is that
>> CHAP is using the same username and password to authentication the
>> remote router as it is to be authenticated by the remote router.
>>
>> If you want to have different passwords, use PAP on one or both
>> sides.
>>
>
> hi brian,
>
> shouldn't this work?
>
> hostname R1
> !
> username r1 password 0 PASS1
> username r2 password 0 PASS2
> !
> interface BRI0/0
> ip address 172.16.12.1 255.255.255.0
> encapsulation ppp
> dialer map ip 172.16.12.2 name r2 broadcast 5552002
> dialer-group 1
> ppp authentication chap
> ppp chap hostname r1
> !
>
> hostname R2
> !
> username r1 password 0 PASS2
> username r2 password 0 PASS1
> !
> interface BRI0/0
> ip address 172.16.12.2 255.255.255.0
> encapsulation ppp
> dialer map ip 172.16.12.1 name r1 broadcast 5552000
> dialer-group 1
> ppp authentication chap
> ppp chap hostname r2
> !
>
> cya
> -/b
>
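The exchange Jim walks through above, and the lookup order Brian describes (global username entry first, interface "ppp chap password" only as a fallback), modelled in Python as an added example that is not part of the thread. It assumes the RFC 1994 response format MD5(identifier || secret || challenge) and uses the two router configurations bi.s posted; each modelled router records which secret it actually consulted, which makes visible that both directions end up using PASS2 and the PASS1 entries are never read. The Router class, chap_one_way and thread_scenario names are this example's own.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Router:
    """Minimal model of a router's CHAP-relevant configuration (constructed for this example)."""
    hostname: str                                  # name sent in CHAP packets ("ppp chap hostname")
    users: Dict[str, str]                          # "username X password 0 Y" entries
    chap_password: Optional[str] = None            # interface-level "ppp chap password" default
    used: List[str] = field(default_factory=list)  # secrets this router actually consulted

    def secret_for(self, peer_name: str) -> Optional[str]:
        # Lookup order as described in the thread: a matching global username entry
        # wins; the interface password is only used when no entry matches that name.
        if peer_name in self.users:
            self.used.append(f"username {peer_name} -> {self.users[peer_name]}")
            return self.users[peer_name]
        if self.chap_password is not None:
            self.used.append(f"ppp chap password -> {self.chap_password}")
            return self.chap_password
        return None


def chap_hash(ident: int, secret: str, challenge: bytes) -> str:
    # RFC 1994: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).hexdigest()


def chap_one_way(authenticator: Router, peer: Router, ident: int = 1,
                 challenge: Optional[bytes] = None) -> bool:
    """Authenticator challenges peer and verifies the response; True on success."""
    challenge = challenge or os.urandom(16)
    # 1. The Challenge packet carries the authenticator's name; the peer uses that
    #    name to pick the secret from its own database.
    secret_at_peer = peer.secret_for(authenticator.hostname)
    if secret_at_peer is None:
        return False
    response = chap_hash(ident, secret_at_peer, challenge)
    # 2. The Response packet carries the peer's name; the authenticator looks that
    #    name up in its own database and recomputes the hash.
    expected_secret = authenticator.secret_for(peer.hostname)
    if expected_secret is None:
        return False
    return chap_hash(ident, expected_secret, challenge) == response


def bidirectional(r1: Router, r2: Router) -> bool:
    """Both sides authenticate each other, as with "ppp authentication chap" on both ends."""
    return chap_one_way(r1, r2) and chap_one_way(r2, r1)


def thread_scenario():
    """The two configurations from the thread; returns (success, r1 lookups, r2 lookups)."""
    r1 = Router("r1", {"r1": "PASS1", "r2": "PASS2"})
    r2 = Router("r2", {"r1": "PASS2", "r2": "PASS1"})
    ok = bidirectional(r1, r2)
    return ok, r1.used, r2.used


def interface_password_scenario():
    """Brian's point: a global entry for the challenger's name shadows "ppp chap password"."""
    r2 = Router("r2", {"r5": "SHARED"}, chap_password="bob")   # constructed values
    r5 = Router("r5", {"r2": "SHARED"})
    ok = bidirectional(r5, r2)
    return ok, r2.used


if __name__ == "__main__":
    ok, r1_used, r2_used = thread_scenario()
    print("bidirectional CHAP:", ok)
    print("R1 consulted:", r1_used)
    print("R2 consulted:", r2_used)
    print("interface password used:", any("ppp chap" in u for u in interface_password_scenario()[1]))
```

Running it prints that the exchange succeeds and that every lookup on both routers returned PASS2; the interface-password scenario shows "bob" is never consulted because r2 finds a username entry for r5 first.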



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:56 GMT-3