From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Wed May 04 2005 - 10:06:14 GMT-3
One of the username commands on each router is never used, so this means
you are still using the same password on both sides:
hostname R1
!
username r1 password 0 PASS1 <-- NEVER USED
username r2 password 0 PASS2
!
interface BRI0/0
ppp chap hostname r1
!
hostname R2
!
username r1 password 0 PASS2
username r2 password 0 PASS1 <-- NEVER USED
!
interface BRI0/0
ip address 172.16.12.2 255.255.255.0
ppp chap hostname r2
Just think about how CHAP works and you'll see that the username with
the router's own name is never used in your configuration.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
-----Original Message-----
From: bi.s [mailto:bi.s@gmx.net]
Sent: Wednesday, May 04, 2005 1:10 AM
To: Brian Dennis
Cc: 'ccielab@groupstudy.com'
Subject: Re: Different CHAP passwords for bidirectional authentication
Brian Dennis wrote:
> Bob,
> This will not work with CHAP as you see. The "ppp chap password
> bob" will never be used since r2 finds the username r5 in its global
> configuration. The "ppp chap password" command is used as a default
> password IF the router does not find a username command in the global
> configuration for the device that is challenging it. In this case it
> finds r5. If r5 challenged with a different name, then the interface
> level password would be used. But that would in turn break the
> authentication in the other direction.
>
> So you are kind of in a catch-22 situation. The reason is that
> CHAP is using the same username and password to authenticate the
> remote router as it is to be authenticated by the remote router.
>
> If you want to have different passwords, use PAP on one or both
> sides.
>
Hi Brian,
Shouldn't this work?
hostname R1
!
username r1 password 0 PASS1
username r2 password 0 PASS2
!
interface BRI0/0
ip address 172.16.12.1 255.255.255.0
encapsulation ppp
dialer map ip 172.16.12.2 name r2 broadcast 5552002
dialer-group 1
ppp authentication chap
ppp chap hostname r1
!
hostname R2
!
username r1 password 0 PASS2
username r2 password 0 PASS1
!
interface BRI0/0
ip address 172.16.12.2 255.255.255.0
encapsulation ppp
dialer map ip 172.16.12.1 name r1 broadcast 5552000
dialer-group 1
ppp authentication chap
ppp chap hostname r2
!
cya
-/b
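The following is an added example, not part of the original thread and not Cisco code: a small Python model of the two CHAP exchanges between R1 and R2 using the configuration bi.s posted, with the username lookup rule Brian describes (the responder uses the password from the "username" entry matching the challenger's name, and falls back to the interface-level "ppp chap password" only when no such entry exists; the authenticator checks the response against the entry matching the responder's name). The digest is the RFC 1994 one, MD5(identifier || secret || challenge value). The hostname "r5" and the password "DEFAULT" in the second scenario are constructed for illustration. Running it shows that both directions succeed using PASS2 only, and that "username r1" on R1 and "username r2" on R2 are never consulted, which is Brian's point.

```python
import hashlib
import os


class Router:
    """Model of a router doing PPP CHAP as the thread describes IOS behaviour.

    Constructed example, not Cisco code. Modelled rules:
      * when challenged, look the challenger's name up in the global
        'username' table and use that password; only if no entry exists,
        fall back to the interface-level 'ppp chap password';
      * when verifying, look the responder's name up in the same table and
        recompute the digest with that password.
    """

    def __init__(self, hostname, usernames, chap_hostname=None, chap_password=None):
        self.hostname = hostname
        self.usernames = dict(usernames)                 # 'username X password Y'
        self.chap_hostname = chap_hostname or hostname   # 'ppp chap hostname'
        self.chap_password = chap_password               # 'ppp chap password' or None
        self.used = set()                                # username entries consulted

    def _secret_for(self, peer_name):
        if peer_name in self.usernames:
            self.used.add(peer_name)
            return self.usernames[peer_name]
        return self.chap_password      # default only when no username entry exists

    def challenge(self):
        """CHAP Challenge: (identifier, random value, our name)."""
        return os.urandom(1)[0], os.urandom(16), self.chap_hostname

    def respond(self, ident, value, challenger_name):
        """CHAP Response: MD5(identifier || secret || challenge value) plus our name."""
        secret = self._secret_for(challenger_name)
        if secret is None:
            return None                # no password at all to answer with
        digest = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return ident, digest, self.chap_hostname

    def verify(self, ident, value, response):
        """Authenticator side: returns (ok, secret the digest was checked against)."""
        if response is None:
            return False, None
        r_ident, r_digest, responder_name = response
        if r_ident != ident or responder_name not in self.usernames:
            return False, None         # no 'username <responder>' entry: cannot verify
        secret = self._secret_for(responder_name)
        expected = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return expected == r_digest, secret


def one_way(authenticator, peer):
    """authenticator challenges peer; returns (ok, secret used by the authenticator)."""
    ident, value, name = authenticator.challenge()
    return authenticator.verify(ident, value, peer.respond(ident, value, name))


def bidirectional(a, b):
    """Both sides challenge each other, as 'ppp authentication chap' on both ends does."""
    return {
        f"{a.hostname} authenticates {b.hostname}": one_way(a, b),
        f"{b.hostname} authenticates {a.hostname}": one_way(b, a),
    }


def unused_entries(router):
    return sorted(set(router.usernames) - router.used)


def run_thread_config():
    """The two routers exactly as configured in the thread."""
    r1 = Router("R1", {"r1": "PASS1", "r2": "PASS2"}, chap_hostname="r1")
    r2 = Router("R2", {"r1": "PASS2", "r2": "PASS1"}, chap_hostname="r2")
    results = bidirectional(r1, r2)
    return results, unused_entries(r1), unused_entries(r2)


def run_fallback_case():
    """Constructed scenario for the 'ppp chap password' rule: R2 challenges under the
    name 'r5', which R1 has no username for, so R1 answers with its interface
    default. The reverse direction then fails because R1 has no 'username r5'."""
    r1 = Router("R1", {"r2": "PASS2"}, chap_hostname="r1", chap_password="DEFAULT")
    r2 = Router("R2", {"r1": "DEFAULT"}, chap_hostname="r5")
    return bidirectional(r1, r2)


if __name__ == "__main__":
    results, unused_r1, unused_r2 = run_thread_config()
    for direction, (ok, secret) in results.items():
        print(f"{direction}: ok={ok} password checked={secret}")
    print("never used on R1:", unused_r1, " never used on R2:", unused_r2)
    for direction, (ok, secret) in run_fallback_case().items():
        print(f"fallback case, {direction}: ok={ok} password checked={secret}")
```

The model deliberately keeps the authenticator bound to its "username" table, as the thread describes; it does not model AAA or RADIUS lookups, which the thread does not discuss.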