Re: Ways of Callback PPP/ISDN/Dialer

From: Sean C (Upp_and_Upp@hotmail.com)
Date: Wed May 11 2005 - 15:28:55 GMT-3


Cool, think I got it. The called router waits until the calling router
initiates authentication first. The called router thinks 'Since someone
called me, let them tell me who they are first.' Got it.

So, if for no particular reason, I find myself in Raleigh sometime soon, and
I'm tasked with configuring the called router to allow itself to be
authenticated as soon as a call is received, just do a 'no ppp chap wait' on
the rcving router.

Most appreciated! Sean
----- Original Message -----
From: "marvin greenlee" <marvin@ccbootcamp.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "Sean C" <Upp_and_Upp@hotmail.com>;
"Group Study" <ccielab@groupstudy.com>
Sent: Wednesday, May 11, 2005 12:46 PM
Subject: RE: Ways of Callback PPP/ISDN/Dialer [bayes]

> Note the line "Waiting for peer to authenticate first".
>
> The called router waits.
>
>
>
> *****
>
> R5 Calling R6
> R5 - ppp chap wait
> R6 - PPP chap wait
>
> R6#
> *Mar 11 06:37:34.856: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> *Mar 11 06:37:34.860: BR0/0:1 PPP: Using dialer call direction
> *Mar 11 06:37:34.860: BR0/0:1 PPP: Treating connection as a callin
> *Mar 11 06:37:34.972: BR0/0:1 CHAP: O CHALLENGE id 8 len 23 from "r6"
> *Mar 11 06:37:34.976: BR0/0:1 CHAP: I CHALLENGE id 8 len 23 from "r5"
> *Mar 11 06:37:34.980: BR0/0:1 CHAP: Waiting for peer to authenticate first
> *Mar 11 06:37:34.988: BR0/0:1 CHAP: I RESPONSE id 8 len 23 from "r5"
> *Mar 11 06:37:34.988: BR0/0:1 CHAP: O SUCCESS id 8 len 4
> *Mar 11 06:37:34.992: BR0/0:1 CHAP: Processing saved Challenge, id 8
> *Mar 11 06:37:34.992: BR0/0:1 CHAP: O RESPONSE id 8 len 23 from "r6"
> *Mar 11 06:37:35.004: BR0/0:1 CHAP: I SUCCESS id 8 len 4
> *Mar 11 06:37:36.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,changed state to up
>
> r5#
> *Mar 11 06:37:39.860: BR0/0:1 PPP: Using dialer call direction
> *Mar 11 06:37:39.860: BR0/0:1 PPP: Treating connection as a callout
> *Mar 11 06:37:39.872: BR0/0:1 CHAP: O CHALLENGE id 8 len 23 from "r5"
> *Mar 11 06:37:39.880: BR0/0:1 CHAP: I CHALLENGE id 8 len 23 from "r6"
> *Mar 11 06:37:39.884: BR0/0:1 CHAP: O RESPONSE id 8 len 23 from "r5"
> *Mar 11 06:37:39.896: BR0/0:1 CHAP: I SUCCESS id 8 len 4
> *Mar 11 06:37:39.900: BR0/0:1 CHAP: I RESPONSE id 8 len 23 from "r6"
> *Mar 11 06:37:39.904: BR0/0:1 CHAP: O SUCCESS id 8 len 4
> *Mar 11 06:37:40.906: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,changed state to up
>
> *****
> R6 calling R5
> r5 - ppp chap wait
> r6 - ppp chap wait
>
>
> R6#
> *Mar 11 06:39:14.944: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> *Mar 11 06:39:14.944: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> *Mar 11 06:39:14.948: BR0/0:1 PPP: Using dialer call direction
> *Mar 11 06:39:14.948: BR0/0:1 PPP: Treating connection as a callout
> *Mar 11 06:39:14.964: BR0/0:1 CHAP: O CHALLENGE id 9 len 23 from "r6"
> *Mar 11 06:39:14.972: BR0/0:1 CHAP: I CHALLENGE id 9 len 23 from "r5"
> *Mar 11 06:39:14.972: BR0/0:1 CHAP: O RESPONSE id 9 len 23 from "r6"
> *Mar 11 06:39:14.984: BR0/0:1 CHAP: I SUCCESS id 9 len 4
> *Mar 11 06:39:14.992: BR0/0:1 CHAP: I RESPONSE id 9 len 23 from "r5"
> *Mar 11 06:39:14.992: BR0/0:1 CHAP: O SUCCESS id 9 len 4
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 28/28/28 ms
> r6#
> *Mar 11 06:39:15.994: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,changed state to up
> *Mar 11 06:39:20.950: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 49 30624 r5
>
> R5#
> *Mar 11 06:39:19.543: BR0/0:1 PPP: Using dialer call direction
> *Mar 11 06:39:19.543: BR0/0:1 PPP: Treating connection as a callin
> *Mar 11 06:39:19.864: BR0/0:1 CHAP: O CHALLENGE id 9 len 23 from "r5"
> *Mar 11 06:39:19.868: BR0/0:1 CHAP: I CHALLENGE id 9 len 23 from "r6"
> *Mar 11 06:39:19.868: BR0/0:1 CHAP: Waiting for peer to authenticate first
> *Mar 11 06:39:19.876: BR0/0:1 CHAP: I RESPONSE id 9 len 23 from "r6"
> *Mar 11 06:39:19.880: BR0/0:1 CHAP: O SUCCESS id 9 len 4
> *Mar 11 06:39:19.880: BR0/0:1 CHAP: Processing saved Challenge, id 9
> *Mar 11 06:39:19.884: BR0/0:1 CHAP: O RESPONSE id 9 len 23 from "r5"
> *Mar 11 06:39:19.896: BR0/0:1 CHAP: I SUCCESS id 9 len 4
> *Mar 11 06:39:20.898: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,changed state to up
>
>
> Marvin Greenlee, CCIE#12237, CCSI# 30483
> Network Learning Inc
> marvin@ccbootcamp.com
> www.ccbootcamp.com (Cisco Training)
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Wednesday, May 11, 2005 7:59 AM
> To: Sean C; Group Study
> Cc: marvin greenlee
> Subject: RE: Ways of Callback PPP/ISDN/Dialer [bayes]
>
> Sean,
>
> This IS in the archives. I know because I had this conversation with Marvin
> Greenlee about 2 months ago.
>
> I believe the Called Router Waits but if you have access to 2 rtr's with
> isdn you can see for yourself by using debug ppp authen.
>
> HTH, Tim
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Sean C
> Sent: Wednesday, May 11, 2005 10:31 AM
> To: GroupStudy
> Subject: Re: Ways of Callback PPP/ISDN/Dialer
>
> Ok, just when I thought I stopped my little head from spinning, a person wrote
> to me offline and brought up a good PPP question that now has me baffled also.
> I tried Googling and searching the archives but nada... I found one vendor
> alluded to this in their own forum, but no real explanation for the solution.
>
> ppp chap wait: To specify that the router will not authenticate to a peer
> requesting Challenge Handshake Authentication Protocol (CHAP) authentication
> until after the peer has authenticated itself to the router, use the ppp chap
> wait command in interface configuration mode.
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_p1g.htm#wp1070281
>
> The perplexing part is that the doc says this command is enabled by default.
> So the question is if ppp chap wait is enabled by default and both routers'
> ints have this enabled, what makes the 2 routers finally authenticate
> properly? The doc makes it read as if both routers will play a game of
> chicken, waiting for the other side to be authenticated first before it allows
> itself to be authenticated. Since each router is waiting for the other side
> to be authenticated first, neither side will ever be authenticated.
> Arggh!!!
>
> Any suggestions/hints of advice would be appreciated....
> Sean
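
Added example, not part of the original thread: a small Python check that reads one router's `debug ppp authentication` output and reports whether, on a call-in, the router held back its own CHAP RESPONSE until it had sent SUCCESS to the caller. The function name `analyze` and its result keys are hypothetical; the first two samples are excerpted from the debug output quoted above, and the third is constructed.

```python
import re
EVENT = re.compile(r"CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id \d+")
DIRECTION = re.compile(r"Treating connection as a (callin|callout)")

def analyze(debug_text):
    """Summarize one router's 'debug ppp authentication' output for one call."""
    direction, waited, events = None, False, []
    for line in debug_text.splitlines():
        if (m := DIRECTION.search(line)):
            direction = m.group(1)
        if "Waiting for peer to authenticate first" in line:
            waited = True
        if (m := EVENT.search(line)):
            events.append(m.groups())          # e.g. ("O", "RESPONSE")
    def pos(ev):
        return events.index(ev) if ev in events else None
    resp, succ = pos(("O", "RESPONSE")), pos(("O", "SUCCESS"))
    # Deferred: this router sent its RESPONSE only after sending SUCCESS to the peer.
    deferred = resp is not None and succ is not None and succ < resp
    return {"direction": direction, "waited": waited, "deferred": deferred,
            "answered_before_peer_authenticated":
                direction == "callin" and resp is not None and not deferred}

# R6 as the called router (excerpt of the thread's debug output).
R6_CALLIN = """\
*Mar 11 06:37:34.860: BR0/0:1 PPP: Treating connection as a callin
*Mar 11 06:37:34.976: BR0/0:1 CHAP: I CHALLENGE id 8 len 23 from "r5"
*Mar 11 06:37:34.980: BR0/0:1 CHAP: Waiting for peer to authenticate first
*Mar 11 06:37:34.988: BR0/0:1 CHAP: I RESPONSE id 8 len 23 from "r5"
*Mar 11 06:37:34.988: BR0/0:1 CHAP: O SUCCESS id 8 len 4
*Mar 11 06:37:34.992: BR0/0:1 CHAP: Processing saved Challenge, id 8
*Mar 11 06:37:34.992: BR0/0:1 CHAP: O RESPONSE id 8 len 23 from "r6"
"""
# R5 as the calling router on the same call (excerpt of the thread's debug output).
R5_CALLOUT = """\
*Mar 11 06:37:39.860: BR0/0:1 PPP: Treating connection as a callout
*Mar 11 06:37:39.880: BR0/0:1 CHAP: I CHALLENGE id 8 len 23 from "r6"
*Mar 11 06:37:39.884: BR0/0:1 CHAP: O RESPONSE id 8 len 23 from "r5"
*Mar 11 06:37:39.896: BR0/0:1 CHAP: I SUCCESS id 8 len 4
*Mar 11 06:37:39.900: BR0/0:1 CHAP: I RESPONSE id 8 len 23 from "r6"
*Mar 11 06:37:39.904: BR0/0:1 CHAP: O SUCCESS id 8 len 4
"""
# Constructed sample (not from the thread): a called router that answers first.
CONSTRUCTED_NO_WAIT = """\
BR0/0:1 PPP: Treating connection as a callin
BR0/0:1 CHAP: I CHALLENGE id 1 len 23 from "caller"
BR0/0:1 CHAP: O RESPONSE id 1 len 23 from "r6"
"""
```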



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3