RE: PPP Chap Authentication (callin, callout, callback)

From: Chris Lewis \(chrlewis\) (chrlewis@cisco.com)
Date: Mon Jun 27 2005 - 11:02:53 GMT-3

• Next message: SAkalaev@IBS.RU: "CAR with burst in Kbps"
• Previous message: Lee Carter: "Re: 2 methods to prune"
• Maybe in reply to: Lee Carter: "PPP Chap Authentication (callin, callout, callback)"
• Next in thread: Syv Ritch: "Re: PPP Chap Authentication (callin, callout, callback)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Dear All:

First, I'd advise separating callin/callout from callback, they are
different things. Callback can be implemented using ISDN or PPP and
drops an incoming call then calls back to the originating router.

To understand callin and callout, you need to understand how CHAP
authentication works, and know haw an interface behaves when configured
with ppp authentication chap and without this command.

The basics are as follows:

With no ppp authentication chap, an interface will still respond to a
chap challenge, but it will not send a challenge.
With ppp authentication chap configured, the interface will both respond
to challenges and initiate a challenge
With callout, a challenge will only be sent when the router is
initiating a call
With callin, the challenge will only be sent when the router is
receiving a call
The only way to stop an interface from responding to a chap challenge is
to configure ppp chap refuse

Chris

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Han Ghee Chia
Sent: Monday, June 27, 2005 3:14 AM
To: Lee Carter; CCIE LAB
Subject: Re: PPP Chap Authentication (callin, callout, callback)

As per my interpretation: -
 
"R1 does not need to authenticate R2 when calling" -
 
- requirement is asking for 1-way authentication
- R1 is the calling party (initiating)
- R2 is the called party (receiving)
- R2 will authenticate R1, however R1 will not. (ppp authentication chap
callin)
 
Look out for key words like "secure" or "3-way handshake" for CHAP. PAP
is considered unsecure and uses 2-way handshaking.
 
Question: If nothing is mentioned about authentication &/ security,
should we: - 1. Don't configure any PPP authentication at all, OR 2. Use
either CHAP or PAP ???
 
"Callout" - use on a local router context, means the router will
initiate the call.
 
"Callback" is quite simple to spot if one understands what callback is
about.
 
Normally, part 2 of the ISDN section deals with DDR. From there, you
will have a better idea of who should call who and when. So it is
important to read and understand both parts of this section before you
begin your configuration.
 
 
Regards
Han Ghee

Lee Carter <l2carter@yahoo.com> wrote:
Does anyone have a good way to know which type of authentication is
required depending on what is asked?

What I mean is, I am having a heack of a time trying to distinguish
between (callin, callout, callback) authentications.

Things like R1 does not need to Authenticate R2 when calling. (callin,
callout?)

Thanks,

• Next message: SAkalaev@IBS.RU: "CAR with burst in Kbps"
• Previous message: Lee Carter: "Re: 2 methods to prune"
• Maybe in reply to: Lee Carter: "PPP Chap Authentication (callin, callout, callback)"
• Next in thread: Syv Ritch: "Re: PPP Chap Authentication (callin, callout, callback)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:44 GMT-3