RE: PPP Chap Authentication (callin, callout, callback)

From: Lee Carter (l2carter@yahoo.com)
Date: Mon Jun 27 2005 - 14:11:05 GMT-3


Chris,

Thanks, this is exactly what I was looking for. Now, I
have one more question regarding authentication and
ppp.

I have a scenario where R2 is to dial R5. R2 is NOT to
challenge R5... Also, other requirements state that R5
is not allowed to call R2. So, remote side only has
dialer map name R2 broadcast.... no numbers so it
can't call R2. R5 also has user R2 password isdn
configured for CHAP authentication because R5 WILL
challenge R2.

R2, I configure the BRI interface with only enca ppp
(no ppp authentication chap) this will fulfill the
requirement... Or I could do "callin" but R5 will
never really call R2 so why do that...

When I remove user R5 from R2's local database the PPP
authentication fails. This is (I believe) because R2
has nothing to generate a HASH with... So should I use
ppp chap hostname R2 and password isdn or do I still
need the R5 username? .. I guess.. What's best
practice or solution for this situation?

Both seemed to work in my lab and I personally think
the second method (hostname R2 / password isdn) is
the best but am looking for opinions here.

Thanks,

Lee

--- "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
wrote:

> Dear All:
>
> First, I'd advise separating callin/callout from
> callback, they are
> different things. Callback can be implemented using
> ISDN or PPP and
> drops an incoming call then calls back to the
> originating router.
>
> To understand callin and callout, you need to
> understand how CHAP
> authentication works, and know how an interface
> behaves when configured
> with ppp authentication chap and without this
> command.
>
> The basics are as follows:
>
> With no ppp authentication chap, an interface will
> still respond to a
> chap challenge, but it will not send a challenge.
> With ppp authentication chap configured, the
> interface will both respond
> to challenges and initiate a challenge
> With callout, a challenge will only be sent when the
> router is
> initiating a call
> With callin, the challenge will only be sent when
> the router is
> receiving a call
> The only way to stop an interface from responding to
> a chap challenge is
> to configure ppp chap refuse
>
> Chris
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Han Ghee Chia
> Sent: Monday, June 27, 2005 3:14 AM
> To: Lee Carter; CCIE LAB
> Subject: Re: PPP Chap Authentication (callin,
> callout, callback)
>
> As per my interpretation: -
>
> "R1 does not need to authenticate R2 when calling" -
>
> - requirement is asking for 1-way authentication
> - R1 is the calling party (initiating)
> - R2 is the called party (receiving)
> - R2 will authenticate R1, however R1 will not. (ppp
> authentication chap
> callin)
>
> Look out for key words like "secure" or "3-way
> handshake" for CHAP. PAP
> is considered unsecure and uses 2-way handshaking.
>
> Question: If nothing is mentioned about
> authentication &/ security,
> should we: - 1. Don't configure any PPP
> authentication at all, OR 2. Use
> either CHAP or PAP ???
>
> "Callout" - use on a local router context, means the
> router will
> initiate the call.
>
> "Callback" is quite simple to spot if one
> understands what callback is
> about.
>
> Normally, part 2 of the ISDN section deals with DDR.
> From there, you
> will have a better idea of who should call who and
> when. So it is
> important to read and understand both parts of this
> section before you
> begin your configuration.
>
>
> Regards
> Han Ghee
>
> Lee Carter <l2carter@yahoo.com> wrote:
> Does anyone have a good way to know which type of
> authentication is
> required depending on what is asked?
>
>
> What I mean is, I am having a heck of a time trying
> to distinguish
> between (callin, callout, callback) authentications.
>
>
> Things like R1 does not need to Authenticate R2 when
> calling. (callin,
> callout?)
>
> Thanks,
>
>
>
>
>
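
The one-way CHAP exchange discussed in this thread (R5 challenges R2, R2 never challenges R5), as an added example that is not part of the original messages. It is a simplified model: the `Router` class, its lookup order and the `chap_password` fallback (standing in for `ppp chap password`) are assumptions for illustration; the router names and the secret `isdn` are taken from the thread.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, name, users=None, chap_password=None):
        self.name = name                    # name sent in CHAP packets
        self.users = users or {}            # "username <peer> password <secret>" entries
        self.chap_password = chap_password  # fallback secret (models "ppp chap password")

    def respond(self, ident, challenge, challenger_name):
        # The responder picks its secret by the name in the challenge;
        # with no entry and no fallback there is nothing to hash with.
        secret = self.users.get(challenger_name, self.chap_password)
        if secret is None:
            return None
        return self.name, chap_response(ident, secret, challenge)

    def verify(self, ident, challenge, reply):
        # The authenticator looks up the secret by the name in the response.
        if reply is None:
            return False
        peer_name, digest = reply
        secret = self.users.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, digest)


def one_way_chap(caller, called):
    """The called router challenges the caller; True means the caller passed."""
    ident, challenge = 1, os.urandom(16)
    reply = caller.respond(ident, challenge, called.name)
    return called.verify(ident, challenge, reply)


if __name__ == "__main__":
    r5 = Router("R5", users={"R2": "isdn"})
    print(one_way_chap(Router("R2", users={"R5": "isdn"}), r5))   # username R5 on R2
    print(one_way_chap(Router("R2"), r5))                         # entry removed
    print(one_way_chap(Router("R2", chap_password="isdn"), r5))   # fallback secret
```

In this model R5 only ever verifies and R2 only ever responds, so R2 needs a secret to hash with but no challenge of its own.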



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:44 GMT-3