From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Jul 26 2005 - 16:51:53 GMT-3

Yeah it's working:

*Jul 27 00:46:18.821: Se1/1:1 CHAP: O CHALLENGE id 66 len 23 from "RA"
*Jul 27 00:46:18.825: Se1/1:1 CHAP: I RESPONSE id 66 len 23 from "RB"
*Jul 27 00:46:18.825: Se1/1:1 CHAP: O SUCCESS id 66 len 4

The password is probably just a hash of the magic number:

Se1/1:1 LCP: O CONFREQ [Closed] id 95 len 15
Se1/1:1 LCP: AuthProto CHAP (0x0305C22305)
Se1/1:1 LCP: MagicNumber 0x0956BE91 (0x05060956BE91)
Se1/1:1 LCP: I CONFACK [REQsent] id 95 len 15
Se1/1:1 LCP: AuthProto CHAP (0x0305C22305)
Se1/1:1 LCP: MagicNumber 0x0956BE91 (0x05060956BE91)
Se1/1:1 LCP: I CONFREQ [ACKrcvd] id 114 len 10
Se1/1:1 LCP: MagicNumber 0x52EB0860 (0x050652EB0860)
Se1/1:1 LCP: O CONFACK [ACKrcvd] id 114 len 10
Se1/1:1 LCP: MagicNumber 0x52EB0860

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: Rohan Grover (rohang) [mailto:rohang@cisco.com]
> Sent: Tuesday, July 26, 2005 2:31 PM
> To: Brian McGahan; Group Study
> Subject: RE: CHAP Authentication
>
> Hi Brian,
>
> The configs are as follows
>
> =====================================
>
> R1
> ----
> RA#sh run int s1/1:1
> Building configuration...
>
> Current configuration : 108 bytes
> !
> interface Serial1/1:1
> ip address 22.0.0.1 255.255.255.0
> encapsulation ppp
> ppp authentication chap
> end
>
> RA#sh run | i username
> username RB
> RA#
>
>
> R2
> --
> RB#sh run int s1/1:1
> Building configuration...
>
> Current configuration : 83 bytes
> !
> interface Serial1/1:1
> ip address 22.0.0.2 255.255.255.0
> encapsulation ppp
> end
>
> RB#sh run | i username
> username RA
> RB#
>
> Debugs
> --------
>
> *Jul 27 07:46:17: %SYS-5-CONFIG_I: Configured from console by console
> *Jul 27 07:46:18: %LINK-3-UPDOWN: Interface Serial1/1:1, changed state
> to up
> *Jul 27 00:46:18.821: Se1/1:1 PPP: Using default call direction
> *Jul 27 00:46:18.821: Se1/1:1 PPP: Treating connection as a dedicated
> line
> *Jul 27 00:46:18.821: Se1/1:1 PPP: Phase is ESTABLISHING, Active Open
> *Jul 27 00:46:18.821: Se1/1:1 PPP: Authorization required
> *Jul 27 00:46:18.821: Se1/1:1 LCP: O CONFREQ [Closed] id 95 len 15
> *Jul 27 00:46:18.821: Se1/1:1 LCP: AuthProto CHAP (0x0305C22305)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: MagicNumber 0x0956BE91
> (0x05060956BE91)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: I CONFACK [REQsent] id 95 len 15
> *Jul 27 00:46:18.821: Se1/1:1 LCP: AuthProto CHAP (0x0305C22305)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: MagicNumber 0x0956BE91
> (0x05060956BE91)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: I CONFREQ [ACKrcvd] id 114 len 10
> *Jul 27 00:46:18.821: Se1/1:1 LCP: MagicNumber 0x52EB0860
> (0x050652EB0860)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: O CONFACK [ACKrcvd] id 114 len 10
> *Jul 27 00:46:18.821: Se1/1:1 LCP: MagicNumber 0x52EB0860
> (0x050652EB0860)
> *Jul 27 00:46:18.821: Se1/1:1 LCP: State is Open
> *Jul 27 00:46:18.821: Se1/1:1 PPP: Phase is AUTHENTICATING, by this end
> *Jul 27 00:46:18.821: Se1/1:1 CHAP: O CHALLENGE id 66 len 23 from "RA"
> *Jul 27 00:46:18.825: Se1/1:1 CHAP: I RESPONSE id 66 len 23 from "RB"
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Phase is FORWARDING, Attempting
> Forward
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Phase is AUTHENTICATING,
> Unauthenticated User
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Sent CHAP LOGIN Request
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Received LOGIN Response PASS
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Phase is FORWARDING, Attempting
> Forward
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Phase is AUTHENTICATING,
> Authenticated User
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Sent LCP AUTHOR Request
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Sent IPCP AUTHOR Request
> *Jul 27 00:46:18.825: Se1/1:1 LCP: Received AAA AUTHOR Response PASS
> *Jul 27 00:46:18.825: Se1/1:1 IPCP: Received AAA AUTHOR Response PASS
> *Jul 27 00:46:18.825: Se1/1:1 CHAP: O SUCCESS id 66 len 4
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Phase is UP
> *Jul 27 00:46:18.825: Se1/1:1 IPCP: O CONFREQ [Closed] id 1 len 10
> *Jul 27 00:46:18.825: Se1/1:1 IPCP: Address 22.0.0.1 (0x030616000001)
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Sent CDPCP AUTHOR Request
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Process pending ncp packets
> *Jul 27 00:46:18.825: Se1/1:1 CDPCP: Received AAA AUTHOR Response PASS
> *Jul 27 00:46:18.825: Se1/1:1 CDPCP: O CONFREQ [Closed] id 1 len 4
> *Jul 27 00:46:18.825: Se1/1:1 IPCP: I CONFREQ [REQsent] id 1 len 10
> *Jul 27 00:46:18.825: Se1/1:1 IPCP: Address 22.0.0.2 (0x030616000002)
> *Jul 27 00:46:18.825: Se1/1:1 AAA/AUTHOR/IPCP: Start. Her address
> 22.0.0.2, we want 0.0.0.0
> *Jul 27 00:46:18.825: Se1/1:1 PPP: Sent IPCP AUTHOR Request
> *Jul 27 00:46:18.825: Se1/1:1 CDPCP: I CONFREQ [REQsent] id 1 len 4
> *Jul 27 00:46:18.825: Se1/1:1 CDPCP: O CONFACK [REQsent] id 1 len 4
> *Jul 27 00:46:18.825: Se1/1:1 CDPCP: I CONFACK [ACKsent] id 1 len 4
> *Jul 27 00:46:18.829: Se1/1:1 CDPCP: State is Open
> *Jul 27 00:46:18.829: Se1/1:1 AAA/AUTHOR/IPCP: Reject 22.0.0.2, using
> 0.0.0.0
> *Jul 27 00:46:18.829: Se1/1:1 AAA/AUTHOR/IPCP: Done. Her address
> 22.0.0.2, we want 0.0.0.0
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: O CONFACK [REQsent] id 1 len 10
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: Address 22.0.0.2 (0x030616000002)
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: I CONFACK [ACKsent] id 1 len 10
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: Address 22.0.0.1 (0x030616000001)
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: State is Open
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: Add link info for cef entry 22.0.0.2
> *Jul 27 00:46:18.829: Se1/1:1 IPCP: Install route to 22.0.0.2
>
> =====================
>
> thanks
> Rohan
>
> -----Original Message-----
> From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
> Sent: Wednesday, July 27, 2005 12:34 AM
> To: Rohan Grover (rohang); Group Study
> Subject: RE: CHAP Authentication
>
> Rohan,
>
> Probably it is hashing just the magic number. Normally the
> magic number is a seed for the hash of the password. In your case the
> password would be NULL. What does the "debug ppp authentication" and
> "debug ppp negotiation" output show?
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > Rohan Grover (rohang)
> > Sent: Tuesday, July 26, 2005 1:22 PM
> > To: Group Study
> > Subject: CHAP Authentication
> >
> > Hi,
> >
> > I have 2 routers (R1 & R2) back-back configured for PPP.
> >
> > 'ppp authentication chap' is only configured on R1.
> >
> > R1 has 'username R2' (no password) and R2 has 'username R1' (no
> > password)
> >
> > I see that authentication succeeds! How is this working without a
> > password?
> >
> > Enabling 'debug ppp authentication' lets me know that R2 is using
> > password from AAA, but I haven't configured AAA.
> >
> > Any idea on what is happening?
> >
> > Thanks
> > Rohan
> >
> >
>
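
Added example, not part of the original thread and not Cisco's code: RFC 1994 defines the CHAP response value as MD5 over the identifier, the shared secret and the challenge, so this sketch builds the three CHAP packets seen in the debug output and checks what an authenticator accepts when its stored secret is empty. The challenge bytes and the non-empty secret are constructed, and treating a `username` entry without a password as an empty secret is an assumption.

```python
import hashlib
import hmac
import struct

CHALLENGE, RESPONSE, SUCCESS = 1, 2, 3  # CHAP codes from RFC 1994


def chap_packet(code: int, ident: int, value: bytes = b"", name: bytes = b"") -> bytes:
    """Build a CHAP packet: Code, Identifier, Length, then Value-Size/Value/Name."""
    body = bytes([len(value)]) + value + name if code in (CHALLENGE, RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def authenticator_accepts(ident: int, stored_secret: bytes,
                          challenge: bytes, response: bytes) -> bool:
    """Recompute the expected value from the stored secret and compare."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    ident = 66                         # id shown in the debug output
    challenge = bytes(range(16))       # constructed 16-byte challenge value
    # A peer holding no secret computes its response over an empty string
    # (assumption: a passwordless username entry behaves this way).
    no_secret = chap_response(ident, b"", challenge)
    return {
        "challenge_len": len(chap_packet(CHALLENGE, ident, challenge, b"RA")),
        "response_len": len(chap_packet(RESPONSE, ident, no_secret, b"RB")),
        "success_len": len(chap_packet(SUCCESS, ident)),
        # Empty secret on both sides: the response proves nothing but passes.
        "empty_vs_empty": authenticator_accepts(ident, b"", challenge, no_secret),
        # Authenticator holds a real (constructed) secret: same response fails.
        "empty_vs_real": authenticator_accepts(ident, b"constructed-secret",
                                               challenge, no_secret),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The computed lengths (23, 23 and 4) match the `len` fields in the CHAP debug lines for two-byte hostnames and a 16-byte value; setting a password on both `username` entries is what makes the response depend on something an outsider does not know.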