From: Godswill Oletu (oletu@inbox.lv)
Date: Thu Aug 11 2005 - 14:53:57 GMT-3
Rohan,
You will be able to understand the concept better if you read how lock n
key, alias 'dynamic access list', works. From what I read on the doc cd, both
concepts look the same, with some enhancements when using 'double
authentication', e.g. using aaa for authentication & authorization instead of
using username/password & access lists; also there is an initial challenge
with double authentication before the telnet phase challenge.
With Lock n Key:
1. By default all access to the Network through the Router is denied
except for Telnet.
2. An access list is employed to define the ip address/network that is
allowed to initiate the telnet.
3. Username/Password commands will be used to authenticate the telnet session.
4. Autocommand/enable-access will launch the dynamic access list to provide
the access defined in the access-list and authorize network access.
Double Authentication.
1. All access to the Router will be challenged by the aaa server.
2. Only successfully aaa authenticated users will be granted telnet access.
3. The user will then telnet into the router just like in lock n key above
and be authenticated by the aaa server again.
4. Autocommand/access-profile command will be used to reauthorize the user
and necessary defined network access will be granted.
I have not labbed this scenario, but have worked on lock n key many times,
it will be interesting to lab this double authentication and see how it
plays out.
HTH
Godswill Oletu
----- Original Message -----
From: "Rohan Grover (rohang)" <rohang@cisco.com>
To: "Godswill Oletu" <oletu@inbox.lv>; <ccielab@groupstudy.com>
Sent: Thursday, August 11, 2005 10:45 AM
Subject: RE: PPP Double Authentication
Hi Godswill,
Thanks for replying. I think what you have described very clearly is PPP
2-way authentication versus PPP one-way authentication.
My question was related to this feature on the DocCD
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#1019008
Sorry if I was not clear in the initial post
Thanks
Rohan
-----Original Message-----
From: Godswill Oletu [mailto:oletu@inbox.lv]
Sent: Thursday, August 11, 2005 7:28 PM
To: Rohan Grover (rohang); ccielab@groupstudy.com
Subject: Re: PPP Double Authentication
Rohan,
Look at this simplified scenario between Routers A & B below, connected
via ISDN PPP; we will assume that all other configurations are accurate:
A#username routera password cisco
A#ppp authentication chap
B#username routerb password cisco
B#ppp authentication chap
When A calls B or B calls A, two sets of authentications have to take
place for the ISDN link to come up. Router A must authenticate Router
B and Router B will also authenticate Router A. So, for ppp it does not
matter if you are initiating the call or receiving the call, you must
authenticate the other party. This is the double authentication and this
is the default behaviour.
However, you can ask Router A to ONLY authenticate Router B when he
receives a call from Router B and not to authenticate when he is the one
initiating the call. This is a good scenario where your understanding of
this feature might be tested in the lab.
If you configure RouterB as:
B#ppp authentication chap callin
When Router B initiates a call to Router A; Router B will let its guards
down and will not authenticate Router A; but Router A will still
authenticate Router B. If it was Router A that called, Router B will
authenticate Router A and Router A will authenticate Router B.
You see that, no matter what, all incoming calls must be authenticated;
but outgoing calls will not be authenticated on the Router where you
configure the 'callin' feature. However, by default all incoming and
outgoing calls will be authenticated separately by each Router and the
results of each of those authentications must be true for the link to
come up.
HTH
....
Godswill Oletu
----- Original Message -----
From: "Rohan Grover (rohang)" <rohang@cisco.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, August 11, 2005 8:48 AM
Subject: PPP Double Authentication
> Hi,
>
> Just wanted an opinion from this group as to how likely the above topic
> is to appear in the R&S lab.
>
> I'm finding it difficult to understand this clearly and the doccd is not
> very helpful.
>
> Thanks
> Rohan
>
>
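The four Lock n Key steps listed in the first message of this thread, as an added IOS configuration sketch that is not from any of the posters. The username, password, list name LOCKNKEY, interface and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```cisco
! Added illustration of the four Lock n Key steps; every name, address
! and password below is constructed, not taken from the thread.
!
! Step 3: a local username/password authenticates the Telnet session.
username labuser password 0 ExamplePass1
!
! Step 4: after a successful login the autocommand runs access-enable,
! which creates a temporary entry in the dynamic list. The "host" keyword
! limits that entry to the address the user logged in from; the entry is
! removed after 10 idle minutes.
username labuser autocommand access-enable host timeout 10
!
! Step 1: all traffic entering this interface is filtered by list 101,
! which ends in the implicit deny, so only what the list permits passes.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Step 2: only this source network may open Telnet to the router itself.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq telnet
!
! Template for the temporary entries: what an authenticated host may
! reach once access-enable has fired. 15 minutes is the absolute lifetime
! of an entry, independent of the idle timeout above.
access-list 101 dynamic LOCKNKEY timeout 15 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Authenticate vty logins against the local username database.
line vty 0 4
 login local
```

After a successful login the router closes the Telnet session, and `show access-lists` lists the temporary entry under the dynamic name until one of the two timeouts expires.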
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:19 GMT-3