RE: PPP Chap Authentication (callin, callout, callback)

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Sep 01 2005 - 12:28:15 GMT-3


Lee,

        R2 will need "username R5 password xxx" regardless unless you
are forwarding the authentication to AAA. R5 can have either "ppp chap
password xxx" on the interface or the global command "username R2
password xxx". They both need the password configured so they can
generate the hash and compare the hash even if the authentication is
only one way.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lee Carter
> Sent: Monday, June 27, 2005 12:11 PM
> To: Chris Lewis (chrlewis); CCIE LAB
> Subject: RE: PPP Chap Authentication (callin, callout, callback)
>
> Chris,
>
> Thanks, this is exactly what I was looking for. Now, I
> have one more question regarding authentication and
> ppp.
>
>
> I have a scenario where R2 is to dial R5. R2 is NOT to
> challenge R5... Also, other requirements state that R5
> is not allowed to call R2. So, remote side only has
> dialer map name R2 broadcast.... no numbers so it
> can't call R2. R5 also has user R2 password isdn
> configured for CHAP authentication because R5 WILL
> challenge R2.
>
> R2, I configure the BRI interface with only enca ppp
> (no ppp authentication chap) this will fulfill the
> requirement... Or I could do "callin" but R5 will
> never really call R2 so why do that...
>
> When I remove user R5 from R2's local database the PPP
> authentication fails. This is (I believe) because R2
> has nothing to generate a HASH with... So should I use
> ppp chap hostname R2 and password isdn or do I still
> need the R5 username? .. I guess.. What's best
> practice or solution for this situation?
>
> Both seemed to work in my lab and I personally think
> the second method (hostname R2 / password isdn) is
> the best but am looking for opinions here.
>
> Thanks,
>
> Lee
>
>
>
> --- "Chris Lewis (chrlewis)" <chrlewis@cisco.com>
> wrote:
>
> > Dear All:
> >
> > First, I'd advise separating callin/callout from
> > callback, they are
> > different things. Callback can be implemented using
> > ISDN or PPP and
> > drops an incoming call then calls back to the
> > originating router.
> >
> > To understand callin and callout, you need to
> > understand how CHAP
> > authentication works, and know how an interface
> > behaves when configured
> > with ppp authentication chap and without this
> > command.
> >
> > The basics are as follows:
> >
> > - With no ppp authentication chap, an interface will still respond
> >   to a chap challenge, but it will not send a challenge.
> > - With ppp authentication chap configured, the interface will both
> >   respond to challenges and initiate a challenge.
> > - With callout, a challenge will only be sent when the router is
> >   initiating a call.
> > - With callin, the challenge will only be sent when the router is
> >   receiving a call.
> > - The only way to stop an interface from responding to a chap
> >   challenge is to configure ppp chap refuse.
> >
> > Chris
>
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Han Ghee Chia
> > Sent: Monday, June 27, 2005 3:14 AM
> > To: Lee Carter; CCIE LAB
> > Subject: Re: PPP Chap Authentication (callin,
> > callout, callback)
> >
> > As per my interpretation: -
> >
> > "R1 does not need to authenticate R2 when calling" -
> >
> > - requirement is asking for 1-way authentication
> > - R1 is the calling party (initiating)
> > - R2 is the called party (receiving)
> > - R2 will authenticate R1, however R1 will not. (ppp
> > authentication chap
> > callin)
> >
> > Look out for key words like "secure" or "3-way
> > handshake" for CHAP. PAP
> > is considered unsecure and uses 2-way handshaking.
> >
> > Question: If nothing is mentioned about
> > authentication &/ security,
> > should we: - 1. Don't configure any PPP
> > authentication at all, OR 2. Use
> > either CHAP or PAP ???
> >
> > "Callout" - use on a local router context, means the
> > router will
> > initiate the call.
> >
> > "Callback" is quite simple to spot if one
> > understands what callback is
> > about.
> >
> > Normally, part 2 of the ISDN section deals with DDR.
> > From there, you
> > will have a better idea of who should call who and
> > when. So it is
> > important to read and understand both parts of this
> > section before you
> > begin your configuration.
> >
> >
> > Regards
> > Han Ghee
> >
> > Lee Carter <l2carter@yahoo.com> wrote:
> > Does anyone have a good way to know which type of
> > authentication is
> > required depending on what is asked?
> >
> >
> > What I mean is, I am having a heck of a time trying
> > to distinguish
> > between (callin, callout, callback) authentications.
> >
> >
> > Things like R1 does not need to Authenticate R2 when
> > calling. (callin,
> > callout?)
> >
> > Thanks,
> >
> >
> >
> >
> >
>
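
Added example, not part of the original thread: a small Python model of the challenge rules listed in Chris Lewis's message and of the hash exchange Brian McGahan's reply refers to, using the RFC 1994 MD5 response (Identifier, secret, Challenge). The names `Router`, `place_call`, `answer` and `verify` are hypothetical, and the secret lookup order in `answer` (a username entry for the challenger, then the interface CHAP password) is a simplifying assumption.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994, MD5 variant: hash over Identifier || secret || Challenge value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def sends_challenge(auth_mode, placing_call):
    # auth_mode: None = no "ppp authentication chap"; "both" = the plain command;
    # "callin" / "callout" = the keyword variants described in the thread.
    if auth_mode is None:
        return False
    if auth_mode == "callin":
        return not placing_call
    if auth_mode == "callout":
        return placing_call
    return True

class Router:
    def __init__(self, name, users=None, auth_mode=None, chap_password=None, refuse=False):
        self.name = name
        self.users = users or {}            # "username <peer> password <secret>"
        self.auth_mode = auth_mode
        self.chap_password = chap_password  # interface "ppp chap password <secret>"
        self.refuse = refuse                # "ppp chap refuse"

    def answer(self, challenger, ident, challenge):
        # Assumed lookup order: entry for the challenger's name, else interface password.
        secret = self.users.get(challenger, self.chap_password)
        if self.refuse or secret is None:
            return None                     # nothing to hash with, or refusing CHAP
        return chap_response(ident, secret, challenge)

    def verify(self, peer):
        ident, challenge = 1, os.urandom(16)
        response = peer.answer(self.name, ident, challenge)
        secret = self.users.get(peer.name)
        if response is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, challenge))

def place_call(caller, callee):
    # Returns {(authenticator, peer): passed} for each challenge actually sent.
    results = {}
    for auth, peer, placing in ((caller, callee, True), (callee, caller, False)):
        if sends_challenge(auth.auth_mode, placing):
            results[(auth.name, peer.name)] = auth.verify(peer)
    return results
```

In this model, `place_call(Router("R2", users={"R5": b"isdn"}), Router("R5", users={"R2": b"isdn"}, auth_mode="both"))` yields a single one-way result in which R5 authenticates R2, and removing R2's secret makes that same challenge fail.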


