Re: ppp chap wait

From: Sean C. (Upp_and_Upp@hotmail.com)
Date: Sun Sep 03 2006 - 23:44:41 ART


Ahh, very good. Ok, I think I was on the flip side, like Tim.

Thanks again,
Sean
----- Original Message -----
From: "sabrina pittarel" <sabri_esame@yahoo.com>
To: "Sean C." <Upp_and_Upp@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Sunday, September 03, 2006 2:28 PM
Subject: Re: ppp chap wait

If R1 calling:
 R1 calls R2 - R1 does not send auth creds to R2
 R2 rcvs call, R2 sends challenge to R1
 R1 replies to challenge, R2 validates R1's challenge reply.
 R1 does not authenticate R2.
 Both sides happy.

 Note: No mutual authentication with my solution. It is meant as an
alternative solution to "configure "ppp authentication" only on the
authenticator side" when you want unilateral authentication.

 debug ppp negotiation
 R1:
 Sep 3 21:07:36.938: Se1/1 PPP: No remote authentication for call-out
 <snip>
 Sep 3 21:07:36.938: Se1/1 LCP: State is Open
 Sep 3 21:07:36.938: Se1/1 PPP: Phase is AUTHENTICATING, by the peer

 R2:
 *Sep 3 21:07:37.422: Se1/3 LCP: State is Open
 *Sep 3 21:07:37.422: Se1/3 PPP: Phase is AUTHENTICATING, by this end

 Sabrina

----- Original Message ----
From: Sean C. <Upp_and_Upp@hotmail.com>
To: sabrina pittarel <sabri_esame@yahoo.com>
Cc: ccielab@groupstudy.com
Sent: Sunday, September 3, 2006 4:46:40 PM
Subject: Re: ppp chap wait

Sorry, I've understood the use of the commands. I'm trying to envision your
scenario that would require this task.

R1 - authenticating:
ppp direction callout
ppp authentication chap callin

R2 - the authenticator side
ppp direction callin
ppp authentication chap callin

If R1 calling:
R1 calls R2 - R1 does not send auth creds to R2 (yet)
R2 rcvs call, R2 sends its auth creds to R1
R1 rcvs auth R2's creds, R1 validates R2's auth creds, and R1 sends its
auth creds to R2
R2 rcvs R1's auth creds, R2 validates R1's auth creds
Both sides happy.

----- Original Message -----
From: "sabrina pittarel" <sabri_esame@yahoo.com>
To: "Sean C." <Upp_and_Upp@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Sunday, September 03, 2006 1:26 PM
Subject: Re: ppp chap wait

No,
 I was following along Petr's thought:
 "You need to set up one end as "ppp direction callin" and another
 as "ppp direction callout" to simulate "dialup" situation"

 Then in my case I configure the authenticator as a receiver of calls and
the authenticating side as the caller.

 Then I want the authenticating side never to send any challenge, so I
configure it as "ppp authentication chap callin". That command instructs the
router to authenticate on incoming calls only, but there won't be any
because the remote side has been configured as a receiver of calls
exclusively.

 Most likely "ppp authentication chap callin" is not required on the
authenticator since it won't make any "call out"; but it doesn't hurt.

 Sabrina

----- Original Message ----
From: Sean C. <Upp_and_Upp@hotmail.com>
To: sabrina pittarel <sabri_esame@yahoo.com>
Cc: ccielab@groupstudy.com
Sent: Sunday, September 3, 2006 3:48:18 PM
Subject: Re: ppp chap wait

 Hi Sabrina,

 Interesting thoughts. I'm wondering about one thing - are you thinking
that on the authenticating side, the command 'ppp direction callout' will
force the interface to send its CHAP credentials across the link? I'm
just trying to understand how the CHAP credentials will leave the
authenticating router since callin is applied to its chap authentication.

 Thx,
 Sean
    ----- Original Message -----
   From: sabrina pittarel
   To: Petr Lapukhov ; Sean C.
   Cc: Tim Chan ; ccielab@groupstudy.com
   Sent: Sunday, September 03, 2006 11:34 AM
   Subject: Re: ppp chap wait

      Now you got me thinking....I'm moving away a little from the ppp
chap wait command

Usually when we want one side to authenticate the other, but not
vice versa, we configure "ppp authentication" on the authenticator side and
only the ppp credentials on the remote.

Another way of implementing the same would be then to configure on
* the authenticator side

ppp direction callin
ppp authentication chap callin

* the authenticating side as:

ppp direction callout
ppp authentication chap callin

Assuming the task explicitly asks to meet the requirement while
configuring authentication on both sides.

Sabrina

   ----- Original Message ----
From: Petr Lapukhov <petr@internetworkexpert.com>
To: Sean C. <Upp_and_Upp@hotmail.com>
Cc: Tim Chan <timanji@yahoo.com>; ccielab@groupstudy.com
Sent: Sunday, September 3, 2006 7:19:23 AM
Subject: Re: ppp chap wait

   The trick is that it says "wait for caller".

If you have a leased line, ppp direction is "dedicated" by default,
and "chap wait" does make sense.

You need to set up one end as "ppp direction callin" and another
as "ppp direction callout" to simulate "dialup" situation.

HTH

2006/9/3, Sean C. <Upp_and_Upp@hotmail.com>:
>
> Hi Tim,
>
> There was a good thread on this last year on GS. Not sure if this will help
> you out, but pay attention to Marvin's last email:
> http://www.groupstudy.com/archives/ccielab/200503/threads.html#00604
>
> HTH,
> Sean
> ----- Original Message -----
> From: "Tim Chan" <timanji@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, September 02, 2006 4:19 PM
> Subject: ppp chap wait
>
>
> Hi all,
>
> I know this might seem a bit obvious, but can someone explain the command
> "ppp chap wait"?
>
> According to the doccd:
> "To specify that the router will not authenticate to a peer requesting CHAP
> authentication until after the peer has authenticated itself to the
> router."
>
> But it's also enabled by default. That being the case, if two routers are
> trying to authenticate each
> other, then wouldn't they never come up because they are both waiting for
> each other to authenticate first?
> (Which I know does not happen.)
>
> I'm asking because in IEWB lab 18, task 3.1 says to make sure that R4
> doesn't respond to chap
> authentication before R5 has been successfully authenticated.
>
> The definition of "ppp chap wait" would appear to be the solution, but it
> isn't.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
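
The one-way exchange discussed in the thread above (the call receiver challenges, the caller answers, the caller never challenges), as an added example that is not part of the original thread and is not IOS code. It is a simplified model: the `Router` class and `negotiate` function are hypothetical names, only the `callin`/`callout` directions are modelled, and the response hash follows RFC 1994 (MD5 over identifier, secret, challenge).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    direction: str             # "callin" or "callout" (models "ppp direction ...")
    secret: bytes              # CHAP secret this router has configured for the peer
    auth_chap: bool = True     # models "ppp authentication chap"
    callin_only: bool = True   # models the trailing "callin" keyword

    def will_challenge(self) -> bool:
        # With "callin", the peer is challenged only on calls this router receives.
        if not self.auth_chap:
            return False
        return (not self.callin_only) or self.direction == "callin"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over the Identifier octet, the secret, then the Challenge value.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def negotiate(a: Router, b: Router) -> list:
    """Return (authenticator, peer, ok) for every challenge that gets issued."""
    results = []
    for ident, (auth, peer) in enumerate(((a, b), (b, a)), start=1):
        if not auth.will_challenge():
            continue                       # this side never sends a challenge
        challenge = os.urandom(16)         # fresh, unpredictable challenge value
        response = chap_response(ident, peer.secret, challenge)
        expected = chap_response(ident, auth.secret, challenge)
        ok = hmac.compare_digest(response, expected)
        results.append((auth.name, peer.name, ok))
    return results


if __name__ == "__main__":
    # Constructed sample: R1 is the caller, R2 receives calls, both use "chap callin".
    r1 = Router("R1", "callout", b"constructed-secret")
    r2 = Router("R2", "callin", b"constructed-secret")
    for authenticator, peer, ok in negotiate(r1, r2):
        print(f"{authenticator} challenged {peer}: {'success' if ok else 'FAILED'}")
```

In this model only R2 authenticates R1, so R1 has no assurance about who answered the call; setting `callin_only=False` on both sides produces the mutual case.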



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART