From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Sun Aug 26 2007 - 14:37:30 ART
PPP authentication (CHAP, PAP, etc.) needs the actual password in order to
perform the authentication process (authenticate the remote device).
When the password is stored in clear text or even standard Cisco encrypted
format (service password-encryption) the router has or can easily get the
actual password to perform authentication. Now with the "secret" option
on the username command the password is used to generate an MD5 hash and
then the router discards the actual password. Now the PPP authentication
process does not have the actual password so it cannot properly perform
the authentication.
Brian Dennis, CCIE4 #2210 (R&S/ISP-Dial/Security/SP)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
>----- Original Message -----
Subject: ppp authentication chap and local secret
Date: Sun, August 26, 2007 3:34
From: "Bit Gossip" <bit.gossip@chello.nl>
> Expert,
> no way I can bring up a ppp link with authentication chap if the username is
> in the form:
> username pippo secret cisco
> It works fine instead if I use the form:
> username pippo password cisco
>
> Is it really the case or am I doing something wrong?
>
> I have tested on:
> C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(12)
> 7200 Software (C7200-IK9S-M), Version 12.4(12)
>
> Thanks,
> bit.
>
This archive was generated by hypermail 2.1.4 : Sat Sep 01 2007 - 11:32:13 ART
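
Added example, not part of the original thread: a Python model of the CHAP response calculation from RFC 1994, showing why an authenticator that keeps only a one-way hash of the password cannot check a peer's response. The `one_way_hash` helper, the salt and the record layout are assumptions made for illustration and do not reproduce the IOS `secret` storage format.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    # Hypothetical stand-in for a salted one-way password hash.
    return hashlib.md5(salt + password).digest()


def authenticator_check(stored, identifier, challenge, response) -> bool:
    """stored is ("cleartext", password) or ("hashed", digest).

    The expected response can only be recomputed from the shared secret
    itself, so a record that holds nothing but a digest is rejected.
    """
    kind, value = stored
    if kind != "cleartext":
        raise ValueError("CHAP needs the recoverable secret; only a hash is stored")
    expected = chap_response(identifier, value, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"cisco"                      # password from the post
    identifier, challenge = 1, os.urandom(16)
    peer = chap_response(identifier, password, challenge)  # remote side

    # Record that keeps the password: the check succeeds.
    ok_clear = authenticator_check(("cleartext", password),
                                   identifier, challenge, peer)

    # Record that keeps only a digest (constructed salt).
    digest = one_way_hash(password, b"constructed-salt")
    # Feeding the digest in as if it were the secret gives a different value.
    differs = chap_response(identifier, digest, challenge) != peer
    try:
        ok_hashed = authenticator_check(("hashed", digest),
                                        identifier, challenge, peer)
    except ValueError:
        ok_hashed = False
    return ok_clear, differs, ok_hashed


if __name__ == "__main__":
    print(demo())
```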