Re: PPP: ever seen this before?

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Sun Jul 13 2008 - 05:21:28 ART


The problem is that the same username and password you are sending in CLEAR
text using PAP are also configured globally in the same router (looks like
it's just a typo in your config, since you probably want to send Rack3R3).
That means that the global names could be used by R3 for CHAP authentication
(if R3 is configured for CHAP), and a malicious user can sniff the PAP exchange
and later *potentially* spoof CHAP credentials authenticating with R3.
AFAIK this warning only happens when you send a PAP name/password which
coincides with a globally configured username and password.

-- 
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com

2008/7/13 Marc La Porte <marc.a.laporte@gmail.com>:

> Rack3R3(config-if)# ppp pap sent-username Rack3R4 password CISCO
> PPP: Warning: You have chosen a username/password combination that
> is valid for CHAP. This is a potential security hole.
>
>
> complete config R3:
> username Rack3R4 password CISCO
> username Rack3R5 password CISCO
> !
> int multilink34
> ppp authentication pap
> ppp pap sent-username Rack3R4 password CISCO
> !
> int multilink35
> ppp authentication chap
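
An audit for the condition described in this reply, as an added example that is not part of the original thread: it flags any `ppp pap sent-username` whose name and password match a global `username` entry, and lists the interfaces that authenticate with CHAP. The sample config is constructed from the one quoted above, written in running-config form; `audit_pap_reuse` is a hypothetical helper name.

```python
import re

# Constructed sample: the R3 configuration quoted in the thread, in running-config form.
SAMPLE_CONFIG = """\
username Rack3R4 password CISCO
username Rack3R5 password CISCO
!
interface Multilink34
 ppp authentication pap
 ppp pap sent-username Rack3R4 password CISCO
!
interface Multilink35
 ppp authentication chap
"""

# Optional digit is the IOS encryption type (0 or 7); a missing type is treated as 0.
# Assumption: credentials are compared as stored; "username ... secret" lines are ignored.
CRED = r"(\S+) password (?:(\d) )?(\S+)$"
USER_RE = re.compile(r"^username " + CRED)
PAP_RE = re.compile(r"^ppp pap sent-username " + CRED)

def audit_pap_reuse(config_text):
    """Report PAP sent credentials that equal a global username/password pair."""
    lines = [l.strip() for l in config_text.splitlines()]
    users = set()
    for l in lines:
        m = USER_RE.match(l)
        if m:
            users.add((m.group(1), m.group(2) or "0", m.group(3)))
    chap_ifaces, findings, iface = [], [], None
    for l in lines:
        if l.startswith("interface "):
            iface = l.split()[1]
        elif l == "!":
            iface = None  # back at global configuration level
        elif l.startswith("ppp authentication") and "chap" in l.split():
            chap_ifaces.append(iface)
        else:
            m = PAP_RE.match(l)
            if m and (m.group(1), m.group(2) or "0", m.group(3)) in users:
                findings.append({"interface": iface, "username": m.group(1)})
    # CHAP interfaces may appear after the PAP one, so attach them at the end.
    return [dict(f, chap_interfaces=list(chap_ifaces)) for f in findings]

if __name__ == "__main__":
    for finding in audit_pap_reuse(SAMPLE_CONFIG):
        print(finding)
```

Sending a PAP name and password that do not match any global `username` entry returns an empty list.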


