From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Sun Jul 13 2008 - 05:50:56 ART
Hmm, for the PAP authentication, let's look at a simple case here:
R3--PPP--R4
On a PPP link and we want R4 to authenticate R3 using PAP.
Using the command "ppp authentication pap" on R4 we configure the
respective router to REQUIRE pap authentication from its peer. Using the
command "ppp pap sent-username" on R3 we configure the respective router to
SEND outbound credentials (username/password) to R4 when requested.
So it makes sense to configure the routers like this:
--
R3:
interface Serial x/y
 ppp pap sent-username R3 password CISCO

R4:
username R3 password CISCO
!
interface Serial x/y
 ppp authentication pap
--
Unless you have something tricky in mind it does not make sense for R3 to send R4's hostname and vice versa ;)
--
Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com

2008/7/13 Marc La Porte <marc.a.laporte@gmail.com>:
> Hi Petr,
>
> Thanks for the clarification, but it doesn't look like a typo though (unless
> my brain is out of order ;-)
> FYI, it's VOL3, Lab 6, Task 3.7.... and the config works...
>
> R3:
> username Rack3R4 password CISCO
> username Rack3R5 password CISCO
> !
> int multilink34
>  ppp authentication pap
>  ppp pap sent-username Rack3R4 password CISCO
> !
> int multilink35
>  ppp authentication chap
>
>
> R4:
> username Rack3R3 password CISCO
> !
> int multilink34
>  ppp authentication pap
>  ppp pap sent-username Rack3R3 password CISCO
>
>
> R5:
> username Rack3R3 password CISCO
> !
> int multilink35
>  ppp authentication chap
>
>
> Marc
>
>
> On Sun, Jul 13, 2008 at 10:21 AM, Petr Lapukhov <petr@internetworkexpert.com>
> wrote:
>
> > The problem is that the same username and password you are sending in CLEAR
> > text using PAP are also configured globally in the same router (looks like
> > it's just a typo in your config, since you probably want to send Rack3R3).
> > That means that the global names could be used by R3 for CHAP authentication
> > (if R3 is configured for CHAP), and malicious user can sniff PAP exchange
> > and later *potentially* spoof CHAP credentials authenticating with R3.
> > AFAIK this warning only happens when you send a PAP name/password which
> > coincides with globally configured username and password.
> >
> > --
> > Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> >
> > 2008/7/13 Marc La Porte <marc.a.laporte@gmail.com>:
> >
> >> Rack3R3(config-if)# ppp pap sent-username Rack3R4 password CISCO
> >> PPP: Warning: You have chosen a username/password combination that
> >> is valid for CHAP. This is a potential security hole.
> >>
> >>
> >> complete config R3:
> >> username Rack3R4 password CISCO
> >> username Rack3R5 password CISCO
> >> !
> >> int multilink34
> >>  ppp authentication pap
> >>  ppp pap sent-username Rack3R4 password CISCO
> >> !
> >> int multilink35
> >>  ppp authentication chap
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

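A configuration audit for the overlap discussed in this thread, as an added example that is not part of the original messages: it flags any "ppp pap sent-username" whose name and password also appear as a global "username" entry on the same router. The function name is hypothetical, the two sample configs are constructed from the ones posted above, and only cleartext passwords are compared (an assumption).

```python
import re

# Constructed sample: R3 as posted by Marc (PAP name/password also in local database).
MARC_R3 = """\
username Rack3R4 password CISCO
username Rack3R5 password CISCO
!
int multilink34
 ppp authentication pap
 ppp pap sent-username Rack3R4 password CISCO
!
int multilink35
 ppp authentication chap
"""

# Constructed sample: R3 as suggested by Petr (sent name is not a local user).
PETR_R3 = """\
interface Serial0/0
 ppp pap sent-username R3 password CISCO
"""

# Optional "0" is the cleartext type marker; encrypted forms will not match.
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+(?:0\s+)?(\S+)\s*$")
SENT_RE = re.compile(
    r"^ppp\s+pap\s+sent-username\s+(\S+)\s+password\s+(?:0\s+)?(\S+)\s*$")
INTF_RE = re.compile(r"^int(?:erface)?\s+(\S+)", re.I)

def find_pap_chap_overlap(config):
    """Return (interface, username) pairs whose PAP sent credentials
    equal a globally configured username/password on the same router."""
    global_users = {}   # username -> cleartext password
    sent = []           # (interface, username, password)
    current = None      # interface the parser is currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := INTF_RE.match(line):
            current = m.group(1)
        elif m := USER_RE.match(line):
            global_users[m.group(1)] = m.group(2)
        elif m := SENT_RE.match(line):
            sent.append((current, m.group(1), m.group(2)))
    # Credentials sent in clear by PAP that the local database also accepts.
    return [(i, u) for i, u, p in sent if global_users.get(u) == p]

if __name__ == "__main__":
    for name, cfg in (("Marc R3", MARC_R3), ("Petr R3", PETR_R3)):
        print(name, find_pap_chap_overlap(cfg))
```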
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART