From: Marc La Porte (marc.a.laporte@gmail.com)
Date: Sun Jul 13 2008 - 07:37:41 ART
Hi Petr,
Thanks for pointing out my mistake... those darn typos! ;-)
Marc
On Sun, Jul 13, 2008 at 10:50 AM, Petr Lapukhov <petr@internetworkexpert.com>
wrote:
> Hmm, for the PAP authentication, let's look at a simple case here:
>
>
> R3--PPP--R4
>
> On a PPP link and we want R4 to authenticate R3 using PAP.
>
> Using the command "ppp authentication pap" on R4 we configure the
> respective router to REQUIRE pap authentication from its peer. Using the
> command "ppp pap sent-username" on R3 we configure the respective router to
> SEND outbound credentials (username/password) to R4 when requested.
>
> So it makes sense to configure the routers like this:
>
> --
>
> R3:
> interface Serial x/y
> ppp pap sent-username R3 password CISCO
>
> R4:
> username R3 password CISCO
> !
> interface Serial x/y
> ppp authentication pap
>
> --
>
> Unless you have something tricky on mind it does not make sense for R3 to
> send R4's hostname and vice versa ;)
>
> --
> Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
>
> 2008/7/13 Marc La Porte <marc.a.laporte@gmail.com>:
>
>> Hi Petr,
>>
>> Thanks for the clarification, but it doesn't look like a typo though
>> (unless my brain is out of order ;-)
>> FYI, it's VOL3, Lab 6, Task 3.7.... and the config works...
>>
>> R3:
>> username Rack3R4 password CISCO
>> username Rack3R5 password CISCO
>> !
>> int multilink34
>> ppp authentication pap
>> ppp pap sent-username Rack3R4 password CISCO
>> !
>> int multilink35
>> ppp authentication chap
>>
>>
>> R4:
>> username Rack3R3 password CISCO
>> !
>> int multilink34
>> ppp authentication pap
>> ppp pap sent-username Rack3R3 password CISCO
>>
>>
>> R5:
>> username Rack3R3 password CISCO
>> !
>> int multilink35
>> ppp authentication chap
>>
>>
>> Marc
>>
>>
>> On Sun, Jul 13, 2008 at 10:21 AM, Petr Lapukhov <petr@internetworkexpert.com>
>> wrote:
>>
>> > The problem is that the same username and password you are sending in
>> > CLEAR text using PAP are also configured globally in the same router
>> > (looks like it's just a typo in your config, since you probably want to
>> > send Rack3R3). That means that the global names could be used by R3 for
>> > CHAP authentication (if R3 is configured for CHAP), and a malicious user
>> > can sniff the PAP exchange and later *potentially* spoof CHAP credentials,
>> > authenticating with R3.
>> > AFAIK this warning only happens when you send a PAP name/password which
>> > coincides with globally configured username and password.
>> >
>> > --
>> > Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
>> > petr@internetworkexpert.com
>> >
>> > Internetwork Expert, Inc.
>> > http://www.InternetworkExpert.com
>> >
>> > 2008/7/13 Marc La Porte <marc.a.laporte@gmail.com>:
>> >
>> >> Rack3R3(config-if)# ppp pap sent-username Rack3R4 password CISCO
>> >> PPP: Warning: You have chosen a username/password combination that
>> >> is valid for CHAP. This is a potential security hole.
>> >>
>> >>
>> >> complete config R3:
>> >> username Rack3R4 password CISCO
>> >> username Rack3R5 password CISCO
>> >> !
>> >> int multilink34
>> >> ppp authentication pap
>> >> ppp pap sent-username Rack3R4 password CISCO
>> >> !
>> >> int multilink35
>> >> ppp authentication chap
>> >>
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>>
>>
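A worked illustration of the point Petr makes in the thread above, added here as an example and not part of the original posts or of any IOS code: a PAP Authenticate-Request (RFC 1334) carries the peer-id and password in the clear, while a CHAP response (RFC 1994) is MD5(Identifier || secret || Challenge) with the secret looked up by name in the same global "username" table. So once a sniffer has read Rack3R4/CISCO off the PAP link, it can answer R3's CHAP challenge as Rack3R4. The hostnames and the password CISCO come from the configs quoted in the thread; the frame bytes, the challenge value and the small authenticator model are constructed for this example, and shares_chap_secret() models the condition the thread gives for the IOS warning, not IOS's actual check.

```python
"""Added example, not from the original thread: why sending PAP credentials
that match a global 'username' entry on the same router is a CHAP hole.

Hostnames and the password CISCO come from the configs in the thread; the
frame bytes, the CHAP challenge and the authenticator model are constructed."""
import hashlib
import struct

PAP_AUTH_REQ = 1        # PAP Authenticate-Request code (RFC 1334)


def build_pap_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Code(1) Id(1) Length(2)
    Peer-ID-Length(1) Peer-ID Passwd-Length(1) Password. Nothing is hashed."""
    pid, pwd = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_AUTH_REQ, identifier, 4 + len(body)) + body


def parse_pap_request(frame):
    """What a passive sniffer on the PAP link recovers: (peer_id, password)."""
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if code != PAP_AUTH_REQ or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pos = 4
    pid_len = frame[pos]
    peer_id = frame[pos + 1:pos + 1 + pid_len].decode()
    pos += 1 + pid_len
    pwd_len = frame[pos]
    password = frame[pos + 1:pos + 1 + pwd_len].decode()
    return peer_id, password


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_authenticator_accepts(global_usernames, peer_name, identifier,
                               challenge, response):
    """Model of the CHAP authenticator: the secret is looked up by the Name
    field of the Response in the global 'username <name> password <pw>' table
    and the hash is recomputed. Constructed for this example, not IOS code."""
    secret = global_usernames.get(peer_name)
    if secret is None:
        return False
    return chap_response(identifier, secret, challenge) == response


def shares_chap_secret(sent_username, sent_password, global_usernames):
    """Condition the thread gives for the IOS warning: the credentials PAP
    will send in the clear are also a global username/password pair, i.e.
    a CHAP secret this same router would accept for that name."""
    return global_usernames.get(sent_username) == sent_password


def demo():
    # R3's global table as posted in the thread (it holds R4's name).
    r3_globals = {"Rack3R4": "CISCO", "Rack3R5": "CISCO"}

    # As posted: R3 sends R4's name with the shared password -> warning condition.
    warn = shares_chap_secret("Rack3R4", "CISCO", r3_globals)
    # As intended: R3 sends its own name, for which it has no global entry.
    warn_fixed = shares_chap_secret("Rack3R3", "CISCO", r3_globals)

    # 1. Attacker sniffs the PAP exchange on multilink34.
    user, pw = parse_pap_request(build_pap_request(0x01, "Rack3R4", "CISCO"))

    # 2. Attacker later connects to R3 on a CHAP link claiming to be Rack3R4
    #    and answers R3's challenge with the password read off the PAP link.
    challenge = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed
    ident = 0x2A
    forged = chap_response(ident, pw, challenge)
    accepted = chap_authenticator_accepts(r3_globals, user, ident, challenge, forged)

    return {"warn": warn, "warn_fixed": warn_fixed,
            "sniffed": (user, pw), "chap_spoof_accepted": accepted}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the as-posted config trips the warning condition, the intended sent-username Rack3R3 does not, and the sniffed Rack3R4/CISCO pair is enough to pass R3's CHAP check for Rack3R4.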
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART