Re: Chap Authentication

From: Rick Mur (rick@rickmur.nl)
Date: Tue Aug 26 2008 - 02:48:53 ART


I know, the thing with the password is like PAP, but CHAP works the
same way; it only doesn't exchange the password right away.
The guy at the nightclub gives you a little piece of paper with
instructions (that's the challenge), you'll write down the password in
the way that the instructions tell you (hash value of the password)
and you give back the paper. The guy at the door reads the text, does
the same calculation, and if the result is the same as what you gave
him you'll get in :-)

That's about the simplest way I can explain this :-) I don't know
exactly how the challenge and challenge-response method work, you
should read the RFC (http://tools.ietf.org/html/rfc1994) for that ;-)

On 25 aug 2008, at 22:27, Mark Stephanus Chandra wrote:

> ooh I see,
>
> But in my understanding till now, CHAP authentication should do both
> ways.
> R1 has to authenticate to R3 and R3 also has to authenticate to
> R1. That's
> how CHAP works in my understanding.
>
> In your explanation, that means CHAP works like PAP, just one-way
> authentication; the difference is just in password hashing, because in
> CHAP the
> password uses MD5 and PAP uses clear text.
>
> Is this the right CHAP behaviour?
>
> Please correct me if I'm wrong
>
> Regards
>
> Mark Stephanus Chandra
>
>
>
> -----Original Message-----
> From: Rick Mur [mailto:rick@rickmur.nl]
> Sent: Tuesday, August 26, 2008 12:18 PM
> To: Mark Stephanus Chandra
> Cc: swm@emanon.com; ccielab@groupstudy.com
> Subject: Re: Chap Authentication
>
> In this case it's just R1 that requires R3 to authenticate, R1 will
> send traffic to R3 without authenticating first, but before R1 will
> send traffic back R1 first wants to authenticate with R3. If you do
> it both ways they both will authenticate each other.
>
> Compare it with some exclusive nightclub where you will have to know
> the password to get in. The guy at the door asks you a password and
> you answer, but you won't ask that guy for your password before you
> will go in :-)
>
>
> On 25 aug 2008, at 22:10, Mark Stephanus Chandra wrote:
>
>> But anyway guys, I have one last question.
>>
>> In my understanding, CHAP authentication works both ways, right?
>>
>> So in this example,
>>
>> Rack1R1
>>
>> username Rack1R3 password 0 CISCO
>> !
>> interface Serial0/1
>> ip address 163.1.13.1 255.255.255.0
>> encapsulation ppp
>> ppp authentication chap
>>
>> Rack1R3
>>
>> interface Serial1/2
>> ip address 163.1.13.3 255.255.255.0
>> encapsulation ppp
>> clock rate 64000
>> ppp chap password 0 CISCO
>>
>> Rack1R1 will send a CHAP challenge and Rack1R3 will reply with its default
>> hostname
>> Rack1R3 and password CISCO, which is listed on Rack1R1. And Rack1R1
>> actually
>> has to challenge back, right? And there is no username Rack1R1 on
>> Rack1R3?
>>
>> Could you please give me an explanation about how CHAP works
>> normally and in
>> this example?
>>
>> Thanks a lot
>>
>>
>> Regards
>>
>> Mark Stephanus Chandra
>>
>>
>>
>> -----Original Message-----
>> From: Rick Mur [mailto:rick@rickmur.nl]
>> Sent: Tuesday, August 26, 2008 11:46 AM
>> To: Mark Stephanus Chandra
>> Cc: swm@emanon.com; ccielab@groupstudy.com
>> Subject: Re: Chap Authentication
>>
>> It's a known fact that Dynamips might react a little differently with
>> serial links (you don't have to set the clock rate for example, it
>> will always work).
>>
>> I just tried it on a real rack and I tried it on Dynamips with the
>> following config and it worked right away.
>> If it didn't work on your Dynamips, you could try to stop the
>> process,
>> delete the temp files and start again.
>>
>> Rack1R1
>>
>> username Rack1R3 password 0 CISCO
>> !
>> interface Serial0/1
>> ip address 163.1.13.1 255.255.255.0
>> encapsulation ppp
>> ppp authentication chap
>>
>> Rack1R3
>>
>> interface Serial1/2
>> ip address 163.1.13.3 255.255.255.0
>> encapsulation ppp
>> clock rate 64000
>> ppp chap password 0 CISCO
>>
>>
>> Rick
>>
>> On 25 aug 2008, at 21:15, Mark Stephanus Chandra wrote:
>>
>>> Hi Scott,
>>>
>>> Thanks for replying, the debug said PPP authorization required.
>>>
>>> When I do ppp authentication chap on both routers, the line protocol
>>> just
>>> came up immediately.
>>>
>>> I do this in Dynamips, an IOS bug maybe?
>>>
>>> Regards
>>>
>>> Mark Stephanus Chandra
>>>
>>>
>>> -----Original Message-----
>>> From: Scott Morris [mailto:swm@emanon.com]
>>> Sent: Tuesday, August 26, 2008 10:58 AM
>>> To: 'Mark Stephanus Chandra'; ccielab@groupstudy.com
>>> Subject: RE: Chap Authentication
>>>
>>> What does your output from "debug ppp authentication" look like?
>>>
>>> Make sure you don't have a space after CISCO.
>>>
>>> It should work just fine. The lab I'm working on today did the same
>>> thing,
>>> works great.
>>>
>>> R2 will use its hostname by default (why you need to name) and then
>>> the
>>> password you specified.
>>>
>>> HTH,
>>>
>>>
>>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-ER
>>> Senior CCIE Instructor
>>>
>>> smorris@internetworkexpert.com
>>>
>>>
>>>
>>> Internetwork Expert, Inc.
>>> http://www.InternetworkExpert.com
>>> Toll Free: 877-224-8987
>>> Outside US: 775-826-4344
>>> Online Community: Communities are what life is all about.
>>> CCIE Blog: To avoid the filter, we don't list it, but people love
>>> it.
>>>
>>> Knowledge is power.
>>> Power corrupts.
>>> Study hard and be Eeeeviiiil......
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>>> Of Mark
>>> Stephanus Chandra
>>> Sent: Monday, August 25, 2008 11:38 PM
>>> To: ccielab@groupstudy.com
>>> Subject: Chap Authentication
>>>
>>> Dear Friends,
>>>
>>>
>>>
>>> Need Confirmation About CHAP Authentication in PPP Encapsulation.
>>>
>>>
>>>
>>> I have a lab topology R1 -----serial----------R2
>>>
>>>
>>>
>>> R1 has PPP encapsulation through R2
>>>
>>>
>>>
>>> I have a task to do:
>>>
>>> 1. Configure R1 to challenge Chap Authentication to R2
>>>
>>> 2. R2 should respond with password CISCO
>>>
>>> 3. no username command at R2
>>>
>>>
>>>
>>> The solution provided :
>>>
>>> R1.
>>>
>>>
>>>
>>> username R2 password CISCO
>>>
>>>
>>>
>>> interface serial
>>>
>>> encapsulation PPP
>>>
>>> clockrate 64000
>>>
>>> ppp authentication CHAP
>>>
>>>
>>>
>>> R2.
>>>
>>>
>>>
>>> interface serial
>>>
>>> encapsulation PPP
>>>
>>> ppp chap password CISCO
>>>
>>>
>>>
>>> I tried the solution but it cannot make my serial line protocol go
>>> up.
>>>
>>>
>>>
>>> My understanding about PPP CHAP authentication so far is that we
>>> need to
>>> authenticate the routers in both directions. So I think there is no way
>>> that we
>>> can get this authentication working without the 'username' command on R2.
>>>
>>>
>>>
>>> Because R1 needs to authenticate to R2 as well, right?
>>>
>>>
>>>
>>> But I also tried this solution of mine and it doesn't work either :)
>>> It makes me
>>> frustrated.
>>>
>>>
>>>
>>> Can anyone help ?
>>>
>>>
>>>
>>>
>>>
>>> Thanks in advance guys
>>>
>>>
>>>
>>>
>>>
>>> Regards
>>>
>>>
>>>
>>> Mark Stephanus Chandra
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
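To put the challenge/response that Rick describes at the top of this message into concrete terms, here is an added example: a small Python model of RFC 1994 CHAP (MD5) with the Rack1R1/Rack1R3 roles from the thread. This is not code from the posts, from Cisco IOS or from the RFC; the `Router` class, its `authenticate`/`chap_password`/`usernames` fields (an assumed mapping of the IOS commands used in the thread), the link simulation and the `CISCO` secret are all constructed for the example. Only the digest construction follows the RFC. The scenarios cover the one-way config that works, Scott's trailing-space warning, and Mark's question of what happens when both sides challenge but R3 has no `username` entry for R1.

```python
"""Toy model of RFC 1994 CHAP (MD5) as PPP uses it. Added example, not code
from the thread, Cisco IOS or the RFC. Hostnames, secrets and the link
simulation are constructed; PPP framing, LCP and retries are left out."""

import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 2.2: Response Value = MD5(Identifier | secret | Challenge Value).
    The secret never goes on the wire, only this digest; a recorded exchange
    still lets an observer guess the secret offline, so it must be strong."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Router:
    """One PPP peer. Assumed mapping of the thread's IOS commands:
      authenticate  -> 'ppp authentication chap' (this side challenges)
      chap_password -> 'ppp chap password ...'   (secret used when answering)
      usernames     -> 'username <peer> password ...' (peer name -> secret)"""

    def __init__(self, hostname: str, authenticate: bool = False,
                 chap_password: Optional[bytes] = None,
                 usernames: Optional[Dict[str, bytes]] = None) -> None:
        self.hostname = hostname
        self.authenticate = authenticate
        self.chap_password = chap_password
        self.usernames = usernames or {}
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes, str]:
        """Challenge packet: (Identifier, fresh random Challenge Value, our Name)."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        return ident, os.urandom(16), self.hostname

    def respond(self, ident: int, challenge: bytes,
                challenger_name: str) -> Optional[Tuple[int, bytes, str]]:
        """Answer with our hostname as Name. Like IOS, prefer the interface
        chap password, else the username entry for the challenger; with
        neither there is nothing to answer with."""
        secret = self.chap_password or self.usernames.get(challenger_name)
        if secret is None:
            return None
        return ident, chap_response(ident, secret, challenge), self.hostname

    def verify(self, ident: int, challenge: bytes, response: bytes,
               peer_name: str) -> bool:
        """Recompute the digest from the secret stored under the peer's Name and
        compare in constant time. Unknown Name or wrong secret -> Failure."""
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def authenticate_peer(authenticator: Router, peer: Router) -> bool:
    """One direction: authenticator challenges, peer responds, authenticator checks."""
    ident, value, name = authenticator.challenge()
    reply = peer.respond(ident, value, name)
    if reply is None:
        return False
    reply_id, response, peer_name = reply
    return reply_id == ident and authenticator.verify(ident, value, response, peer_name)


def link_comes_up(a: Router, b: Router) -> bool:
    """Authentication phase passes only if every side configured with
    'ppp authentication chap' succeeds in authenticating the other side."""
    ok = True
    if a.authenticate:
        ok = ok and authenticate_peer(a, b)
    if b.authenticate:
        ok = ok and authenticate_peer(b, a)
    return ok


def scenario_one_way() -> bool:
    # The thread's working config: R1 challenges, R3 answers with 'CISCO'.
    r1 = Router("Rack1R1", authenticate=True, usernames={"Rack1R3": b"CISCO"})
    r3 = Router("Rack1R3", chap_password=b"CISCO")
    return link_comes_up(r1, r3)


def scenario_trailing_space() -> bool:
    # Scott's warning: a stray space after CISCO changes the digest.
    r1 = Router("Rack1R1", authenticate=True, usernames={"Rack1R3": b"CISCO"})
    r3 = Router("Rack1R3", chap_password=b"CISCO ")
    return link_comes_up(r1, r3)


def scenario_mutual_no_username() -> bool:
    # Both sides challenge, but R3 has no username for Rack1R1 to verify R1 with.
    r1 = Router("Rack1R1", authenticate=True, usernames={"Rack1R3": b"CISCO"})
    r3 = Router("Rack1R3", authenticate=True, chap_password=b"CISCO")
    return link_comes_up(r1, r3)


def scenario_mutual_with_username() -> bool:
    # Two-way CHAP: each side holds a username entry for the other.
    r1 = Router("Rack1R1", authenticate=True, usernames={"Rack1R3": b"CISCO"})
    r3 = Router("Rack1R3", authenticate=True, usernames={"Rack1R1": b"CISCO"})
    return link_comes_up(r1, r3)


if __name__ == "__main__":
    for fn in (scenario_one_way, scenario_trailing_space,
               scenario_mutual_no_username, scenario_mutual_with_username):
        print(f"{fn.__name__}: {'up' if fn() else 'down'}")
```

Running the module prints one line per scenario; only the one-way config and the mutual config with a `username` entry on both sides come up, which is the behaviour the thread converges on. The `hmac.compare_digest` call in `verify` is a defender's habit rather than anything the RFC requires: it keeps the comparison time independent of how many leading bytes of a wrong response happen to match.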


This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART