Re: Chap Authentication

From: Bill Eyer (beyer@optonline.net)
Date: Wed Aug 27 2008 - 07:12:33 ART


Mark,

That's correct, CHAP is one way only. Most people configure it on both
routers, making it a quantity of 2 one way authentications.

Bill

Mark Stephanus Chandra wrote:
> ooh I see,
>
> But in my understanding till now, CHAP authentication should go both ways.
> R1 has to authenticate to R3 and R3 also has to authenticate to R1. That's
> how CHAP works in my understanding.
>
> In your explanation, that means CHAP works like PAP, just one-way
> authentication; the difference is just in password hashing, because in CHAP
> the password uses MD5 and PAP uses clear text.
>
> Is this the right CHAP behaviour?
>
> Please correct me if I'm wrong
>
> Regards
>
> Mark Stephanus Chandra
>
>
>
> -----Original Message-----
> From: Rick Mur [mailto:rick@rickmur.nl]
> Sent: Tuesday, August 26, 2008 12:18 PM
> To: Mark Stephanus Chandra
> Cc: swm@emanon.com; ccielab@groupstudy.com
> Subject: Re: Chap Authentication
>
> In this case it's just R1 that requires R3 to authenticate, R1 will
> send traffic to R3 without authenticating first, but before R1 will
> send traffic back R1 first wants to authenticate with R3. If you do
> it both ways they both will authenticate each other.
>
> Compare it with some exclusive nightclub where you will have to know
> the password to get in. The guy at the door asks you a password and
> you answer, but you won't ask that guy for your password before you
> will go in :-)
>
>
> On 25 aug 2008, at 22:10, Mark Stephanus Chandra wrote:
>
>
>> But anyway guys, I have one last question.
>>
>> In my understanding, CHAP authentication works both ways, right?
>>
>> So in this example,
>>
>> Rack1R1
>>
>> username Rack1R3 password 0 CISCO
>> !
>> interface Serial0/1
>> ip address 163.1.13.1 255.255.255.0
>> encapsulation ppp
>> ppp authentication chap
>>
>> Rack1R3
>>
>> interface Serial1/2
>> ip address 163.1.13.3 255.255.255.0
>> encapsulation ppp
>> clock rate 64000
>> ppp chap password 0 CISCO
>>
>> Rack1R1 will challenge CHAP and Rack1R3 will reply with its default hostname
>> Rack1R3 and password CISCO, which is listed on Rack1R1. And Rack1R1 actually
>> has to challenge back, right? And there is no username Rack1R1 on Rack1R3?
>>
>> Could you please give me an explanation about how CHAP works normally and in
>> this example?
>>
>> Thanks a lot
>>
>>
>> Regards
>>
>> Mark Stephanus Chandra
>>
>>
>>
>> -----Original Message-----
>> From: Rick Mur [mailto:rick@rickmur.nl]
>> Sent: Tuesday, August 26, 2008 11:46 AM
>> To: Mark Stephanus Chandra
>> Cc: swm@emanon.com; ccielab@groupstudy.com
>> Subject: Re: Chap Authentication
>>
>> It's a known fact that Dynamips might react a little differently with
>> serial links (you don't have to set the clock rate, for example; it
>> will always work)
>>
>> I just tried it on a real rack and I tried it on dynamips with the
>> following config and it worked right away.
>> If it didn't work on your dynamips, you could try to stop the process,
>> delete the temp files and start again.
>>
>> Rack1R1
>>
>> username Rack1R3 password 0 CISCO
>> !
>> interface Serial0/1
>> ip address 163.1.13.1 255.255.255.0
>> encapsulation ppp
>> ppp authentication chap
>>
>> Rack1R3
>>
>> interface Serial1/2
>> ip address 163.1.13.3 255.255.255.0
>> encapsulation ppp
>> clock rate 64000
>> ppp chap password 0 CISCO
>>
>>
>> Rick
>>
>> On 25 aug 2008, at 21:15, Mark Stephanus Chandra wrote:
>>
>>
>>> Hi Scott,
>>>
>>> Thanks for replying, the debug said PPP authorization required
>>>
>>> When I do ppp authentication chap on both routers, the line protocol just
>>> came up immediately.
>>>
>>> I do this in dynamips, IOS bug maybe?
>>>
>>> Regards
>>>
>>> Mark Stephanus Chandra
>>>
>>>
>>> -----Original Message-----
>>> From: Scott Morris [mailto:swm@emanon.com]
>>> Sent: Tuesday, August 26, 2008 10:58 AM
>>> To: 'Mark Stephanus Chandra'; ccielab@groupstudy.com
>>> Subject: RE: Chap Authentication
>>>
>>> What does your output from "debug ppp authentication" look like?
>>>
>>> Make sure you don't have a space after CISCO.
>>>
>>> It should work just fine. The lab I'm working on today did the same thing,
>>> works great.
>>>
>>> R2 will use its hostname by default (why you need to name it) and then the
>>> password you specified.
>>>
>>> HTH,
>>>
>>>
>>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
>>> CCSI/JNCI-M/JNCI-ER
>>> Senior CCIE Instructor
>>>
>>> smorris@internetworkexpert.com
>>>
>>>
>>>
>>> Internetwork Expert, Inc.
>>> http://www.InternetworkExpert.com
>>> Toll Free: 877-224-8987
>>> Outside US: 775-826-4344
>>> Online Community: Communities are what life is all about.
>>> CCIE Blog: To avoid the filter, we don't list it, but people love it.
>>>
>>> Knowledge is power.
>>> Power corrupts.
>>> Study hard and be Eeeeviiiil......
>>>
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>>> Of Mark
>>> Stephanus Chandra
>>> Sent: Monday, August 25, 2008 11:38 PM
>>> To: ccielab@groupstudy.com
>>> Subject: Chap Authentication
>>>
>>> Dear Friends,
>>>
>>> Need Confirmation About CHAP Authentication in PPP Encapsulation.
>>>
>>> I have a lab topology R1 -----serial----------R2
>>>
>>> R1 has PPP encapsulation through R2
>>>
>>> Have a task to do:
>>>
>>> 1. Configure R1 to challenge CHAP authentication to R2
>>> 2. R2 should respond with password CISCO
>>> 3. no username command at R2
>>>
>>> The solution provided:
>>>
>>> R1.
>>>
>>> username R2 password CISCO
>>>
>>> interface serial
>>> encapsulation PPP
>>> clockrate 64000
>>> ppp authentication CHAP
>>>
>>> R2.
>>>
>>> interface serial
>>> encapsulation PPP
>>> ppp chap password CISCO
>>>
>>> I tried the solution but it cannot make my serial line protocol go up.
>>>
>>> My understanding about PPP CHAP authentication so far is that we need to
>>> authenticate the routers in both directions. So I think there is no way that
>>> we can get this authentication working without the 'username' command on R2.
>>>
>>> Cause R1 needs to authenticate also to R2, right?
>>>
>>> But I also tried this solution of mine and it doesn't work either :)
>>> Makes me frustrated.
>>>
>>> Can anyone help?
>>>
>>> Thanks in advance guys
>>>
>>> Regards
>>>
>>> Mark Stephanus Chandra
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>>
>

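The point Bill and Rick make above, that CHAP is one one-way exchange per side that has `ppp authentication chap`, as an added Python model that is not code from anyone in the thread. The `Router` class and its secret-selection order are assumptions; only the response format (MD5 over identifier, secret and challenge) follows RFC 1994.

```python
# Added example (not from the thread): a minimal model of the CHAP exchange
# from RFC 1994, used to show why the R1/R3 configs quoted above give a
# one-way authentication and when a second 'username' entry becomes necessary.
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    """Hypothetical model of the three IOS knobs discussed in the thread."""
    def __init__(self, hostname, usernames=None, chap_password=None,
                 authenticate_peer=False):
        self.hostname = hostname
        self.usernames = dict(usernames or {})      # username <X> password <Y>
        self.chap_password = chap_password          # ppp chap password <Y>
        self.authenticate_peer = authenticate_peer  # ppp authentication chap

    def respond(self, ident, challenge, challenger):
        # Assumed secret selection: a 'username' entry matching the
        # challenger's name first, otherwise the 'ppp chap password'.
        secret = self.usernames.get(challenger, self.chap_password)
        if secret is None:
            return None                             # nothing to answer with
        return self.hostname, chap_response(ident, secret, challenge)

    def verify(self, ident, challenge, peer_name, response):
        # The challenger needs a 'username' entry for the NAME the peer sent.
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)

def one_way_auth(authenticator, peer, ident=1):
    """One CHAP exchange: authenticator challenges, peer answers, authenticator checks."""
    if not authenticator.authenticate_peer:
        return True                                 # no challenge is ever sent
    challenge = os.urandom(16)
    reply = peer.respond(ident, challenge, authenticator.hostname)
    if reply is None:
        return False
    peer_name, response = reply
    return authenticator.verify(ident, challenge, peer_name, response)

def link_comes_up(r_a, r_b):
    """Two-way CHAP is just two independent one-way exchanges."""
    return one_way_auth(r_a, r_b) and one_way_auth(r_b, r_a)
```

With the thread's configs, `link_comes_up` succeeds; turning on `ppp authentication chap` on Rack1R3 as well makes the second exchange fail until Rack1R3 gets a `username Rack1R1` entry, and a trailing space in the password (Scott's hint) fails the first one.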



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:32 ART