From: CCIE expert (aronccie@gmail.com)
Date: Tue Dec 23 2008 - 15:31:55 ARST
Hey group, haven't heard from anyone, but I finally got this figured out.
Looking at the debugs, the client was responding with the password in the
global config instead of the interface level password. So it looks like when
the server sends a challenge with its username, the client sees the username
and sends the password from the global config because it has precedence over
the interface config. If we configure the server with the ppp chap hostname
command, then the server will challenge with the hostname in the interface
level config. Therefore, the client will receive a challenge from the
interface level hostname, and the client won't see it in the global config and
will then use the interface level config. :)
Rack1R2(config-if)#
*Mar 1 00:12:16.971: Vi1 PPP: Using default call direction
*Mar 1 00:12:16.971: Vi1 PPP: Treating connection as a dedicated line
*Mar 1 00:12:16.975: Vi1 PPP: Session handle[3B000007] Session id[3]
*Mar 1 00:12:16.975: Vi1 PPP: Authorization required
*Mar 1 00:12:17.335: Vi1 PPP: No authorization without authentication
*Mar 1 00:12:17.515: Vi1 CHAP: I CHALLENGE id 3 len 28 from "Rack1R1"
*Mar 1 00:12:17.527: Vi1 CHAP: Using hostname from interface CHAP
*Mar 1 00:12:17.531: Vi1 CHAP: *Using password from AAA*
*Mar 1 00:12:17.531: Vi1 CHAP: O RESPONSE id 3 len 28 from "ROUTER2"
*Mar 1 00:12:17.759: Vi1 CHAP: I FAILURE id 3 len 25 msg is "Authentication
fai
On Sun, Dec 21, 2008 at 6:21 PM, CCIE expert <aronccie@gmail.com> wrote:
> Sorry I noticed I made a mistake on the description for
> "Break down one authentication at a time Rack1R1 is client Rack1R2 is the
> server for CHAP"
> should be
>
> Break down one authentication at a time Rack1R1 is server Rack1R2 is the
> client for CHAP I updated the email below
>
>
>
> On Sun, Dec 21, 2008 at 6:10 PM, CCIE expert <aronccie@gmail.com> wrote:
>
>> I tried to break up the config where I do only pap on one side and then
>> only chap on one side and it works without the ppp chap hostname. However,
>> when I put them together using the same config nothing happens unless I add
>> the ppp chap hostname to the chap server side.
>>
>> ppp chap hostname - from a server's perspective I will challenge with this
>> hostname, and if client I will respond to this hostname
>>
>> cisco - "To create a pool of dialup routers that all appear to be the same
>> host when authenticating with CHAP"
>>
>> Rack1R1 <---- Server for Chap authentication and client for PAP
>> authentication
>>
>> username ROUTER2 password 0 CISCO1
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 102 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.1 255.255.255.0
>> ppp authentication chap
>> ppp chap hostname Rackabc <-- It should work without it, but it
>> doesn't. If I change to any value except ROUTER2 it works
>> ppp pap sent-username Rack1R1 password 0 hello
>>
>>
>> Rack1R2 <---- Server for PAP authentication and Client for CHAP
>> authentication
>> username Rack1R1 password 0 hello <~~~ used for PAP this router being the
>> server
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 201 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.2 255.255.255.0
>> ppp authentication pap
>> ppp chap hostname ROUTER2
>> ppp chap password 0 CISCO1
>> !
>>
>> Without the ppp chap hostname on the server side
>> Virtual-Template1 192.168.1.1 YES manual down down
>>
>> Virtual-Access2 192.168.1.1 YES TFTP up down
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>> .....
>>
>> With ppp chap hostname on the server side
>>
>> Rack1R1(config-if)#ppp chap hostname Anything
>> Rack1R1(config-if)#
>> *Mar 1 02:25:19.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
>> Rack1R1(config-if)#do ping 192.168.1.2
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 40/83/144 ms
>>
>> Break down one authentication at a time Rack1R1 is client Rack1R2 is the
>> server for PAP
>>
>> Rack1R1
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 102 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.1 255.255.255.0
>> ppp pap sent-username Rack1R1 password 0 hello
>>
>>
>> Rack1R2 <---- Server for PAP authentication
>> username Rack1R1 password 0 hello
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 201 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.2 255.255.255.0
>> ppp authentication pap
>>
>> IT WORKS
>>
>> Rack1R2(config-if)#do ping 192.168.1.1
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 8/91/204 ms
>>
>>
>> Break down one authentication at a time Rack1R1 is server Rack1R2 is the
>> client for CHAP
>>
>>
>> Rack1R1 Server for Chap
>>
>> username ROUTER2 password 0 CISCO1
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 102 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.1 255.255.255.0
>> ppp authentication chap
>>
>>
>> Rack1R2
>> !
>> interface Serial1/0
>> no ip address
>> encapsulation frame-relay
>> frame-relay interface-dlci 201 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>> ip address 192.168.1.2 255.255.255.0
>> ppp chap hostname ROUTER2
>> ppp chap password 0 CISCO1
>>
>> IT WORKS
>> Rack1R2(config-if)#do ping 192.168.1.1
>>
>> Type escape sequence to abort.
>> Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 32/92/260 ms
>>
>> so why doesn't it work together?
>>
>>
>> Any guidance is much appreciated.
>>
>> Aron
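The password-selection rule Aron works out above (a global `username` entry matching the name in the CHALLENGE wins over the interface-level `ppp chap password`, so the server must challenge with a name the client does not hold a global entry for) can be checked against a small model of the one-way CHAP exchange. The following Python is an added example written for this archive page; it is not Cisco IOS code and not part of the thread. The hash is the RFC 1994 CHAP response value (MD5 over identifier, secret, challenge); the `Router` class, `run_chap`, `thread_scenario` and the fixed all-zero challenge are constructed for illustration, and the names and secrets (Rack1R1, Rack1R2, ROUTER2, CISCO1, hello) are the ones from the configs quoted above.

```python
"""Model of the CHAP password-precedence behaviour discussed in the thread.

Constructed example: hostnames and secrets come from the quoted configs,
the precedence rule from Aron's explanation, and the hashing from RFC 1994.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Router:
    """The CHAP-relevant slice of a router's configuration (a model, not IOS)."""
    hostname: str
    # global `username <name> password <pw>` entries
    usernames: Dict[str, str] = field(default_factory=dict)
    chap_hostname: Optional[str] = None   # interface-level `ppp chap hostname`
    chap_password: Optional[str] = None   # interface-level `ppp chap password`

    def chap_name(self) -> str:
        """Name carried in a CHALLENGE (as server) or RESPONSE (as client)."""
        return self.chap_hostname or self.hostname

    def secret_for(self, peer_name: str) -> Optional[str]:
        """Secret used to answer a challenge that names peer_name.

        Precedence observed in the thread: a matching global `username` entry
        wins; the interface-level `ppp chap password` is only the fallback."""
        return self.usernames.get(peer_name, self.chap_password)


def chap_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def run_chap(server: Router, client: Router, ident: int = 3,
             challenge: Optional[bytes] = None) -> Tuple[bool, str]:
    """One-way CHAP: server challenges, client responds, server verifies.

    Returns (success, explanation) so the reason for a failure is visible."""
    if challenge is None:
        challenge = os.urandom(16)          # fresh random challenge, as a real server would
    # 1. CHALLENGE carries the server's (possibly interface-level) name.
    name_in_challenge = server.chap_name()
    # 2. The client chooses its secret from that name and answers with its own name.
    client_secret = client.secret_for(name_in_challenge)
    if client_secret is None:
        return False, "client has no password to use for %r" % name_in_challenge
    response_name = client.chap_name()
    response_value = chap_hash(ident, client_secret, challenge)
    # 3. The server looks the responding name up in its username table and recomputes.
    expected_secret = server.usernames.get(response_name)
    if expected_secret is None:
        return False, "server has no username entry for %r" % response_name
    if chap_hash(ident, expected_secret, challenge) == response_value:
        return True, "SUCCESS: %r authenticated to %r" % (response_name, name_in_challenge)
    return False, ("FAILURE: hash mismatch; client answered %r with the password it "
                   "holds for that name, not the one the server expects for %r"
                   % (name_in_challenge, response_name))


def thread_scenario(server_chap_hostname: Optional[str]) -> Tuple[bool, str]:
    """Rack1R1 (CHAP server) challenging Rack1R2 (CHAP client), as in the thread.

    Rack1R2 also holds `username Rack1R1 password hello` for the PAP leg, which
    is exactly the entry that gets picked up when the challenge names Rack1R1."""
    rack1r1 = Router("Rack1R1", usernames={"ROUTER2": "CISCO1"},
                     chap_hostname=server_chap_hostname)
    rack1r2 = Router("Rack1R2", usernames={"Rack1R1": "hello"},
                     chap_hostname="ROUTER2", chap_password="CISCO1")
    # fixed challenge so the outcome is reproducible; any value works the same way
    return run_chap(rack1r1, rack1r2, ident=3, challenge=b"\x00" * 16)


if __name__ == "__main__":
    for cfg in (None, "Anything", "Rackabc"):
        ok, why = thread_scenario(cfg)
        print("ppp chap hostname %-9s -> %s" % (cfg, why))
```

With no `ppp chap hostname` on Rack1R1 the challenge names "Rack1R1", Rack1R2's PAP entry `username Rack1R1 password hello` is selected, and the server, which expects CISCO1 for ROUTER2, reports a mismatch; with `ppp chap hostname Anything` (or Rackabc) there is no matching global entry, the interface password CISCO1 is used and the exchange succeeds. The model also makes the defensive point explicit: a global `username` entry added for one protocol (PAP here) silently changes which secret CHAP sends, so keep per-peer names distinct across the two legs or expect this kind of failure.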
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:09 ARST