From: joe_astorino@comcast.net
Date: Mon Mar 09 2009 - 00:37:17 ARST
I'd be anxious to hear other responses to this, but from looking at the command reference it seems to me that "ppp chap wait" would be the best choice. Looking at "ppp direction callin", it does say that "If doing bidirectional authentication, PPP will wait to send its authentication credentials to the peer" but it does not specify that it will wait until the other side has authenticated. On the other hand, "ppp chap wait" specifically says that it will wait until the other side has authenticated.
- Joe
----- Original Message -----
From: "naveen M S" <navin.ms@gmail.com>
To: "Cisco certification" <ccielab@groupstudy.com>
Sent: Sunday, March 8, 2009 8:31:28 PM GMT -05:00 US/Canada Eastern
Subject: CHAP authentication direction
Group,
I am confused on the ppp chap commands used for authentication. Searched the
archives, but didn't find what I am looking for.
*Here is my lab task:*
- Configure PPP CHAP authentication b/n R4 and R5 using password CISCO
- Configure R4 so that it will not respond to a CHAP authentication request
before R5 has been successfully authenticated.
From the Doc CD, the "ppp chap wait" on R4 should have accomplished this
goal, but the solution uses "ppp direction callin" on R4 and "ppp direction
callout" on R5.
Can someone please explain the difference b/n "ppp chap wait" and "ppp
direction callin" and in what context each is used ?
Here are the results of some variations of these commands.
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:16:06.476: Se0/0/1 PPP: Using default call direction
*Mar 6 03:16:06.476: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:16:06.476: Se0/0/1 PPP: Session handle[300000F] Session id[20]
*Mar 6 03:16:06.476: Se0/0/1 PPP: Authorization required
*Mar 6 03:16:06.480: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state
to up
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O CHALLENGE id 21 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I CHALLENGE id 18 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:16:06.480: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O RESPONSE id 18 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I RESPONSE id 21 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I SUCCESS id 18 len 4
*Mar 6 03:16:06.480: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:06.480: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O SUCCESS id 21 len 4
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:07.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/1, changed state to up
R4 : configured "ppp chap wait" on R4 but "show run" didn't show that.
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:18:12.816: Se0/0/1 PPP: Using default call direction
*Mar 6 03:18:12.816: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:18:12.816: Se0/0/1 PPP: Session handle[63000010] Session id[21]
*Mar 6 03:18:12.816: Se0/0/1 PPP: Authorization required
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O CHALLENGE id 22 len 28 from "Rack1R4"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I CHALLENGE id 19 len 28 from "Rack1R5"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:18:12.816: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O RESPONSE id 19 len 28 from "Rack1R4"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I RESPONSE id 22 len 28 from "Rack1R5"
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I SUCCESS id 19 len 4
*Mar 6 03:18:12.816: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.816: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O SUCCESS id 22 len 4
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.820: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state
to up
*Mar 6 03:18:13.820: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/1, changed state to up
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
ppp direction callin
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
ppp direction callout
result of shut and no shut on R5
================================
*Mar 6 03:26:33.516: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state
to up
*Mar 6 03:26:33.516: Se0/0/1 PPP: Using configured call direction
*Mar 6 03:26:33.516: Se0/0/1 PPP: Treating connection as a callin
*Mar 6 03:26:33.516: Se0/0/1 PPP: Session handle[7A000011] Session id[23]
*Mar 6 03:26:33.516: Se0/0/1 PPP: Authorization required
*Mar 6 03:26:33.516: Se0/0/1 CHAP: O CHALLENGE id 23 len 28 from "Rack1R4"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I CHALLENGE id 20 len 28 from "Rack1R5"
**Mar 6 03:26:33.516: Se0/0/1 CHAP: Waiting for Peer to authenticate first*
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I RESPONSE id 23 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:26:33.516: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:26:33.516: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:26:33.520: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O RESPONSE id 20 len 28 from "Rack1R4"
*Mar 6 03:26:33.520: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:33.520: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O SUCCESS id 23 len 4
*Mar 6 03:26:33.520: Se0/0/1 CHAP: I SUCCESS id 20 len 4
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:34.520: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/1, changed state to up
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap callin
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap callout
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:29:16.352: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state
to up
*Mar 6 03:29:16.352: Se0/0/1 PPP: Using default call direction
*Mar 6 03:29:16.352: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:29:16.352: Se0/0/1 PPP: Session handle[E4000012] Session id[24]
*Mar 6 03:29:16.352: Se0/0/1 PPP: Authorization required
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O CHALLENGE id 24 len 28 from "Rack1R4"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I CHALLENGE id 21 len 28 from "Rack1R5"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:29:16.352: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O RESPONSE id 21 len 28 from "Rack1R4"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I RESPONSE id 24 len 28 from "Rack1R5"
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:29:16.352: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I SUCCESS id 21 len 4
*Mar 6 03:29:16.352: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:16.352: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O SUCCESS id 24 len 4
*Mar 6 03:29:16.356: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:29:16.356: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:29:16.356: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:17.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Serial0/0/1, changed state to up
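
Added example, not part of the original messages: a small check over `debug ppp authentication` output that reports whether the local router held back its own CHAP response until the peer's response had arrived and passed. The function names `events` and `waited_for_peer` are hypothetical, and treating "Received LOGIN Response PASS" as the point where the peer is authenticated is an assumption; the sample lines are excerpted from the first and third R4 captures above.

```python
import re

# CHAP packet lines as printed in the debug output quoted in the thread,
# e.g.: Se0/0/1 CHAP: O RESPONSE id 20 len 28 from "Rack1R4"
CHAP_RE = re.compile(r'CHAP: ([IO]) (CHALLENGE|RESPONSE|SUCCESS|FAILURE) id \d+')
# Assumption: this line marks the peer's response passing the local check.
LOGIN_PASS = "Received LOGIN Response PASS"

def events(log_text):
    """Ordered CHAP packet events plus the local 'peer passed' check.
    Line order is used, not timestamps: the captures share one millisecond."""
    out = []
    for line in log_text.splitlines():
        m = CHAP_RE.search(line)
        if m:
            out.append(m.group(1) + " " + m.group(2))
        elif LOGIN_PASS in line:
            out.append("LOGIN PASS")
    return out

def waited_for_peer(log_text):
    """True if this router sent its own CHAP response only after the peer's
    response had arrived and passed; None if it never sent a response."""
    ev = events(log_text)
    if "O RESPONSE" not in ev:
        return None
    before = ev[:ev.index("O RESPONSE")]
    return "I RESPONSE" in before and "LOGIN PASS" in before

# Excerpts from the R4 captures in the thread (first and third runs).
DEFAULT_RUN = '''\
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O CHALLENGE id 21 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I CHALLENGE id 18 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O RESPONSE id 18 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I RESPONSE id 21 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 PPP: Received LOGIN Response PASS
'''
CALLIN_RUN = '''\
*Mar 6 03:26:33.516: Se0/0/1 CHAP: O CHALLENGE id 23 len 28 from "Rack1R4"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I CHALLENGE id 20 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I RESPONSE id 23 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O RESPONSE id 20 len 28 from "Rack1R4"
'''

if __name__ == "__main__":
    for name, log in (("default", DEFAULT_RUN), ("callin", CALLIN_RUN)):
        print(name, events(log), waited_for_peer(log))
```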