From: Lloyd Ardoin (Lloyd@TheWizKid.biz)
Date: Mon Mar 09 2009 - 12:19:00 ARST
I did lab this up and watched the debug output. My findings were that when I
entered the ppp chap wait command and did a show run, the command was not
listed, which implies that is the default, and the authentication process looked
normal to me, meaning there was no indication that R4 was waiting on anything.
When I configured R4 with the ppp direction callin, the debug output
specifically listed the word 'passive' and it also included output that it
was waiting for R5 to authenticate. So based on the results I got, the correct
solution was the stated solution.
Lloyd
From: joe_astorino@comcast.net
Sent: Sun 3/8/2009 9:37 PM
To: naveen M S
Cc: Cisco certification
Subject: Re: CHAP authentication direction
I'd be anxious to hear other responses to this, but from looking at the
command-reference it seems to me that "ppp chap wait" would be the best
choice. Looking at "ppp direction callin", it does say that "If doing
bidirectional authentication, PPP will wait to send its authentication
credentials to the peer" but it does not specify that it will wait until the
other side has authenticated. On the other hand "ppp chap wait" specifically
says that it will wait until the other side has authenticated.
- Joe
----- Original Message -----
From: "naveen M S" <navin.ms@gmail.com>
To: "Cisco certification" <ccielab@groupstudy.com>
Sent: Sunday, March 8, 2009 8:31:28 PM GMT -05:00 US/Canada Eastern
Subject: CHAP authentication direction
Group,
I am confused on the ppp chap commands used for authentication. I searched the
archives, but didn't find what I am looking for.
*Here is my lab task:*
- Configure PPP CHAP authentication b/n R4 and R5 using password CISCO
- Configure R4 so that it will not respond to a CHAP authentication request
before R5 has been successfully authenticated.
From the Doc CD, the "ppp chap wait" on R4 should have accomplished this
goal, but the solution uses "ppp direction callin" on R4 and "ppp direction
callout" on R5.
Can someone please explain the difference b/n "ppp chap wait" and "ppp
direction callin" and in what context each is used ?
Here are the results of some variations of these commands.
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:16:06.476: Se0/0/1 PPP: Using default call direction
*Mar 6 03:16:06.476: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:16:06.476: Se0/0/1 PPP: Session handle[300000F] Session id[20]
*Mar 6 03:16:06.476: Se0/0/1 PPP: Authorization required
*Mar 6 03:16:06.480: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O CHALLENGE id 21 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I CHALLENGE id 18 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:16:06.480: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O RESPONSE id 18 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I RESPONSE id 21 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I SUCCESS id 18 len 4
*Mar 6 03:16:06.480: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:06.480: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O SUCCESS id 21 len 4
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:16:06.480: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:16:07.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R4 : configured "ppp chap wait" on R4 but "show run" didn't show that.
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:18:12.816: Se0/0/1 PPP: Using default call direction
*Mar 6 03:18:12.816: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:18:12.816: Se0/0/1 PPP: Session handle[63000010] Session id[21]
*Mar 6 03:18:12.816: Se0/0/1 PPP: Authorization required
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O CHALLENGE id 22 len 28 from "Rack1R4"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I CHALLENGE id 19 len 28 from "Rack1R5"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:18:12.816: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O RESPONSE id 19 len 28 from "Rack1R4"
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I RESPONSE id 22 len 28 from "Rack1R5"
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 CHAP: I SUCCESS id 19 len 4
*Mar 6 03:18:12.816: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.816: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.816: Se0/0/1 CHAP: O SUCCESS id 22 len 4
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:18:12.816: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:18:12.820: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Mar 6 03:18:13.820: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
ppp direction callin
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
ppp direction callout
result of shut and no shut on R5
================================
*Mar 6 03:26:33.516: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Mar 6 03:26:33.516: Se0/0/1 PPP: Using configured call direction
*Mar 6 03:26:33.516: Se0/0/1 PPP: Treating connection as a callin
*Mar 6 03:26:33.516: Se0/0/1 PPP: Session handle[7A000011] Session id[23]
*Mar 6 03:26:33.516: Se0/0/1 PPP: Authorization required
*Mar 6 03:26:33.516: Se0/0/1 CHAP: O CHALLENGE id 23 len 28 from "Rack1R4"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I CHALLENGE id 20 len 28 from "Rack1R5"
**Mar 6 03:26:33.516: Se0/0/1 CHAP: Waiting for Peer to authenticate first*
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I RESPONSE id 23 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:26:33.516: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:26:33.516: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:26:33.520: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O RESPONSE id 20 len 28 from "Rack1R4"
*Mar 6 03:26:33.520: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:33.520: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O SUCCESS id 23 len 4
*Mar 6 03:26:33.520: Se0/0/1 CHAP: I SUCCESS id 20 len 4
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:26:33.520: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:26:34.520: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R4
interface Serial0/0/1
ip address 149.1.45.4 255.255.255.0
encapsulation ppp
clock rate 2016000
ppp authentication chap callin
ppp chap hostname Rack1R4
ppp chap password 0 CISCO
R5
interface Serial0/0/1
ip address 149.1.45.5 255.255.255.0
encapsulation ppp
ppp authentication chap callout
ppp chap hostname Rack1R5
ppp chap password 0 CISCO
result of shut and no shut on R5
================================
*Mar 6 03:29:16.352: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Mar 6 03:29:16.352: Se0/0/1 PPP: Using default call direction
*Mar 6 03:29:16.352: Se0/0/1 PPP: Treating connection as a dedicated line
*Mar 6 03:29:16.352: Se0/0/1 PPP: Session handle[E4000012] Session id[24]
*Mar 6 03:29:16.352: Se0/0/1 PPP: Authorization required
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O CHALLENGE id 24 len 28 from "Rack1R4"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I CHALLENGE id 21 len 28 from "Rack1R5"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: Using hostname from interface CHAP
*Mar 6 03:29:16.352: Se0/0/1 CHAP: Using password from AAA
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O RESPONSE id 21 len 28 from "Rack1R4"
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I RESPONSE id 24 len 28 from "Rack1R5"
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:29:16.352: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent LCP AUTHOR Request
*Mar 6 03:29:16.352: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:29:16.352: Se0/0/1 CHAP: I SUCCESS id 21 len 4
*Mar 6 03:29:16.352: Se0/0/1 LCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:16.352: Se0/0/1 IPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:16.352: Se0/0/1 CHAP: O SUCCESS id 24 len 4
*Mar 6 03:29:16.356: Se0/0/1 PPP: Sent CDPCP AUTHOR Request
*Mar 6 03:29:16.356: Se0/0/1 PPP: Sent IPCP AUTHOR Request
*Mar 6 03:29:16.356: Se0/0/1 CDPCP: Received AAA AUTHOR Response PASS
*Mar 6 03:29:17.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
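
Added example, not part of the thread: a small Python check that reads R4's debug output and reports whether R4 sent its own CHAP response only after R5's response had passed local authentication, which is what the lab task asks for. The two inputs are trimmed excerpts of the debug captures quoted above; the function and variable names are this example's own, and treating "Received LOGIN Response PASS" as the point where the peer is authenticated is an assumption of the example.

```python
import re

# Patterns for the debug lines quoted in the thread.
OUT_RESPONSE = re.compile(r"CHAP: O RESPONSE id \d+")        # R4 answers R5's challenge
PEER_PASSED = re.compile(r"PPP: Received LOGIN Response PASS")  # assumed: peer verified
PASSIVE = re.compile(r"CHAP: Waiting for Peer to authenticate first")

# Excerpt of the first capture in the thread (no direction configured on R4).
DEFAULT_RUN = """\
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O CHALLENGE id 21 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I CHALLENGE id 18 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: O RESPONSE id 18 len 28 from "Rack1R4"
*Mar 6 03:16:06.480: Se0/0/1 CHAP: I RESPONSE id 21 len 28 from "Rack1R5"
*Mar 6 03:16:06.480: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:16:06.480: Se0/0/1 PPP: Received LOGIN Response PASS
"""

# Excerpt of the third capture in the thread ("ppp direction callin" on R4).
CALLIN_RUN = """\
*Mar 6 03:26:33.516: Se0/0/1 CHAP: O CHALLENGE id 23 len 28 from "Rack1R4"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I CHALLENGE id 20 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 CHAP: Waiting for Peer to authenticate first
*Mar 6 03:26:33.516: Se0/0/1 CHAP: I RESPONSE id 23 len 28 from "Rack1R5"
*Mar 6 03:26:33.516: Se0/0/1 PPP: Sent CHAP LOGIN Request
*Mar 6 03:26:33.516: Se0/0/1 PPP: Received LOGIN Response PASS
*Mar 6 03:26:33.520: Se0/0/1 CHAP: O RESPONSE id 20 len 28 from "Rack1R4"
"""

def chap_order(debug_text):
    """Report whether the local router held its CHAP response until the peer passed.

    Events often share one millisecond timestamp, so ordering is taken from
    line position in the capture rather than from the timestamps.
    """
    peer_ok_at = our_response_at = None
    passive = False
    for n, line in enumerate(debug_text.splitlines()):
        if PASSIVE.search(line):
            passive = True
        elif PEER_PASSED.search(line) and peer_ok_at is None:
            peer_ok_at = n
        elif OUT_RESPONSE.search(line) and our_response_at is None:
            our_response_at = n
    waited = (peer_ok_at is not None and our_response_at is not None
              and peer_ok_at < our_response_at)
    return {"passive_message": passive, "waited_for_peer": waited}

if __name__ == "__main__":
    for name, capture in (("default", DEFAULT_RUN), ("callin", CALLIN_RUN)):
        print(name, chap_order(capture))
```
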