Re: PPP Unidirectional authentication

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Fri, 16 Dec 2011 09:54:33 -0500

I believe you need "ppp authentication chap callin" on R1 and do NOT
configure "ppp authentication" at all on R2 and here is why:

- First of all, I think we need to assume you are working with CHAP because
of the word "challenge" being used. This is talking about the CHAP
challenge that is sent by the router initiating the authentication.

- "R1 should send a challenge when it is called by R2". The router
initiating authentication always sends the challenge, not the receiver.
This indicates R1 is initiating authentication after R2 calls it. The
command "ppp chap authentication callin" means "Only authenticate the other
side of this link by sending a challenge if THEY called me first." So, if
R2 calls, go ahead and attempt to authenticate R2 from R1 by sending the
challenge.

- "R2 should not authenticate when it is called" - This means that when R1
calls R2, R2 should NOT issue a CHAP challenge. "ppp authentication chap"
tells the router to initiate authentication and you do NOT want that in any
circumstance here. The router will automatically respond to the CHAP
challenges from R1, you don't need anything special other than maybe the
correct username/passwords on R2.

In summary, you need "ppp authentication chap callin" on R1 if I read this
correctly. What does the solution say?

On Tue, Dec 13, 2011 at 3:39 PM, Calin C. <calin_at_engineer.com> wrote:

> Hello all,
>
> I have here a problem with PPP authentication and after reading / trying /
> debugging and trying again I'm confused. I have a task from a
> preparation workbook that says something like:
>
> - I have a PPP connection between R1 and R2
> - R1 should send a challenge when it is called by R2
> - R2 should not authenticate when it is called
>
> The rest is not important.
>
> What I understand from here is that R2 initiates a call to R1, R1 sends a
> challenge to R2. R2 must not send any challenge to R1.
> From the above phrase, I assume that the command:
>
> "ppp authentication chap callin"
>
> has to be configured on R2.
>
> Am I right or wrong?
>
> It's not about how complex this task is, but the "tricky request" makes me
> confused :(
>
> Thanks a lot!
>
> Cheers,
> Calin
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Received on Fri Dec 16 2011 - 09:54:33 ART
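
Added example, not part of the original thread or of any Cisco code: a small Python model of the one-way CHAP behaviour described in the reply above, showing which router sends a challenge in each call direction. The Router class, the place_call helper and the shared secret are constructed for illustration; the response hash follows RFC 1994 (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994, MD5 algorithm: hash over Identifier || secret || Challenge value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    def __init__(self, name, auth, secrets):
        self.name = name
        self.auth = auth        # None, "chap" or "chap callin" (models "ppp authentication ...")
        self.secrets = secrets  # peer hostname -> shared secret (models "username X password Y")

    def will_challenge(self, i_was_called):
        if self.auth == "chap":
            return True
        if self.auth == "chap callin":
            return i_was_called  # authenticate the peer only when the peer placed the call
        return False             # no "ppp authentication": never challenge

    def answer(self, ident, challenge, challenger):
        # Responding needs no "ppp authentication" line, only the shared secret
        secret = self.secrets.get(challenger, b"")
        return self.name, chap_response(ident, secret, challenge)

    def verify(self, ident, challenge, peer, response):
        secret = self.secrets.get(peer)
        if secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, challenge))

def place_call(caller, callee):
    """Return (challenger, responder, passed) for each challenge sent during one call."""
    results = []
    for authn, peer, was_called in ((callee, caller, True), (caller, callee, False)):
        if not authn.will_challenge(was_called):
            continue
        ident, challenge = 1, os.urandom(16)
        name, resp = peer.answer(ident, challenge, authn.name)
        results.append((authn.name, peer.name, authn.verify(ident, challenge, name, resp)))
    return results

# Constructed lab values: R1 uses callin, R2 has no authentication configured
R1 = Router("R1", "chap callin", {"R2": b"constructed-secret"})
R2 = Router("R2", None, {"R1": b"constructed-secret"})

if __name__ == "__main__":
    print("R2 calls R1:", place_call(R2, R1))
    print("R1 calls R2:", place_call(R1, R2))
```
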

This archive was generated by hypermail 2.2.0 : Sun Jan 01 2012 - 08:27:00 ART