"Magondo, Michael" wrote in message news:[EMAIL PROTECTED]...
> Russell
>
> Are you saying that CHAP is not capable of one way authentication?? And
> to do this one has to use PAP???

Almost, but not quite...  CHAP can operate in 2 modes, if you use "ppp
authentication chap" then your router will issue CHAP challenges both on
dial in and dial out, on the other hand you can use "ppp authentication chap
callin" which will only issue challenges to a device that calls in, and
won't issue challenges when the port is used to dial out.

However, the authentication in both these cases is a 2 way process...  one
router issues a challenge, the other router responds with a cryptographic
hash generated from the shared secret and the challenger checks this against
its database to check that the response is as expected.

Reading over my previous email I wasn't particularly clear on this...  I
probably should have just said that both routers need a username entry in
the local login database (or TAC+/Radius) to authenticate with each other,
as even when CHAP is configured for one way authentication, it is still a 2
way process.

Take a look at this CCO page for a diagram illustrating the CHAP
authentication process...

 http://www.cisco.com/warp/public/131/ppp_callin_hostname.html

Hopefully this response is more accurate than my earlier one :)

--
Russell Heilling
http://www.ccie.org.uk/
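The two-way exchange described above, as an added example that is not part of the thread or of any Cisco code: each peer keeps a local database keyed by the peer's hostname (as a `username` entry would be), the response is the RFC 1994 value MD5(Identifier || secret || Challenge), and a hypothetical `callin_only` flag models "ppp authentication chap callin", so a dialing-out router skips its own challenge but must still answer the other side's.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Router:
    # Hypothetical model of one PPP peer with a local username database.
    def __init__(self, hostname, users, callin_only=False):
        self.hostname = hostname
        self.users = users              # peer hostname -> shared secret
        self.callin_only = callin_only  # like 'ppp authentication chap callin'
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        # The Challenge carries our hostname so the peer can pick the right secret.
        return self.ident, os.urandom(16), self.hostname

    def respond(self, ident, value, challenger_name):
        secret = self.users.get(challenger_name)  # needs a username entry for the peer
        if secret is None:
            return None
        return chap_response(ident, secret, value), self.hostname

    def verify(self, ident, value, response, responder_name):
        secret = self.users.get(responder_name)
        if secret is None or response is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)

def authenticate(challenger, responder):
    """One CHAP direction: only the challenge and the hash cross the link."""
    ident, value, name = challenger.challenge()
    reply = responder.respond(ident, value, name)
    if reply is None:
        return False
    response, responder_name = reply
    return challenger.verify(ident, value, response, responder_name)

def ppp_link(caller, answerer):
    """Which directions are challenged on a call, and whether each verified."""
    results = {"answerer_challenged_caller": authenticate(answerer, caller)}
    if not caller.callin_only:  # a 'callin' router does not challenge when dialing out
        results["caller_challenged_answerer"] = authenticate(caller, answerer)
    return results
```

Removing the peer's entry from either side's database makes the corresponding direction fail, which is the point of the thread: a one-way configuration still needs the secret on both ends.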

> Michael
>
> -----Original Message-----
> From: Russell Heilling [mailto:[EMAIL PROTECTED]]
> Sent: 27 September 2002 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: chap authentication LONG !!! [7:54234]
>
> "Arni V. Skarphedinsson" wrote in message news:[EMAIL PROTECTED]...
> > Do I have to have the hostname of each router in each other, if I am
> > calling an ISP I just get a username and password, that I send the ISP
> > router, I don't get any hostname or password to put in my router to
> > authenticate the ISP router
> >
> > Or do I ????
>
> What you are describing is what happens in PAP authentication (as used
> with most single user dial ISP accounts), with CHAP *both* routers need to
> authenticate with each other, so you will need to put the username and
> password for the ISP router into your config.
>
> In CHAP the password is never sent across the link, the authentication
> relies on both ends having the same password and using it to generate
> and verify cryptographic hashes that can be sent across the link without
> the risk of giving the password away to anyone snooping on the line. As
> the password is the same at each end... You should use the same password
> for the entry in the local users database as you have configured for your
> end of the link.
>
> Hope this helps clear it up...
>
> --
> Russell Heilling
> http://www.ccie.org.uk/

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54318&t=54234