From the Cisco Security Configuration Guide:
"When CHAP is enabled on an interface and a remote device attempts to
connect to it, the access server sends a CHAP packet to the remote device.
The CHAP packet requests or "challenges" the remote device to respond. The
challenge packet consists of an ID, a random number, and the host name of
the local router.
When the remote device receives the challenge packet, it concatenates the
ID, the remote device's password, and the random number, and then encrypts
all of it using the remote device's password. The remote device sends the
results back to the access server, along with the name associated with the
password used in the encryption process.
When the access server receives the response, it uses the name it received
to retrieve a password stored in its user database. The retrieved password
should be the same password the remote device used in its encryption
process. The access server then encrypts the concatenated information with
the newly retrieved password; if the result matches the result sent in the
response packet, authentication succeeds."
Both routers authenticate each other; it's not just a one-way
authentication. So, Router2 would send its name, ID, and random number to
Router 3. Router3 NEEDS a "username Router2" entry so that it can encrypt
the response. It uses the password to encrypt, and then sends the response
back to Router2. Router2 then NEEDS a "username Router2" to check to make
sure that Router3 had the right password. Then, Router3 sends its ID,
random number, and hostname to Router2. Router2 NEEDS a "username Router3"
entry to encrypt the packet and send it back to Router3. Router3 then NEEDS
a "username Router3" to check to make sure that Router2 used the correct
password to encrypt the data.
I don't see how you can get away with only providing one username on each
router.
Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
NOTICE; This email contains confidential or proprietary information which
may be legally privileged. It is intended only for the named recipient(s).
If an addressing or transmission error has misdirected the email, please
notify the author by replying to this message. If you are not the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.
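The challenge/response exchange quoted above, carried through in code as an added example (not from the Cisco guide, the list, or either poster). It follows RFC 1994 CHAP, where the response is an MD5 digest over the one-byte Identifier, the shared secret, and the challenge bytes; the `ChapRouter` class, its `user_db` dictionary (a stand-in for the IOS `username NAME password SECRET` table, keyed by the name carried in the packet), and the hostnames and secrets are all constructed for the illustration. The verifier looks up the secret under the name the responder sent, recomputes the digest, and compares in constant time; each issued challenge is accepted once only, so a captured response cannot be replayed against the same authenticator.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response_hash(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5 algorithm): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


@dataclass
class ChapRouter:
    """Constructed model of one PPP peer that can both challenge and respond."""
    hostname: str
    # Constructed stand-in for the IOS "username NAME password SECRET" table:
    # maps the peer name seen in a CHAP packet to the shared secret for that peer.
    user_db: dict
    # Challenges this router has issued and not yet seen answered: ident -> bytes.
    pending: dict = field(default_factory=dict)

    def challenge(self):
        """Build a Challenge packet: (ID, random bytes, our hostname)."""
        ident = os.urandom(1)[0]
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal, self.hostname

    def respond(self, ident, chal, challenger_name):
        """Answer a Challenge using the secret stored for the challenger's name."""
        secret = self.user_db.get(challenger_name)
        if secret is None:
            return None  # no username entry for that name: nothing to hash with
        return ident, chap_response_hash(ident, secret, chal), self.hostname

    def verify(self, response):
        """Check a Response against the challenge we issued and the responder's secret."""
        if response is None:
            return False
        ident, digest, responder_name = response
        chal = self.pending.pop(ident, None)  # each challenge is usable exactly once
        secret = self.user_db.get(responder_name)
        if chal is None or secret is None:
            return False
        expected = chap_response_hash(ident, secret, chal)
        return hmac.compare_digest(expected, digest)


def authenticate_one_way(authenticator, peer):
    """Authenticator challenges peer; returns True if the peer's response verifies."""
    ident, chal, name = authenticator.challenge()
    return authenticator.verify(peer.respond(ident, chal, name))


def mutual_authenticate(r2, r3):
    """Two-way CHAP: each side challenges the other. Returns (r2_verified_r3, r3_verified_r2)."""
    return authenticate_one_way(r2, r3), authenticate_one_way(r3, r2)


if __name__ == "__main__":
    # Constructed peers mirroring the two-line configuration in the thread.
    router2 = ChapRouter("Router2", {"Router3": "abc"})
    router3 = ChapRouter("Router3", {"Router2": "abc"})
    print("matching secrets:", mutual_authenticate(router2, router3))
    wrong = ChapRouter("Router3", {"Router2": "xyz"})
    print("mismatched secret:", mutual_authenticate(router2, wrong))
```

Running it with `debug ppp authentication` in mind: a mismatch on either side fails both directions, because the secret is shared and each router uses the same table entry whether it is hashing a response or checking one.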
-----Original Message-----
From: Kenneth [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 12:10 PM
To: [EMAIL PROTECTED]
Subject: PPP authentication [7:74551]
Hiyah everyone,
I have two routers, Router2 and Router3, one a 2500 and the other a 2600.
Configuring CHAP on the link, I just need (supposedly) to include these
lines on the global config
Router2(config)# username Router3 password abc
Router3(config)# username Router2 password abc
And apply "ppp auth chap" to the interfaces. However, when doing this, the
link becomes more of a flapping link, and, running "debug ppp auth", there
is no authentication success.
However, if I were to do this:
Router2(config)# username Router3 password abc
Router2(config)# username Router2 password abc
Router3(config)# username Router2 password abc
Router3(config)# username Router3 password abc
and apply CHAP on the respective interfaces, the link just comes up!
From the various sources that I checked, the former implementation would've
worked, but in my case, the latter works, not the former. I'm wondering
whether this is due to IOS version issues or not. I'm not in the office now,
so I can't check the versions atm.
Any comments on this matter would be appreciated. Thanks.
Kenneth
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74671&t=74551