From the Cisco Security Configuration Guide: "When CHAP is enabled on an interface and a remote device attempts to connect to it, the access server sends a CHAP packet to the remote device. The CHAP packet requests or "challenges" the remote device to respond. The challenge packet consists of an ID, a random number, and the host name of the local router.
When the remote device receives the challenge packet, it concatenates the ID, the remote device's password, and the random number, and then encrypts all of it using the remote device's password. The remote device sends the results back to the access server, along with the name associated with the password used in the encryption process. When the access server receives the response, it uses the name it received to retrieve a password stored in its user database. The retrieved password should be the same password the remote device used in its encryption process. The access server then encrypts the concatenated information with the newly retrieved password - if the result matches the result sent in the response packet, authentication succeeds."

Both routers authenticate each other; it's not just a one-way authentication. So, Router2 would send its name, ID, and random number to Router3. Router3 NEEDS a "username Router2" entry so that it can encrypt the response. It uses the password to encrypt, and then sends the response back to Router2. Router2 then NEEDS a "username Router2" to check to make sure that Router3 had the right password.

Then, Router3 sends its ID, random number, and hostname to Router2. Router2 NEEDS a "username Router3" entry to encrypt the packet and send it back to Router3. Router3 then NEEDS a "username Router3" to check to make sure that Router2 used the correct password to encrypt the data.

I don't see how you can get away with only providing one username on each router.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message.
If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: Kenneth [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 12:10 PM
To: [EMAIL PROTECTED]
Subject: PPP authentication [7:74551]

Hiyah everyone,

I have two routers, Router2 and Router3, one a 2500 and the other a 2600. Configuring CHAP on the link, I just need (supposedly) to include these lines on the global config

Router2(config)# username Router3 password abc
Router3(config)# username Router2 password abc

And apply "ppp auth chap" to the interfaces.

However, when doing this, the link becomes more of a flapping link, and, running "debug ppp auth", there is no authentication success.

However, if I were to do this:

Router2(config)# username Router3 password abc
Router2(config)# username Router2 password abc
Router3(config)# username Router2 password abc
Router3(config)# username Router3 password abc

and apply CHAP on the respective interfaces, the link just comes up!

From the various sources that I checked, the former implementation would've worked, but in my case, the latter works, not the former. I'm wondering whether this is due to IOS version issues or not. I'm not in the office now, so I can't check the versions atm.

Any comments on this matter would be appreciated.

Thanks.
Kenneth

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74671&t=74551
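The challenge/response exchange discussed in this thread, modelled as an added Python example; it is not part of either message and is not IOS or Cisco code. It assumes the RFC 1994 response (an MD5 hash over ID, secret and challenge) and that each side looks up the secret under the name its peer sent, with exact-match lookups; the `Router` class and function names are hypothetical, and the router names and password are the ones from the thread.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994: one-way MD5 hash over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

class Router:  # hypothetical model, not IOS code
    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users  # models "username <name> password <secret>" lines

    def challenge(self, ident):
        # Challenge packet: ID, random number, hostname of the local router.
        return ident, os.urandom(16), self.hostname

    def respond(self, ident, rand, challenger):
        # Assumption: the secret is looked up under the challenger's name.
        secret = self.users.get(challenger)
        if secret is None:
            return None  # no matching username entry, no response possible
        return self.hostname, chap_response(ident, secret, rand)

    def verify(self, ident, rand, reply):
        # Look up the name sent in the response and recompute the hash.
        if reply is None or reply[0] not in self.users:
            return False
        expected = chap_response(ident, self.users[reply[0]], rand)
        return hmac.compare_digest(reply[1], expected)

def one_way(authenticator, peer, ident):
    ident, rand, name = authenticator.challenge(ident)
    return authenticator.verify(ident, rand, peer.respond(ident, rand, name))

def two_way(a, b):
    return one_way(a, b, 1) and one_way(b, a, 2)

def demo():
    # Constructed router configurations using the names from the thread.
    r2 = Router("Router2", {"Router3": "abc"})
    r3 = Router("Router3", {"Router2": "abc"})
    bad_pw = Router("Router3", {"Router2": "abd"})    # secrets differ
    bad_name = Router("router3", {"Router2": "abc"})  # hostname case differs
    return two_way(r2, r3), two_way(r2, bad_pw), two_way(r2, bad_name)

if __name__ == "__main__":
    print(demo())
```

Under these assumptions the two failing cases are a secret that differs between the two ends and a hostname that does not exactly match the peer's username entry; the password itself never crosses the link, only the hash.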