Re: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Russell Heilling

"Magondo, Michael" wrote in message
news:[EMAIL PROTECTED]...
> Russell
>
> Are you saying that CHAP is not capable of one way authentication?? And
> to do this one has to use PAP???

Almost, but not quite...  CHAP can operate in 2 modes. If you use "ppp
authentication chap" then your router will issue CHAP challenges both on
dial in and dial out; on the other hand you can use "ppp authentication chap
callin", which will only issue challenges to a device that calls in, and
won't issue challenges when the port is used to dial out.

However, the authentication in both these cases is a 2 way process...  one
router issues a challenge, the other router responds with a cryptographic
hash generated from the shared secret, and the challenger checks this against
its database to check that the response is as expected.

Reading over my previous email I wasn't particularly clear on this...  I
probably should have just said that both routers need a username entry in
the local login database (or TAC+/Radius) to authenticate with each other,
as even when CHAP is configured for one way authentication, it is still a 2
way process.

Take a look at this CCO page for a diagram illustrating the CHAP
authentication process...

 http://www.cisco.com/warp/public/131/ppp_callin_hostname.html

Hopefully this response is more accurate than my earlier one :)

--
Russell Heilling
http://www.ccie.org.uk/

> Michael
>
> -Original Message-
> From: Russell Heilling [mailto:[EMAIL PROTECTED]]
> Sent: 27 September 2002 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: chap authentication LONG !!! [7:54234]
>
> "Arni V. Skarphedinsson" wrote in message
> news:[EMAIL PROTECTED]...
> > Do I have to have the hostname of each router in each other, if I am
> calling
> > an ISP I just get a username and password, that I send the ISP router,
> I
> > don't get any hostname or password to put in my router to authenticate
> the
> > ISP router
> >
> > Or do I 
>
> What you are describing is what happens in PAP authentication (as used
> with
> most single user dial ISP accounts), with CHAP *both* routers need to
> authenticate with each other, so you will need to put the username and
> password for the ISP router into your config.
>
> In CHAP the password is never sent across the link, the authentication
> relies on both ends having the same password and using it to generate
> and
> verify cryptographic hashes that can be sent across the link without the
> risk of giving the password away to anyone snooping on the line. As the
> password is the same at each end... You should use the same password for
> the
> entry in the local users database as you have configured for your end of
> the
> link.
>
> Hope this helps clear it up...
>
> --
> Russell Heilling
> http://www.ccie.org.uk/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54318&t=54234
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Magondo, Michael

Russell

Are you saying that CHAP is not capable of one way authentication?? And
to do this one has to use PAP???

Michael

-Original Message-
From: Russell Heilling [mailto:[EMAIL PROTECTED]] 
Sent: 27 September 2002 12:10 PM
To: [EMAIL PROTECTED]
Subject: Re: chap authentication LONG !!! [7:54234]

"Arni V. Skarphedinsson" wrote in message
news:[EMAIL PROTECTED]...
> Do I have to have the hostname of each router in each other, if I am
calling
> an ISP I just get a username and password, that I send the ISP router,
I
> don't get any hostname or password to put in my router to authenticate
the
> ISP router
>
> Or do I 

What you are describing is what happens in PAP authentication (as used
with
most single user dial ISP accounts), with CHAP *both* routers need to
authenticate with each other, so you will need to put the username and
password for the ISP router into your config.

In CHAP the password is never sent across the link, the authentication
relies on both ends having the same password and using it to generate
and
verify cryptographic hashes that can be sent across the link without the
risk of giving the password away to anyone snooping on the line. As the
password is the same at each end... You should use the same password for
the
entry in the local users database as you have configured for your end of
the
link.

Hope this helps clear it up...

--
Russell Heilling
http://www.ccie.org.uk/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54316&t=54234



Re: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Arni V. Skarphedinsson

Ok I have tested this and got it to work without the dual usernames on
both routers, as I was talking about in the previous post,

but that still leaves my original question, and if anyone can see anything
from the debug, that would be great.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54315&t=54234



Re: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Arni V. Skarphedinsson

Ok thanx for the explanation

to get this 100% I just have one more question

If I am calling an ISP

Router 1
has in its config

dialer 0
ppp authentication chap calli
ppp chap hostname bla
ppp chap password bla1


and that works to authenticate to the ISP router, but as chap is two way, do
I also have to have a

username ISPROUTER password some other password my ISP tells me

in my config for the ISP router to authenticate back to me, as chap is two
way, must I use it like this?

thanx for all the information


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54313&t=54234



Re: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Russell Heilling

"Arni V. Skarphedinsson" wrote in message
news:[EMAIL PROTECTED]...
> Do I have to have the hostname of each router in each other, if I am
calling
> an ISP I just get a username and password, that I send the ISP router, I
> don't get any hostname or password to put in my router to authenticate the
> ISP router
>
> Or do I 

What you are describing is what happens in PAP authentication (as used with
most single user dial ISP accounts), with CHAP *both* routers need to
authenticate with each other, so you will need to put the username and
password for the ISP router into your config.

In CHAP the password is never sent across the link, the authentication
relies on both ends having the same password and using it to generate and
verify cryptographic hashes that can be sent across the link without the
risk of giving the password away to anyone snooping on the line. As the
password is the same at each end... You should use the same password for the
entry in the local users database as you have configured for your end of the
link.

Hope this helps clear it up...

--
Russell Heilling
http://www.ccie.org.uk/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54310&t=54234
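The challenge/response exchange explained in this post, together with the two modes ("ppp authentication chap" versus "chap callin") described in the reply earlier in the thread, as an added example that is not code from the thread or from Cisco: a small model of RFC 1994 CHAP in which each router answers a challenge with MD5(id || secret || challenge) and the challenger verifies it against its own username database. The router names, secrets and the callin flag are assumptions chosen to mirror the debug output quoted later in the thread.

```python
import hashlib
import hmac
import os

# Added example, not from the thread: a minimal model of RFC 1994 CHAP as the
# posts describe it. Router names, secrets and the callin flag are assumptions.

def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Router:
    def __init__(self, hostname, users, default_password=None, callin_only=False):
        self.hostname = hostname                  # ppp chap hostname
        self.users = users                        # username <peer> password <secret>
        self.default_password = default_password  # ppp chap password
        self.callin_only = callin_only            # ppp authentication chap callin
        self.log = []

    def challenge(self):
        # Fresh identifier and random challenge per attempt; never reused.
        return os.urandom(1)[0], os.urandom(16)

    def respond(self, ident, chal, challenger_name):
        # The responder picks the secret by the challenger's name and falls back
        # to the interface default password: the "Username ... not found" line.
        secret = self.users.get(challenger_name)
        if secret is None:
            self.log.append(f"CHAP: Username {challenger_name} not found")
            secret = self.default_password
        if secret is None:
            return None
        return self.hostname, chap_response(ident, secret.encode(), chal)

    def verify(self, ident, chal, peer_name, response):
        # The authenticator has no fallback: it needs a username entry for the
        # name in the response, even when only one side is configured to challenge.
        secret = self.users.get(peer_name)
        if secret is None:
            self.log.append(f"CHAP: Username {peer_name} not found")
            return False
        expected = chap_response(ident, secret.encode(), chal)
        return hmac.compare_digest(expected, response)

def authenticate(challenger, responder):
    ident, chal = challenger.challenge()
    reply = responder.respond(ident, chal, challenger.hostname)
    if reply is None:
        return False
    name, response = reply
    return challenger.verify(ident, chal, name, response)

def ppp_auth(caller, callee):
    """Run the challenges each side is configured to issue for one call."""
    results = {"callee_verified_caller": authenticate(callee, caller)}
    if not caller.callin_only:  # plain 'chap' also challenges on dial-out
        results["caller_verified_callee"] = authenticate(caller, callee)
    return results
```

With "chap callin" on the dialling router and only a default "ppp chap password", the call still authenticates as long as the called router holds a username entry for the caller; the caller's log shows the "Username ... not found" fallback exactly as in the quoted 1003 debug.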



Re: chap authentication LONG !!! [7:54234]

2002-09-27 Thread Arni V. Skarphedinsson

Do I have to have the hostname of each router in each other, if I am calling
an ISP I just get a username and password, that I send the ISP router, I
don't get any hostname or password to put in my router to authenticate the
ISP router

Or do I 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54308&t=54234



Re: chap authentication LONG !!! [7:54234]

2002-09-26 Thread dildog

I just spent a second reading the debug... did you put the hostname of each
router in the other and use the same password?  In reference to:

> 00:03:55: BR0:1 CHAP: Username jal-3660 not found

Also verify that multilink and ppp authentication chap are set in both.

- Original Message -
From: "Arni V. Skarphedinsson" 
To: 
Sent: Thursday, September 26, 2002 9:53 AM
Subject: chap authentication LONG !!! [7:54234]


> Well I have some more chap authentication issues, and if someone can give
me
> any pointers that would be great,
>
> I have two routers
> a 1003 who is calling an 3660 over ISDN
>
> this is the debug from the 1003
>
> 00:03:54: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 00:03:55: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer0
> 00:03:55: BR0:1 PPP: Treating connection as a callout
> 00:03:55: BR0:1 PPP: Phase is ESTABLISHING, Active Open
> 00:03:55: BR0:1 LCP: O CONFREQ [Closed] id 16 len 10
> 00:03:55: BR0:1 LCP:MagicNumber 0x6073F820 (0x05066073F820)
> 00:03:55: BR0:1 LCP: I CONFREQ [REQsent] id 25 len 15
> 00:03:55: BR0:1 LCP:AuthProto CHAP (0x0305C22305)
> 00:03:55: BR0:1 LCP:MagicNumber 0x2F591151 (0x05062F591151)
> 00:03:55: BR0:1 LCP: O CONFACK [REQsent] id 25 len 15
> 00:03:55: BR0:1 LCP:AuthProto CHAP (0x0305C22305)
> 00:03:55: BR0:1 LCP:MagicNumber 0x2F591151 (0x05062F591151)
> 00:03:55: BR0:1 LCP: I CONFACK [ACKsent] id 16 len 10
> 00:03:55: BR0:1 LCP:MagicNumber 0x6073F820 (0x05066073F820)
> 00:03:55: BR0:1 LCP: State is Open
> 00:03:55: BR0:1 PPP: Phase is AUTHENTICATING, by the peer
> 00:03:55: BR0:1 CHAP: I CHALLENGE id 41 len 30 from "jal-3660"
> 00:03:55: BR0:1 CHAP: Using hostname test-2001 from interface Di0
> 00:03:55: BR0:1 CHAP: Username jal-3660 not found
> 00:03:55: BR0:1 CHAP: Using default password from Di0
> 00:03:55: BR0:1 CHAP: O RESPONSE id 41 len 33 from "test-2001"
> 00:03:55: BR0:1 CHAP: I SUCCESS id 41 len 4
> 00:03:55: BR0:1 PPP: Phase is UP
> 00:03:55: BR0:1 IPCP: O CONFREQ [Not negotiated] id 16 len 10
> 00:03:55: BR0:1 IPCP:Address 10.20.30.2 (0x03060A141E02)
> 00:03:55: BR0:1 CDPCP: O CONFREQ [Closed] id 16 len 4
> 00:03:55: BR0:1 CDPCP: I CONFREQ [REQsent] id 16 len 4
> 00:03:55: BR0:1 CDPCP: O CONFACK [REQsent] id 16 len 4
> 00:03:55: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
> 00:03:55: %DIALER-6-UNBIND: Interface BRI0:1 unbound from profile Dialer0
> 00:03:55: BR0:1 IPCP: State is Closed
> 00:03:55: BR0:1 CDPCP: State is Closed
> 00:03:55: BR0:1 PPP: Phase is TERMINATING
> 00:03:55: BR0:1 LCP: State is Closed
> 00:03:55: BR0:1 PPP: Phase is DOWN
>
> and hear is from the 3660
>
> Mar 9 14:05:06: Se2/0:1 CHAP: O CHALLENGE id 15 len 30 from "jal-3660"
> Mar 9 14:05:06: Se2/0:1 CHAP: I RESPONSE id 15 len 36 from "test-sap2001"
> Mar 9 14:05:06: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:06: Se2/0:1 PPP: Received LOGIN Response from AAA = PASS
> Mar 9 14:05:06: %DIALER-6-BIND: Interface Se2/0:1 bound to profile Di23
> Mar 9 14:05:06: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:06: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:06: Se2/0:1 CHAP: O CHALLENGE id 16 len 36 from "test-sap2001
> Mar 9 14:05:06: Se2/0:1 CHAP: I RESPONSE id 16 len 29 from "test1"
> Mar 9 14:05:06: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:06: Se2/0:1 PPP: Received LOGIN Response from AAA = FAIL
> Mar 9 14:05:06: Se2/0:1 CHAP: O FAILURE id 16 len 26 msg is "Authentication
> Mar 9 14:05:06: %ISDN-6-CONNECT: Interface Serial2/0:1 is now connected to 5
> Mar 9 14:05:06: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to down
> Mar 9 14:05:06: %DIALER-6-UNBIND: Interface Se2/0:1 unbound from profile Di2
> Mar 9 14:05:07: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to up
> Mar 9 14:05:07: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:07: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:07: Se2/0:1 CHAP: O CHALLENGE id 17 len 30 from "jal-3660"
> Mar 9 14:05:07: Se2/0:1 CHAP: I RESPONSE id 17 len 36 from "test-sap2001"
> Mar 9 14:05:07: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:07: Se2/0:1 PPP: Received LOGIN Response from AAA = PASS
> Mar 9 14:05:07: %DIALER-6-BIND: Interface Se2/0:1 bound to profile Di23
> Mar 9 14:05:07: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:07: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:07: Se2/0:1 CHAP: O CHALLENGE id 18 len 36 from "test-sap2001
> Mar 9 14:05:07: Se2/0:1 CHAP: I RESPONSE id 18 len 29 from "test1"
> Mar 9 14:05:07: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:07: Se2/0:1 PPP: Received LOGIN Response from AAA = FAIL
> Mar 9 14:05:07: Se2/0:1 CHAP: O FAILURE id 18 len 26 msg is "Authentication
> Mar 9 14:05:07: %ISDN-6-CONNECT: Interface Serial2/0:1 is now connected to 5
> Mar 9 14:05:07: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to down
> Mar 9 14:05:07: %DIALER-6-UNBIND: Interface Se2/0:1 unbound from profile Di2
>
>
> any 

Re: chap authentication LONG !!! [7:54234]

2002-09-26 Thread Arni V. Skarphedinsson

It's my understanding that when I use ppp authentication chap callin
I don't have to have the username on my router, as if I was calling into an
ISP then the ISP's router would have to have a username on my router, and I
don't think that is what is used.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54241&t=54234



Re: chap authentication LONG !!! [7:54234]

2002-09-26 Thread MADMAN

looks quite similar to a recent thread.

  username jal-3660 password blahblahblah

 remember CHAP is a two way authentication.

  Dave

"Arni V. Skarphedinsson" wrote:
> 
> Well I have some more chap authentication issues, and if someone can give
me
> any pointers that would be great,
> 
> I have two routers
> a 1003 who is calling an 3660 over ISDN
> 
> this is the debug from the 1003
>
> 00:03:54: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
> 00:03:55: %DIALER-6-BIND: Interface BRI0:1 bound to profile Dialer0
> 00:03:55: BR0:1 PPP: Treating connection as a callout
> 00:03:55: BR0:1 PPP: Phase is ESTABLISHING, Active Open
> 00:03:55: BR0:1 LCP: O CONFREQ [Closed] id 16 len 10
> 00:03:55: BR0:1 LCP:MagicNumber 0x6073F820 (0x05066073F820)
> 00:03:55: BR0:1 LCP: I CONFREQ [REQsent] id 25 len 15
> 00:03:55: BR0:1 LCP:AuthProto CHAP (0x0305C22305)
> 00:03:55: BR0:1 LCP:MagicNumber 0x2F591151 (0x05062F591151)
> 00:03:55: BR0:1 LCP: O CONFACK [REQsent] id 25 len 15
> 00:03:55: BR0:1 LCP:AuthProto CHAP (0x0305C22305)
> 00:03:55: BR0:1 LCP:MagicNumber 0x2F591151 (0x05062F591151)
> 00:03:55: BR0:1 LCP: I CONFACK [ACKsent] id 16 len 10
> 00:03:55: BR0:1 LCP:MagicNumber 0x6073F820 (0x05066073F820)
> 00:03:55: BR0:1 LCP: State is Open
> 00:03:55: BR0:1 PPP: Phase is AUTHENTICATING, by the peer
> 00:03:55: BR0:1 CHAP: I CHALLENGE id 41 len 30 from "jal-3660"
> 00:03:55: BR0:1 CHAP: Using hostname test-2001 from interface Di0
> 00:03:55: BR0:1 CHAP: Username jal-3660 not found
> 00:03:55: BR0:1 CHAP: Using default password from Di0
> 00:03:55: BR0:1 CHAP: O RESPONSE id 41 len 33 from "test-2001"
> 00:03:55: BR0:1 CHAP: I SUCCESS id 41 len 4
> 00:03:55: BR0:1 PPP: Phase is UP
> 00:03:55: BR0:1 IPCP: O CONFREQ [Not negotiated] id 16 len 10
> 00:03:55: BR0:1 IPCP:Address 10.20.30.2 (0x03060A141E02)
> 00:03:55: BR0:1 CDPCP: O CONFREQ [Closed] id 16 len 4
> 00:03:55: BR0:1 CDPCP: I CONFREQ [REQsent] id 16 len 4
> 00:03:55: BR0:1 CDPCP: O CONFACK [REQsent] id 16 len 4
> 00:03:55: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
> 00:03:55: %DIALER-6-UNBIND: Interface BRI0:1 unbound from profile Dialer0
> 00:03:55: BR0:1 IPCP: State is Closed
> 00:03:55: BR0:1 CDPCP: State is Closed
> 00:03:55: BR0:1 PPP: Phase is TERMINATING
> 00:03:55: BR0:1 LCP: State is Closed
> 00:03:55: BR0:1 PPP: Phase is DOWN
> 
> and hear is from the 3660
> 
> Mar 9 14:05:06: Se2/0:1 CHAP: O CHALLENGE id 15 len 30 from "jal-3660"
> Mar 9 14:05:06: Se2/0:1 CHAP: I RESPONSE id 15 len 36 from "test-sap2001"
> Mar 9 14:05:06: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:06: Se2/0:1 PPP: Received LOGIN Response from AAA = PASS
> Mar 9 14:05:06: %DIALER-6-BIND: Interface Se2/0:1 bound to profile Di23
> Mar 9 14:05:06: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:06: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:06: Se2/0:1 CHAP: O CHALLENGE id 16 len 36 from "test-sap2001
> Mar 9 14:05:06: Se2/0:1 CHAP: I RESPONSE id 16 len 29 from "test1"
> Mar 9 14:05:06: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:06: Se2/0:1 PPP: Received LOGIN Response from AAA = FAIL
> Mar 9 14:05:06: Se2/0:1 CHAP: O FAILURE id 16 len 26 msg is "Authentication
> Mar 9 14:05:06: %ISDN-6-CONNECT: Interface Serial2/0:1 is now connected to 5
> Mar 9 14:05:06: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to down
> Mar 9 14:05:06: %DIALER-6-UNBIND: Interface Se2/0:1 unbound from profile Di2
> Mar 9 14:05:07: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to up
> Mar 9 14:05:07: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:07: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:07: Se2/0:1 CHAP: O CHALLENGE id 17 len 30 from "jal-3660"
> Mar 9 14:05:07: Se2/0:1 CHAP: I RESPONSE id 17 len 36 from "test-sap2001"
> Mar 9 14:05:07: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:07: Se2/0:1 PPP: Received LOGIN Response from AAA = PASS
> Mar 9 14:05:07: %DIALER-6-BIND: Interface Se2/0:1 bound to profile Di23
> Mar 9 14:05:07: Se2/0:1 PPP: Treating connection as a callin
> Mar 9 14:05:07: Se2/0:1 PPP: Authorization NOT required
> Mar 9 14:05:07: Se2/0:1 CHAP: O CHALLENGE id 18 len 36 from "test-sap2001
> Mar 9 14:05:07: Se2/0:1 CHAP: I RESPONSE id 18 len 29 from "test1"
> Mar 9 14:05:07: Se2/0:1 PPP: Sent CHAP LOGIN Request to AAA
> Mar 9 14:05:07: Se2/0:1 PPP: Received LOGIN Response from AAA = FAIL
> Mar 9 14:05:07: Se2/0:1 CHAP: O FAILURE id 18 len 26 msg is "Authentication
> Mar 9 14:05:07: %ISDN-6-CONNECT: Interface Serial2/0:1 is now connected to 5
> Mar 9 14:05:07: %LINK-3-UPDOWN: Interface Serial2/0:1, changed state to down
> Mar 9 14:05:07: %DIALER-6-UNBIND: Interface Se2/0:1 unbound from profile Di2
> 
> any pointers would be great, beacuse I have no idea of what to try next.
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill



