CHAP passwords

Answered Question
Sep 6th, 2009

Hi Experts,

I need a clarification on a fundamental concept of CHAP used in PPP links.

I am aware how CHAP works. It uses MD5 one way HASH Algorithm and inputs passwords as a element in the HASH. Thus passwords are not sent in clear text as PAP.

That means we are forced to use the same password in both the peer routers. For example,

R1

username R2 password sairam

R2

username R1 password sairam

Is it possible to use different passwords in both the routers as we do for PAP SENT-USERNAME command

Thanks in advance

sairam

I have this problem too.
0 votes
Correct Answer by Edison Ortiz about 7 years 3 months ago

I think that Sairam has asked about a mutual authentication of two PPP peers

If that's the case, then yes - password must be the same. I was thinking along the lines of one side authenticating the other (client - server design).

__

Edison.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (4 ratings)
Loading.
thotsaphon Sun, 09/06/2009 - 09:44

Sairam,

ppp authentication chap is the command for the server. It challenges the client to authenticate.

As per your question, the password has to be the same on server and client.

Router1 Server:

username Router2 password mojo

int s0/1/0

ppp authentication chap

######

Router2 Client:

int s0/1/0

ppp chap password mojo

ppp chap hostname Router2

HTH,

Toshi

snarayanaraju Sun, 09/06/2009 - 11:15

Hi Edison & Toshi,

Thanks for your input.

As Toshi mentioned, I too learned that the password should be same. I even tried the commands refered in the command reference guide link provided by edison.

If I give different password in "ppp chap password" command, Protocol is not coming up

Its my thought. Please correct if i understood in other way

sairam

Edison Ortiz Sun, 09/06/2009 - 20:29

Sairam,

Here are the results from my lab:

R2 will challenge CHAP authentication to R1

R2#sh run | i username

username R1 password 0 sairam1

R2#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.2 255.255.255.0

encapsulation ppp

shutdown

serial restart-delay 0

ppp authentication chap

R1#sh run | i username

username Router2 password 0 sairam

R1#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.1 255.255.255.0

encapsulation ppp

serial restart-delay 0

I deliberate changed the local account username on R1 so I can use a different password. If I leave the username as R2, R1 will use the password matching the authenticating server hostname - that's the caveat here.

I will now apply the ppp chap password command on R1.

R1(config)#int s0/0

R1(config-if)#ppp chap password sairam1

and 'no shut' the interface on R2;

R2(config-if)#no shut

R2(config-if)#

*Mar 1 00:28:05.891: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

*Mar 1 00:28:05.895: Se0/0 PPP: Using default call direction

*Mar 1 00:28:05.895: Se0/0 PPP: Treating connection as a dedicated line

*Mar 1 00:28:05.895: Se0/0 PPP: Session handle[B50000B7] Session id[191]

*Mar 1 00:28:05.899: Se0/0 PPP: Authorization required

*Mar 1 00:28:05.991: Se0/0 CHAP: O CHALLENGE id 185 len 23 from "R2"

*Mar 1 00:28:06.115: Se0/0 CHAP: I RESPONSE id 185 len 23 from "R1"

*Mar 1 00:28:06.119: Se0/0 PPP: Sent CHAP LOGIN Request

*Mar 1 00:28:06.123: Se0/0 PPP: Received LOGIN Response PASS

*Mar 1 00:28:06.127: Se0/0 PPP: Sent LCP AUTHOR Request

*Mar 1 00:28:06.131: Se0/0 PPP: Sent IPCP AUTHOR Request

*Mar 1 00:28:06.135: Se0/0 LCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 IPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 CHAP: O SUCCESS id 185 len 4

*Mar 1 00:28:06.143: Se0/0 PPP: Sent CDPCP AUTHOR Request

*Mar 1 00:28:06.151: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.199: Se0/0 PPP: Sent IPCP AUTHOR Request

As you see, the passwords are different and the link is up.

HTH,

__

Edison.

Peter Paluch Sun, 09/06/2009 - 11:14

Hello Edison,

I am not sure but I think that Sairam has asked about a mutual authentication of two PPP peers - whether it is possible for each peer to authenticate to the other peer with a different password.

If that is the case then I believe that it is not possible. I see two major reasons for that. First, the password in CHAP is used to generate a MD5 hash of a challenge and therefore must be known on both peers, as both of them must be able to compute the identical results. Second, the password to use with a peer is either determined by the command "ppp chap password" on an interface (it will be used for any CHAP authentication, incoming or outgoing, on that interface), or by looking it up in the user database according to the peer's name. Both these ways are static in the sense that they associate a particular password with a particular peer (or all peers on an interface) and for both incoming and outgoing authentication. Because of that, you cannot have two distinct passwords between two PPP peers and have them successfully authenticate against each other.

Best regards,

Peter

Correct Answer
Edison Ortiz Sun, 09/06/2009 - 21:07

I think that Sairam has asked about a mutual authentication of two PPP peers

If that's the case, then yes - password must be the same. I was thinking along the lines of one side authenticating the other (client - server design).

__

Edison.

Actions

This Discussion