Sairam,

ppp authentication chap is the command for the server. It challenges the client to authenticate.

As per your question, the password has to be the same on server and client.

Router1 Server:

username Router2 password mojo

int s0/1/0

ppp authentication chap

######

Router2 Client:

int s0/1/0

ppp chap password mojo

ppp chap hostname Router2

HTH,

Toshi

Hi Edison & Toshi,

Thanks for your input.

As Toshi mentioned, I too learned that the password should be same. I even tried the commands refered in the command reference guide link provided by edison.

If I give different password in "ppp chap password" command, Protocol is not coming up

Its my thought. Please correct if i understood in other way

sairam

Sairam,

Here are the results from my lab:

R2 will challenge CHAP authentication to R1

R2#sh run | i username

username R1 password 0 sairam1

R2#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.2 255.255.255.0

encapsulation ppp

shutdown

serial restart-delay 0

ppp authentication chap

R1#sh run | i username

username Router2 password 0 sairam

R1#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.1 255.255.255.0

encapsulation ppp

serial restart-delay 0

I deliberate changed the local account username on R1 so I can use a different password. If I leave the username as R2, R1 will use the password matching the authenticating server hostname - that's the caveat here.

I will now apply the ppp chap password command on R1.

R1(config)#int s0/0

R1(config-if)#ppp chap password sairam1

and 'no shut' the interface on R2;

R2(config-if)#no shut

R2(config-if)#

*Mar 1 00:28:05.891: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

*Mar 1 00:28:05.895: Se0/0 PPP: Using default call direction

*Mar 1 00:28:05.895: Se0/0 PPP: Treating connection as a dedicated line

*Mar 1 00:28:05.895: Se0/0 PPP: Session handle[B50000B7] Session id[191]

*Mar 1 00:28:05.899: Se0/0 PPP: Authorization required

*Mar 1 00:28:05.991: Se0/0 CHAP: O CHALLENGE id 185 len 23 from "R2"

*Mar 1 00:28:06.115: Se0/0 CHAP: I RESPONSE id 185 len 23 from "R1"

*Mar 1 00:28:06.119: Se0/0 PPP: Sent CHAP LOGIN Request

*Mar 1 00:28:06.123: Se0/0 PPP: Received LOGIN Response PASS

*Mar 1 00:28:06.127: Se0/0 PPP: Sent LCP AUTHOR Request

*Mar 1 00:28:06.131: Se0/0 PPP: Sent IPCP AUTHOR Request

*Mar 1 00:28:06.135: Se0/0 LCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 IPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 CHAP: O SUCCESS id 185 len 4

*Mar 1 00:28:06.143: Se0/0 PPP: Sent CDPCP AUTHOR Request

*Mar 1 00:28:06.151: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.199: Se0/0 PPP: Sent IPCP AUTHOR Request

As you see, the passwords are different and the link is up.

HTH,

__

Edison.

Hello Edison,

I am not sure but I think that Sairam has asked about a mutual authentication of two PPP peers - whether it is possible for each peer to authenticate to the other peer with a different password.

If that is the case then I believe that it is not possible. I see two major reasons for that. First, the password in CHAP is used to generate a MD5 hash of a challenge and therefore must be known on both peers, as both of them must be able to compute the identical results. Second, the password to use with a peer is either determined by the command "ppp chap password" on an interface (it will be used for any CHAP authentication, incoming or outgoing, on that interface), or by looking it up in the user database according to the peer's name. Both these ways are static in the sense that they associate a particular password with a particular peer (or all peers on an interface) and for both incoming and outgoing authentication. Because of that, you cannot have two distinct passwords between two PPP peers and have them successfully authenticate against each other.

Best regards,

Peter