Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CHAP may periodically verify the identity . How?

Let's say we have next lab: lab-a->int s0->dce/dte cable->int s1->lab-b. RIP is configured. lab-a and lab-b are cisco 2500 series routers.

lab-a configuration:

lab-a(config)#username lab-b passw onelink

lab-a(config)#int s0

lab-a(config-if)#ip address

lab-a(config-if)#clock rate 1000000

lab-a(config-if)#encap ppp

lab-a(config-if)#ppp auth chap

lab-b configuration:

lab-b(config)#username lab-a passw onelink

lab-b(config)#int s1

lab-b(config-if)#ip address

lab-b(config-if)#encap ppp

lab-b(config-if)#ppp auth chap

Now we can ping both ip addresses.

Then at lab-b we can do next:

lab-b(config)#no username lab-a passw onelink

lab-b(config)#username lab-x passw onelink

And now we still can ping both addresses. Why? We changed username. In compliance with rfc 1994 "...The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established..."

What do I have to do in order this will work between lab-a and lab-b?

ping doesn't work if only I use command sequence like:

lab-b(config)#int s 1


lab-b(config-if)#no shutdown

One more question: why do we have to use command

Router(config)# username USERNAME password PASSWORD

in global configuration mode? What if we have chain of routers and want to implement ppp and chap? Logically this command is supposed to be used in interface configuration mode Router(config-if)#. How does router distinguish this pairs (username and password) from its database for its different serial interfaces?


Re: CHAP may periodically verify the identity . How?

We do not support the periodic CHAP authentication; the authentication is only done each time the link comes up and negotiates PPP. As you saw, when you shut/no shut the interface, then we negotiated PPP again and the authentication failed due to the username not existing.

As for Q2, the global username makes the most sense since a user may dial into different sync (ISDN) or async interfaces, which would be set up into a rotary group. It should not matter what interface the call comes in on, and if it does matter (say you don't want async users coming in via sync calls) then this control is best handled by an external AAA server. It could be argued that an interface username would be useful, but again any control beyond the basic is best handled via an external server.

New Member

Re: CHAP may periodically verify the identity . How?

Thank You, Mark for all your explanations.

It's very pleasant that CCIE answers my questions.

Thank you again.