CHAP may periodically verify the identity. How?

victormedua
Level 1

Let's say we have the following lab: lab-a -> int s0 -> DCE/DTE cable -> int s1 -> lab-b. RIP is configured. lab-a and lab-b are Cisco 2500 series routers.

lab-a configuration:

lab-a(config)#username lab-b passw onelink

lab-a(config)#int s0

lab-a(config-if)#ip address 201.100.11.1 255.255.255.0

lab-a(config-if)#clock rate 1000000

lab-a(config-if)#encap ppp

lab-a(config-if)#ppp auth chap

lab-b configuration:

lab-b(config)#username lab-a passw onelink

lab-b(config)#int s1

lab-b(config-if)#ip address 201.100.11.2 255.255.255.0

lab-b(config-if)#encap ppp

lab-b(config-if)#ppp auth chap

Now we can ping both ip addresses.

Then on lab-b we can do the following:

lab-b(config)#no username lab-a passw onelink

lab-b(config)#username lab-x passw onelink

And now we can still ping both addresses. Why? We changed the username. According to RFC 1994: "...The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established..."

What do I have to do in order for this to work between lab-a and lab-b?

Ping only stops working if I use a command sequence like:

lab-b(config)#int s 1

lab-b(config-if)#shutdown

lab-b(config-if)#no shutdown

One more question: why do we have to use the command

Router(config)# username USERNAME password PASSWORD

in global configuration mode? What if we have a chain of routers and want to implement PPP and CHAP? Logically this command is supposed to be used in interface configuration mode, Router(config-if)#. How does the router distinguish these pairs (username and password) in its database for its different serial interfaces?


mljohnson
Level 4

We do not support periodic CHAP authentication; the authentication is only done each time the link comes up and negotiates PPP. As you saw, when you shut/no shut the interface, we negotiated PPP again and the authentication failed because the username no longer existed.

As for Q2, the global username makes the most sense since a user may dial into different sync (ISDN) or async interfaces, which would be set up into a rotary group. It should not matter what interface the call comes in on, and if it does matter (say you don't want async users coming in via sync calls) then this control is best handled by an external AAA server. It could be argued that an interface username would be useful, but again any control beyond the basic is best handled via an external server.
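To make both answers concrete, here is an added example (not from the thread and not Cisco code) that models the RFC 1994 three-way handshake between two routers, each holding its global "username NAME password SECRET" table. The router and link classes, function names and the 16-byte random challenge are assumptions for illustration; the hostnames lab-a/lab-b and the secret "onelink" come from the question. It shows that the secret is looked up by the peer's name carried in the Challenge and Response packets (which is why the username database is global rather than per interface), and that renaming the entry only bites when PPP is renegotiated, since nothing re-runs CHAP on an established link.

```python
import hashlib
import hmac
import os

# Added example, not Cisco IOS code: a minimal model of two-way PPP CHAP (RFC 1994).


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """Hypothetical router: a hostname plus the global 'username NAME password SECRET' table."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = dict(usernames)  # keyed by the *peer's* name, not by interface

    def challenge(self, ident):
        # The Challenge packet carries the authenticator's hostname in its Name field.
        return ident, os.urandom(16), self.hostname

    def respond(self, ident, challenge, challenger_name):
        # Responder looks up the challenger's name to find the shared secret.
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None
        return chap_response(ident, secret.encode(), challenge), self.hostname

    def verify(self, ident, challenge, response, responder_name):
        # Authenticator looks up the responder's name and recomputes the hash.
        secret = self.usernames.get(responder_name)
        if secret is None:
            return False, f"{self.hostname}: no username entry for {responder_name}"
        expected = chap_response(ident, secret.encode(), challenge)
        if hmac.compare_digest(expected, response):
            return True, f"{self.hostname}: CHAP Success for {responder_name}"
        return False, f"{self.hostname}: CHAP Failure for {responder_name}"


def authenticate(authenticator, peer, ident=1):
    """One direction of the 3-way handshake: Challenge -> Response -> Success/Failure."""
    ident, chal, chal_name = authenticator.challenge(ident)
    answer = peer.respond(ident, chal, chal_name)
    if answer is None:
        return False, f"{peer.hostname}: no username entry for {chal_name}, cannot respond"
    resp, resp_name = answer
    return authenticator.verify(ident, chal, resp, resp_name)


class PppLink:
    """CHAP runs only while PPP is (re)negotiated; an established link is never re-challenged."""

    def __init__(self, a, b):
        self.a, self.b = a, b
        self.up = False
        self.log = []

    def negotiate(self):
        # 'ppp authentication chap' on both ends: each side challenges the other.
        results = [authenticate(self.a, self.b, 1), authenticate(self.b, self.a, 1)]
        self.log = [msg for _, msg in results]
        self.up = all(ok for ok, _ in results)
        return self.up

    def shut_no_shut(self):
        self.up = False
        return self.negotiate()

    def ping(self):
        return self.up


def run_lab():
    """Replays the question: rename the entry, ping still works, shut/no shut breaks it."""
    lab_a = Router("lab-a", {"lab-b": "onelink"})
    lab_b = Router("lab-b", {"lab-a": "onelink"})
    link = PppLink(lab_a, lab_b)
    before = link.negotiate()        # link comes up, both directions succeed
    # 'no username lab-a password onelink' then 'username lab-x password onelink' on lab-b
    del lab_b.usernames["lab-a"]
    lab_b.usernames["lab-x"] = "onelink"
    still_up = link.ping()           # no re-authentication, so ping still works
    after = link.shut_no_shut()      # PPP renegotiates, CHAP now fails in both directions
    return before, still_up, after, link.log
```

Run `run_lab()` to reproduce the observation: the link stays up after the rename and only drops after shut/no shut. The lookup in `respond` and `verify` is by the name in the packet, never by the interface, which is the reason the `username` command lives in global configuration mode.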

Thank you, Mark, for all your explanations.

It's very pleasant that CCIE answers my questions.

Thank you again.
