10-28-2002 09:09 PM - edited 03-02-2019 02:26 AM
Let's say we have the following lab: lab-a->int s0->dce/dte cable->int s1->lab-b. RIP is configured. lab-a and lab-b are Cisco 2500 series routers.
lab-a configuration:
lab-a(config)#username lab-b passw onelink
lab-a(config)#int s0
lab-a(config-if)#ip address 201.100.11.1 255.255.255.0
lab-a(config-if)#clock rate 1000000
lab-a(config-if)#encap ppp
lab-a(config-if)#ppp auth chap
lab-b configuration:
lab-b(config)#username lab-a passw onelink
lab-b(config)#int s1
lab-b(config-if)#ip address 201.100.11.2 255.255.255.0
lab-b(config-if)#encap ppp
lab-b(config-if)#ppp auth chap
Now we can ping both ip addresses.
Then at lab-b we can do the following:
lab-b(config)#no username lab-a passw onelink
lab-b(config)#username lab-x passw onelink
And now we can still ping both addresses. Why? We changed the username. According to RFC 1994, "...The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated anytime after the link has been established..."
What do I have to do in order for this to work between lab-a and lab-b?
ping stops working only if I use a command sequence like:
lab-b(config)#int s 1
lab-b(config-if)#shutdown
lab-b(config-if)#no shutdown
One more question: why do we have to use the command
Router(config)# username USERNAME password PASSWORD
in global configuration mode? What if we have a chain of routers and want to implement PPP and CHAP? Logically this command is supposed to be used in interface configuration mode, Router(config-if)#. How does the router distinguish these pairs (username and password) in its database for its different serial interfaces?
10-29-2002 08:22 AM
We do not support the periodic CHAP authentication; the authentication is only done each time the link comes up and negotiates PPP. As you saw, when you shut/no shut the interface, then we negotiated PPP again and the authentication failed due to the username not existing.
As for Q2, the global username makes the most sense since a user may dial into different sync (ISDN) or async interfaces, which would be set up into a rotary group. It should not matter what interface the call comes in on, and if it does matter (say you don't want async users coming in via sync calls) then this control is best handled by an external AAA server. It could be argued that an interface username would be useful, but again any control beyond the basic is best handled via an external server.
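The following is an added illustration, not code from the thread or from Cisco IOS: a small Python model of the RFC 1994 CHAP exchange between lab-a and lab-b, with a local username database on each side standing in for the `username NAME password PW` entries. It assumes (as IOS does by default) that the responder picks the shared secret by looking up the challenger's Name, that `ppp authentication chap` on both interfaces means each router challenges the other, and that authentication runs only when the link negotiates PPP, never periodically. The `Router`, `Link`, `negotiate_link` and `scenario` names are hypothetical. It reproduces the thread's observation: after lab-b replaces `username lab-a` with `username lab-x`, the established link stays up, but a shut/no shut renegotiation fails.

```python
import hashlib
import hmac
import os


def chap_hash(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    """Hypothetical PPP peer with a local username database (IOS `username NAME password PW`)."""

    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname
        self.usernames = dict(usernames)   # peer name -> shared secret
        self.identifier = 0

    def challenge(self):
        """Authenticator side: Challenge packet carries (Identifier, random Value, own Name)."""
        self.identifier = (self.identifier + 1) & 0xFF
        return self.identifier, os.urandom(16), self.hostname

    def respond(self, identifier, value, challenger_name):
        """Peer side: secret is taken from the username entry matching the challenger's
        Name (assumed IOS default); Response = (Identifier, hash, own Name). None if no entry."""
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None
        return identifier, chap_hash(identifier, secret, value), self.hostname

    def verify(self, identifier, value, response):
        """Authenticator side: look up the responder's Name, recompute the hash, compare."""
        if response is None:
            return False
        resp_id, resp_hash, peer_name = response
        secret = self.usernames.get(peer_name)
        if secret is None or resp_id != identifier:
            return False
        return hmac.compare_digest(chap_hash(identifier, secret, value), resp_hash)


def authenticate(authenticator: Router, peer: Router) -> bool:
    """One 3-way handshake: Challenge -> Response -> Success/Failure."""
    ident, value, name = authenticator.challenge()
    return authenticator.verify(ident, value, peer.respond(ident, value, name))


def negotiate_link(a: Router, b: Router) -> dict:
    """`ppp authentication chap` on both ends: each side authenticates the other."""
    return {a.hostname: authenticate(a, b), b.hostname: authenticate(b, a)}


class Link:
    """Authentication happens only when PPP is (re)negotiated, so a later `username`
    change is not noticed until the interface is shut/no shut."""

    def __init__(self, a: Router, b: Router):
        self.a, self.b = a, b
        self.up = False
        self.no_shutdown()

    def shutdown(self):
        self.up = False

    def no_shutdown(self):
        self.up = all(negotiate_link(self.a, self.b).values())

    def ping_works(self) -> bool:
        return self.up


def scenario():
    """Constructed walk-through of the thread's lab; returns the four observations."""
    lab_a = Router("lab-a", {"lab-b": "onelink"})
    lab_b = Router("lab-b", {"lab-a": "onelink"})
    link = Link(lab_a, lab_b)
    before = link.ping_works()                  # both usernames present: link up
    # lab-b(config)#no username lab-a password onelink
    # lab-b(config)#username lab-x password onelink
    del lab_b.usernames["lab-a"]
    lab_b.usernames["lab-x"] = "onelink"
    still_up = link.ping_works()                # no periodic re-authentication: still up
    directions = negotiate_link(lab_a, lab_b)   # what a fresh negotiation would give now
    link.shutdown()
    link.no_shutdown()                          # int s1 shut / no shut
    after = link.ping_works()                   # lab-b has no entry for "lab-a": down
    return before, still_up, directions, after


if __name__ == "__main__":
    print(scenario())
```

Both directions fail on renegotiation here: lab-b cannot verify a Response named "lab-a", and lab-a cannot even build a Response to a Challenge from "lab-b" without... rather, lab-b cannot answer lab-a's Challenge because it no longer holds a secret for "lab-a". Both failures trace back to the peer-name lookup in the username database, which is also why that database is global rather than per interface: the lookup key is the peer's Name from the packet, not the interface the packet arrived on.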
10-29-2002 10:57 AM
Thank you, Mark, for all your explanations.
It's very pleasant that a CCIE answers my questions.
Thank you again.