Cisco Support Community
Why Does <tt>debug ppp auth chap callin</tt> Want a RemoteID in an Incoming Challenge?

<p>I am trying to set up a one-way authentication in which the host that the Cisco AS5300 Universal Access Server calls verifies the identity of the AS5300. However, the AS5300 does not check the host.</p>

<p>When I use the command <tt>debug ppp auth chap callin</tt>, the debug log entries say:</p>


<pre>PPP: Treating connection as a callout
PPP: Phase is ESTABLISHING, Active Open
PPP: No remote authentication for call-out . . .
PPP: Phase is AUTHENTICATING, by the peer
CHAP: I CHALLENGE id 1 len 21
CHAP: No name received from peer
CHAP: Unable to authenticate for peer
PPP: Phase is TERMINATING</pre>


<p>Why does it care that there is no name? I tried another test with a router that submitted a name and it says there is no matching username. Why is it comparing the name?</p>



Re: Why Does <tt>debug ppp auth chap callin</tt> Want a RemoteID

First, you should have a look at:


The Challenge Handshake Authentication Protocol (CHAP) challenge MUST have a name in it such as one or more of the octets representing the identification of the system transmitting the packet.

The AS5300 uses this name to respond to the CHAP challenge; if using local authentication, it uses the username command that corresponds to the name in the CHAP challenge. If it uses authentication, authorization, and accounting (AAA), it will send this name to the AAA server.

It does not mean that security is becoming relaxed just because the AS5300 is the only one being authenticated; there is still a need for mutual identification.
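
The lookup described in the reply, as an added example that is not part of the original thread and is not Cisco's code: it parses an RFC 1994 CHAP Challenge, takes the Name field, and uses it to select the secret for the MD5 response. The secrets table, the host names and the 16-byte challenge value are constructed assumptions; with a 16-byte value, a challenge that carries no name is exactly 21 bytes long, which would match the `len 21` in the log.

```python
import hashlib
import struct

CHAP_CHALLENGE = 1  # RFC 1994 Code value for a Challenge packet

def parse_challenge(pkt: bytes):
    """Split a CHAP Challenge into (identifier, challenge value, name)."""
    if len(pkt) < 5:
        raise ValueError("truncated CHAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    if length < 5 or length > len(pkt):
        raise ValueError("bad Length field")
    value_size = pkt[4]
    if 5 + value_size > length:
        raise ValueError("Value-Size exceeds packet Length")
    value = pkt[5:5 + value_size]
    # Name has no length field of its own: it is whatever remains up to Length.
    name = pkt[5 + value_size:length]
    return ident, value, name

def answer_challenge(pkt: bytes, secrets: dict) -> bytes:
    """Return the 16-byte CHAP-MD5 response value for the named challenger."""
    ident, value, name = parse_challenge(pkt)
    if not name:
        # Without a name there is no key for the secret lookup.
        raise LookupError("No name received from peer")
    secret = secrets.get(name.decode("ascii", "replace"))
    if secret is None:
        raise LookupError("no matching username for %r" % name)
    # RFC 1994: MD5 over Identifier || secret || challenge value
    return hashlib.md5(bytes([ident]) + secret + value).digest()

def build_challenge(ident: int, value: bytes, name: bytes = b"") -> bytes:
    """Helper for this example: serialise a Challenge packet."""
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBHB", CHAP_CHALLENGE, ident, length, len(value)) + value + name

# Constructed sample data (hypothetical names and secret)
SECRETS = {"hostA": b"example-secret"}
VALUE = bytes(range(16))
NO_NAME = build_challenge(1, VALUE)              # id 1, len 21, empty Name
WITH_NAME = build_challenge(1, VALUE, b"hostA")  # Name matches a local entry
UNKNOWN = build_challenge(1, VALUE, b"hostB")    # Name with no local entry
```

`answer_challenge(NO_NAME, SECRETS)` and `answer_challenge(UNKNOWN, SECRETS)` both raise `LookupError`, mirroring the two failures in the question: with no name, or a name that matches no configured username, the called side cannot choose a secret and so cannot compute a response.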
