Re: PPP chap authentication with same password confusion

zillah2004 · ‎10-12-2005

Cisco says in ‘Second-Year Companion Guide’ Edition 2 page 339 :

((To configure PPP authentication, do the following:

Step1

On each router, define the username and password to expect from the remote router:

Router (config)# username name password secret

The arguments are described as follows:

name—This is the hostname of the remote router. Note that it is case sensitive.

secret—On Cisco routers, the secret password must be the same for both routers.)). I said this is the end of the step 1 from the above Cisco book.

Another book 'Semester 6 Remote Access Book' Cisco says :

((If you want the router to use a different username and password, you have the option of specifying a different combination with the following commands:

Router (config-if)#ppp chap hostname name.

Router (config-if)#ppp chap password passwd. ))

I feel there is conflict between second year book and semester 6 book !!! Any clarification about that (password)

spremkumar · ‎10-13-2005

Hi

AFAIK both the statements are correct in their way but the way in which they are used or the real requirement needs may differ from case to case.

i would suggest to look onto the functional sample config scenarios and also the link which can help u out...

!

hostname router1

!

username router2 password cisco

!

interface BRI0

no ip address

no ip mroute-cache

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap

---------------------------------------------------------------

!

hostname router2

!

username router1 password cisco

!

interface BRI0

no ip address

no ip mroute-cache

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap

--------------------------------------------------------------

hostname router1

!

username router2 password 0 cisco

!

interface BRI0/0

ip address x.x.x.x y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap callin

ppp chap hostname cisco

ppp chap password cisco

!

--------------------------------------------------------

hostname router2

!

username cisco password 0 cisco

!

interface BRI0/0

ip address z.z.z.z y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap

-----------------------------------------------------------------

http://cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a00800b4131.shtml

http://cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a0080094333.shtml

regds

zillah2004 · ‎10-13-2005

hostname router1

!

username router2 password 0 cisco

!

interface BRI0/0

ip address x.x.x.x y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap callin

ppp chap hostname sydney

ppp chap password letmein

!

--------------------------------------------------------

hostname router2

!

username sydney password 0 letmein

!

interface BRI0/0

ip address z.z.z.z y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap

1- What I did I modified the username and password.

2- My understanding to what the link said,,,If I want to use a default(router'name as hostname and same password for both routers) authentication, I do not need to use these two commands on both routers (router1 and router2):

ppp chap hostname sydney

ppp chap password letmein

but the password should be same on both routers.

3- If I want to use different hostname and password on router1 for authentication, I have to enter these two commands on a router1 only (not router2):

ppp chap hostname sydney

ppp chap password letmein

corret me if I am wrong please?

spremkumar · ‎10-13-2005

hi

yes thats also one of the advantage by providing different username and password rather than giving the client hostname and password.

Usually in SP network we do have some kinda identification purpose which we do using the username given to the client for either their backup connectivity or primary connectivity.

regds

zillah2004 · ‎10-13-2005

Is the username case sensitive in regard to the PPP authentication ?

Because i had read an article in internetwork expert lab that the username is not case semsitive !!!

Thanks

Richard Burts · ‎10-13-2005

I believe that you need to look carefully at the context of the discussion about whether the username is case sensitive or not. For lots of usage (like for local authentication) I believe that the user name is not case sensitive. My experience is that for PPP authentication the user name is case sensitive.

So was the article in internetwork expert lab talking specifically about configuring for PPP authenticatin or was it talking generally about configuring username in the config of a lab router?

HTH

Rick

HTH

Rick

zillah2004 · ‎10-13-2005

This is the part of pitfall:

"By default the username is not case sensitive in regards to the PPP authentication process, but the username is case sensitive in relation to PPP callback. If R5 sends ‘router5’ during the CHAP authentication process, the dialer map on R4 will need to have the name option configured as ‘router5’. Always have the name option of the dialer map and the dialer remote-name for Dialer Profiles match the exact username----------"

mehrdad · ‎10-14-2005

hostname router1

!

username router2 password 0 cisco

!

interface BRI0/0

ip address x.x.x.x y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap callin

ppp chap hostname sydney

ppp chap password letmein

!

--------------------------------------------------------

hostname router2

!

username sydney password 0 letmein

!

interface BRI0/0

ip address z.z.z.z y.y.y.y

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type basic-net3

ppp authentication chap

If the above configuration is correct then what about the following command :

username router2 password 0 cisco

that means if i change 'cisco' password to another,does it work?!

zillah2004 · ‎10-14-2005

My understanding is that

router1 will use these to authenticate router2

1- username: router2

2- password: cisco

router2 by default should have used these to authenticate router1

1- username: router1

2- password: cisco---with default configuration password should be same on both routers

But because we have used these two commands:

ppp chap hostname sydney

ppp chap password letmein

Now router2 will not use default configuration for authentication, it will use this

1- username: sydney

2- password: letmein

sunilthyagarajan · ‎11-21-2010

Hi,

Did anyone try using 'secret' instead of 'password' keyword?

I mean,

username Router1 secret xxxxxx

Evenafter giving the same secret in both the routers, it didnot work. It only worked when I changed it back to 'password'.

Any idea?

Richard Burts · ‎11-21-2010

In PPP CHAP authentication the originating router creates some challenge data. The other router uses its password to create a response by hashing the challenge data. The original router uses its password to recreate the hash. If the hashes match then the same password was used on both sides and authentication is successful (without ever sending the password over the connection). If the hashes do not match then the same password is not used on both sides and authentication fails.

The important thing here is that both routers must know the password. If you configure the user with "secret" rather than "password" then the router does not know what the password is, the router only knows a hash value created by the secret password. The router can authenticate whether someone entered the correct password or not by taking the entered password and hashing it to see if it matches. But the router does not know what the real value of the secret password is and therefore can not use it in CHAP authentication.

HTH

Rick

HTH

Rick