Cisco Support Community

New Member

CHAP passwords

Hi Experts,

I need a clarification on a fundamental concept of CHAP used in PPP links.

I am aware of how CHAP works. It uses the MD5 one-way hash algorithm and takes the password as an element of the hash input. Thus passwords are not sent in clear text as they are in PAP.

That means we are forced to use the same password in both the peer routers. For example,

R1

username R2 password sairam

R2

username R1 password sairam

Is it possible to use different passwords on the two routers, as we can for PAP with the SENT-USERNAME command?

Thanks in advance

sairam


6 REPLIES
Hall of Fame Super Bronze

Re: CHAP passwords

Is it possible to use different passwords on the two routers, as we can for PAP with the SENT-USERNAME command?

Yes, you can use the command

ppp chap password

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p2.html#wp1032912

and an account must be created on the router acting as the authentication server with such password.

HTH,

__

Edison.

Re: CHAP passwords

Sairam,

ppp authentication chap is the command for the server. It challenges the client to authenticate.

As per your question, the password has to be the same on server and client.

Router1 Server:

username Router2 password mojo

int s0/1/0

ppp authentication chap

######

Router2 Client:

int s0/1/0

ppp chap password mojo

ppp chap hostname Router2

HTH,

Toshi

New Member

Re: CHAP passwords

Hi Edison & Toshi,

Thanks for your input.

As Toshi mentioned, I too learned that the password should be the same. I even tried the commands referred to in the command reference guide link provided by Edison.

If I give a different password in the "ppp chap password" command, the protocol does not come up.

That is my understanding. Please correct me if I have understood it the wrong way.

sairam

Hall of Fame Super Bronze

Re: CHAP passwords

Sairam,

Here are the results from my lab:

R2 will challenge CHAP authentication to R1

R2#sh run | i username

username R1 password 0 sairam1

R2#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.2 255.255.255.0

encapsulation ppp

shutdown

serial restart-delay 0

ppp authentication chap

R1#sh run | i username

username Router2 password 0 sairam

R1#sh run | se interface Serial0/0

interface Serial0/0

ip address 192.168.1.1 255.255.255.0

encapsulation ppp

serial restart-delay 0

I deliberately changed the local account username on R1 so I can use a different password. If I leave the username as R2, R1 will use the password matching the authenticating server's hostname - that's the caveat here.

I will now apply the ppp chap password command on R1.

R1(config)#int s0/0

R1(config-if)#ppp chap password sairam1

and 'no shut' the interface on R2;

R2(config-if)#no shut

R2(config-if)#

*Mar 1 00:28:05.891: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up

*Mar 1 00:28:05.895: Se0/0 PPP: Using default call direction

*Mar 1 00:28:05.895: Se0/0 PPP: Treating connection as a dedicated line

*Mar 1 00:28:05.895: Se0/0 PPP: Session handle[B50000B7] Session id[191]

*Mar 1 00:28:05.899: Se0/0 PPP: Authorization required

*Mar 1 00:28:05.991: Se0/0 CHAP: O CHALLENGE id 185 len 23 from "R2"

*Mar 1 00:28:06.115: Se0/0 CHAP: I RESPONSE id 185 len 23 from "R1"

*Mar 1 00:28:06.119: Se0/0 PPP: Sent CHAP LOGIN Request

*Mar 1 00:28:06.123: Se0/0 PPP: Received LOGIN Response PASS

*Mar 1 00:28:06.127: Se0/0 PPP: Sent LCP AUTHOR Request

*Mar 1 00:28:06.131: Se0/0 PPP: Sent IPCP AUTHOR Request

*Mar 1 00:28:06.135: Se0/0 LCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 IPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.139: Se0/0 CHAP: O SUCCESS id 185 len 4

*Mar 1 00:28:06.143: Se0/0 PPP: Sent CDPCP AUTHOR Request

*Mar 1 00:28:06.151: Se0/0 CDPCP: Received AAA AUTHOR Response PASS

*Mar 1 00:28:06.199: Se0/0 PPP: Sent IPCP AUTHOR Request

As you see, the passwords are different and the link is up.

HTH,

__

Edison.

Cisco Employee

Re: CHAP passwords

Hello Edison,

I am not sure but I think that Sairam has asked about a mutual authentication of two PPP peers - whether it is possible for each peer to authenticate to the other peer with a different password.

If that is the case then I believe that it is not possible. I see two major reasons for that. First, the password in CHAP is used to generate an MD5 hash of a challenge and therefore must be known on both peers, as both of them must be able to compute the identical result. Second, the password to use with a peer is either determined by the command "ppp chap password" on an interface (it will be used for any CHAP authentication, incoming or outgoing, on that interface), or by looking it up in the user database according to the peer's name. Both these ways are static in the sense that they associate a particular password with a particular peer (or all peers on an interface) for both incoming and outgoing authentication. Because of that, you cannot have two distinct passwords between two PPP peers and have them successfully authenticate against each other.

Best regards,

Peter
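The following is an added example, not code from the thread or from Cisco IOS: it models the RFC 1994 CHAP computation (MD5 over identifier, secret and challenge) together with the secret-selection behaviour described above (interface "ppp chap password" first, otherwise the username database keyed by the peer's name). It replays Edison's one-way lab (R2 challenging R1) and then the mutual case Peter describes, to show why a single shared secret per peer pair is required. Router names, passwords and the 16-byte challenge are constructed sample values.

```python
import hashlib
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5: Response value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def responder_secret(iface_chap_password, user_db: dict, challenger_name: str):
    """Secret the responding router uses, modelled on the thread's description:
    an interface-level 'ppp chap password' wins, otherwise the 'username' entry
    matching the challenger's hostname is used (None if neither exists)."""
    if iface_chap_password is not None:
        return iface_chap_password
    return user_db.get(challenger_name)


def authenticate(challenger_name: str, challenger_db: dict,
                 responder_name: str, responder_iface_pw, responder_db: dict,
                 ident: int = 185) -> bool:
    """One CHAP exchange. The challenger sends (ident, challenge, its name);
    the responder hashes with its chosen secret and replies with its own name;
    the challenger recomputes the hash with the secret stored under the
    responder's name. Returns True for SUCCESS, False for FAILURE."""
    challenge = os.urandom(16)                      # constructed random challenge
    secret = responder_secret(responder_iface_pw, responder_db, challenger_name)
    if secret is None:
        return False                                # responder has nothing to hash with
    response = chap_response(ident, secret, challenge)
    expected_secret = challenger_db.get(responder_name)
    if expected_secret is None:
        return False                                # challenger has no entry for that peer
    return chap_response(ident, expected_secret, challenge) == response


# Edison's lab, as sample data: R2 challenges, R1 responds.
R2_DB = {"R1": "sairam1"}          # username R1 password 0 sairam1
R1_DB = {"Router2": "sairam"}      # username Router2 password 0 sairam


def one_way_with_interface_password() -> bool:
    # R1 has 'ppp chap password sairam1' on the interface -> SUCCESS (R1 never needs R2's "sairam")
    return authenticate("R2", R2_DB, "R1", "sairam1", R1_DB)


def one_way_without_interface_password() -> bool:
    # R1 has no interface password and no 'username R2' entry -> cannot respond, link stays down
    return authenticate("R2", R2_DB, "R1", None, R1_DB)


def mutual_with_distinct_passwords() -> bool:
    # Reverse direction: R1 challenges R2. R2 hashes with "sairam1" (its entry for R1),
    # but R1 would need the same secret under R2's name, which it does not hold -> FAILURE
    return authenticate("R1", R1_DB, "R2", None, R2_DB)
```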

Hall of Fame Super Bronze (Accepted Solution)

Re: CHAP passwords

I think that Sairam has asked about a mutual authentication of two PPP peers.

If that's the case, then yes - the password must be the same. I was thinking along the lines of one side authenticating the other (client - server design).

__

Edison.
