Device Authentication and PPP Auth
07-01-2004 10:30 AM - edited 03-10-2019 07:53 AM
We recently enabled AAA on all our routers for device authentication and authorization. When we did this it broke our async dial back up on some of our routers. Basically as soon as you enable aaa new-model, the behavior of PPP Authentication changes. Below is the configuration. What I want to do is to have AAA enabled on the router for telnet and console, but have the PPP dialup connection continue to use the configured username and password.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization config-commands
interface Async2
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 dialer-group 2
 async default routing
 async mode interactive
 ppp authentication chap callin
!
interface Dialer2
 ip unnumbered Loopback0
 encapsulation ppp
 dialer pool 2
 dialer redial interval 30 attempts 5 re-enable 300
 dialer string xxxxx
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname WESLEYTESTING-REMOTEATM
 ppp chap password passhere
Any help is appreciated....
07-01-2004 05:04 PM
Try adding the following:
aaa authentication ppp default local
07-05-2004 08:52 AM
I have tried this... It still doesn't seem to use the following commands:
ppp chap hostname WESLEYTESTING-REMOTEATM
ppp chap password passhere
It will only use the hostname of the router??? Any Ideas?
07-05-2004 09:58 AM
Another development... I didn't realize this before but when I do debug PPP negotiation, it appears it is using PAP authentication instead of chap. So I put in a PAP username and password and then it worked??? So really my problem is that once I enable aaa new-model, the router now ignores the ppp authentication chap command ???
07-06-2004 12:29 AM
Hi there,
If that's the case, you may want to try the following: enable both CHAP and PAP
ppp authentication chap pap
It's just a wild guess.
Marc
07-06-2004 06:44 AM
Even though CHAP is more secure than PAP, it causes problems when you are authenticating on a tacacs server. The essential problem is that CHAP does not send the password, it sends an authentication block which is generated from the password. If you are authenticating on the router, then the router can do the same calculation and compare results to see if the correct password is used. But when the router needs to send the password that was entered to the tacacs server for authentication, there is a serious problem because the router does not have the password which was entered.
The solution is to use PAP because PAP does transmit the password which was originally entered and thus the router can send the password to the tacacs server for authentication.
HTH
Rick
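Added example, not part of the original thread: a Python sketch of the calculation the reply above describes, using the RFC 1994 CHAP-MD5 formula. The function names and the in-memory `local_secrets` table are assumptions made for illustration; the hostname and password are the ones shown in the posted configuration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994, MD5 algorithm: one-way hash over ID octet + secret + challenge.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify_chap_locally(identifier, challenge, response, peer, local_secrets):
    # Works only because the verifier holds the cleartext secret itself and
    # can repeat the same calculation.
    secret = local_secrets.get(peer)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def material_to_forward(method: str, peer: str, payload: bytes) -> dict:
    # What the router holds after the peer authenticates, i.e. what it could
    # hand to an external server that expects a username and password.
    if method == "pap":
        return {"user": peer, "password": payload}  # password crossed the link
    if method == "chap":
        return {"user": peer, "password": None, "response": payload}
    raise ValueError("unknown method: " + method)

def demo() -> dict:
    peer, secret = "WESLEYTESTING-REMOTEATM", b"passhere"  # from the posted config
    local_secrets = {peer: secret}  # hypothetical stand-in for local usernames
    ident, challenge = 1, os.urandom(16)
    response = chap_response(ident, secret, challenge)
    return {
        "chap_ok": verify_chap_locally(ident, challenge, response, peer, local_secrets),
        # The same response against a fresh challenge must not verify.
        "chap_stale_ok": verify_chap_locally(2, os.urandom(16), response, peer, local_secrets),
        "chap_forward": material_to_forward("chap", peer, response),
        "pap_forward": material_to_forward("pap", peer, secret),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With CHAP the router ends up with a 16-byte digest bound to one challenge and no password to pass on; with PAP it ends up with the password itself, which is also why PAP exposes the password on the link.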
