05-01-2005 01:50 AM - edited 03-02-2019 10:38 PM
I have got this scenario: I have two 2600 routers, Rcentral and Rremote.
I connected these routers by serial cable.
I am looking to use PPP CHAP authentication.
First Case
If I want only Rremote to be authenticated by Rcentral (i.e. Rcentral authenticates Rremote and not vice versa)
Part of the configuration is:
Rcentral (config-if)#ppp authntication
Rcentral (config-if)#ppp authentication chap
Rcentral (config-if)# username Rremote password catcat
Am I right ?
Second Case
If I want both of them (Rcentral, Rremote) to authenticate each other, then I have to use these configurations:
Rcentral (config-if)#ppp authntication
Rcentral (config-if)#ppp authentication chap
Rcentral (config-if)# username Rremote password catcat
Rremote (config-if)#ppp authntication
Rremote (config-if)#ppp authentication chap
Rremote (config-if)# username Rcentral password catcat
Am I right?
2- Is it the same case for PPP PAP?
3- Why should the password (enable, secret) be the same on both routers?
05-01-2005 10:57 AM
As far as I know, you can't have only one side authenticate. Both have to be participating in it.
Your config on the "second case" is correct. So you are good there.
2) It would be the same for PAP, but remember, PAP sends the password info in plain text and CHAP doesn't send the password info at all. It uses a hash algorithm.
And if you were to do PAP and are using IOS version 11.1 or later, you need to add the following statement under interface-config mode.
Router(config-if)#ppp pap sent-username "remote router hostname" password "password"
*Enter the correct info for the items in parentheses.
3) The routers have to have the same passwords in their authentication statements because that is how they verify the info. PAP just checks to see if the password is the same. CHAP puts the password into an algorithm and if the result is the same as the other password then it will authenticate. If the passwords were different the hash result would not match.
Please rate if this helps :)
Scott
05-02-2005 01:28 AM
The reason I asked this is that the Cisco book says:
"CHAP is used to periodically verify the identity of the remote node, using three-way handshaking"
My confusion was: why only verify the remote node? That means we have one node for verifying and another node to be verified (the remote node). Correct me if my understanding is wrong.
05-02-2005 07:20 AM
From my understanding they both do it.
One will verify the other remote site and vice versa.
HTH
Scott
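The CHAP three-way handshake discussed in this thread, as an added example that is not part of any of the original posts: a simplified Python model of the RFC 1994 exchange, where the response is MD5 over the identifier octet, the shared secret and the challenge. The `Peer` class, its method names and the `authenticate` helper are hypothetical and PPP packet framing is omitted; the hostnames and the `catcat` secret mirror the configuration quoted in the first post.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier octet + secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Peer:
    """One end of the link (hypothetical model); `secrets` maps the other
    side's hostname to the shared secret, like a 'username X password Y' line."""
    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = secrets

    def challenge(self):
        # Message 1 (Challenge): identifier, fresh random value, own name.
        return os.urandom(1)[0], os.urandom(16), self.hostname

    def respond(self, identifier, challenge, authenticator_name):
        # Message 2 (Response): look up the secret by the challenger's name.
        # Only the hash and our own name go on the wire, never the secret.
        secret = self.secrets[authenticator_name]
        return chap_response(identifier, secret, challenge), self.hostname

    def verify(self, identifier, challenge, response, peer_name):
        # Message 3 (Success/Failure): recompute locally and compare.
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def authenticate(authenticator, peer):
    """Run one direction of CHAP: `authenticator` verifies `peer`."""
    ident, chal, name = authenticator.challenge()
    resp, peer_name = peer.respond(ident, chal, name)
    return authenticator.verify(ident, chal, resp, peer_name)

# Constructed sample data mirroring the thread's configuration.
rcentral = Peer("Rcentral", {"Rremote": b"catcat"})
rremote = Peer("Rremote", {"Rcentral": b"catcat"})
rremote_bad = Peer("Rremote", {"Rcentral": b"dogdog"})  # mismatched secret

if __name__ == "__main__":
    print("Rcentral verifies Rremote:", authenticate(rcentral, rremote))
    print("Rremote verifies Rcentral:", authenticate(rremote, rcentral))
    print("Mismatched secret:", authenticate(rcentral, rremote_bad))
```

Each call to `authenticate` is one direction of the handshake with its own fresh challenge, so a response captured from an earlier exchange does not verify against a later one.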