09-06-2009 08:11 AM - edited 03-04-2019 05:57 AM
Hi Experts,
I need a clarification on a fundamental concept of CHAP used in PPP links.
I am aware how CHAP works. It uses the MD5 one-way hash algorithm and inputs the password as an element in the hash. Thus passwords are not sent in clear text as in PAP.
That means we are forced to use the same password in both the peer routers. For example,
R1
username R2 password sairam
R2
username R1 password sairam
Is it possible to use different passwords in both the routers, as we do for PAP with the sent-username command?
Thanks in advance
sairam
09-06-2009 09:07 PM
I think that Sairam has asked about a mutual authentication of two PPP peers
If that's the case, then yes, the password must be the same. I was thinking along the lines of one side authenticating the other (client - server design).
__
Edison.
09-06-2009 09:15 AM
Is it possible to use different passwords in both the routers as we do for PAP SENT-USERNAME command
Yes, you can use the command
ppp chap password
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p2.html#wp1032912
and an account must be created on the router acting as the authentication server with such password.
HTH,
__
Edison.
09-06-2009 09:44 AM
Sairam,
ppp authentication chap is the command for the server. It challenges the client to authenticate.
As per your question, the password has to be the same on server and client.
Router1 Server:
username Router2 password mojo
int s0/1/0
ppp authentication chap
######
Router2 Client:
int s0/1/0
ppp chap password mojo
ppp chap hostname Router2
HTH,
Toshi
09-06-2009 11:15 AM
Hi Edison & Toshi,
Thanks for your input.
As Toshi mentioned, I too learned that the password should be the same. I even tried the commands referred to in the command reference guide link provided by Edison.
If I give a different password in the "ppp chap password" command, the protocol is not coming up.
It's my thought. Please correct me if I understood it another way.
sairam
09-06-2009 08:29 PM
Sairam,
Here are the results from my lab:
R2 will challenge CHAP authentication to R1
R2#sh run | i username
username R1 password 0 sairam1
R2#sh run | se interface Serial0/0
interface Serial0/0
ip address 192.168.1.2 255.255.255.0
encapsulation ppp
shutdown
serial restart-delay 0
ppp authentication chap
R1#sh run | i username
username Router2 password 0 sairam
R1#sh run | se interface Serial0/0
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
I deliberately changed the local account username on R1 so I can use a different password. If I leave the username as R2, R1 will use the password matching the authenticating server hostname - that's the caveat here.
I will now apply the ppp chap password command on R1.
R1(config)#int s0/0
R1(config-if)#ppp chap password sairam1
and 'no shut' the interface on R2;
R2(config-if)#no shut
R2(config-if)#
*Mar 1 00:28:05.891: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:28:05.895: Se0/0 PPP: Using default call direction
*Mar 1 00:28:05.895: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 00:28:05.895: Se0/0 PPP: Session handle[B50000B7] Session id[191]
*Mar 1 00:28:05.899: Se0/0 PPP: Authorization required
*Mar 1 00:28:05.991: Se0/0 CHAP: O CHALLENGE id 185 len 23 from "R2"
*Mar 1 00:28:06.115: Se0/0 CHAP: I RESPONSE id 185 len 23 from "R1"
*Mar 1 00:28:06.119: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 1 00:28:06.123: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 00:28:06.127: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 00:28:06.131: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 00:28:06.135: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 00:28:06.139: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:28:06.139: Se0/0 CHAP: O SUCCESS id 185 len 4
*Mar 1 00:28:06.143: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 00:28:06.151: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 00:28:06.199: Se0/0 PPP: Sent IPCP AUTHOR Request
As you see, the passwords are different and the link is up.
HTH,
__
Edison.
09-06-2009 11:14 AM
Hello Edison,
I am not sure but I think that Sairam has asked about a mutual authentication of two PPP peers - whether it is possible for each peer to authenticate to the other peer with a different password.
If that is the case then I believe that it is not possible. I see two major reasons for that. First, the password in CHAP is used to generate an MD5 hash of a challenge and therefore must be known on both peers, as both of them must be able to compute the identical results. Second, the password to use with a peer is either determined by the command "ppp chap password" on an interface (it will be used for any CHAP authentication, incoming or outgoing, on that interface), or by looking it up in the user database according to the peer's name. Both these ways are static in the sense that they associate a particular password with a particular peer (or all peers on an interface) and for both incoming and outgoing authentication. Because of that, you cannot have two distinct passwords between two PPP peers and have them successfully authenticate against each other.
Best regards,
Peter
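Below is an added simulation, not code from this thread or from Cisco, that models the two points made above (Edison's lab and Peter's explanation): the CHAP response is MD5(Identifier || secret || Challenge) per RFC 1994, so the verifier can only succeed when it holds the same secret the responder used; and which secret each router picks depends on an interface-level "ppp chap password" override or, failing that, a lookup of the peer's hostname in the local username database. The Router class, the hostnames, the secrets "sairam"/"sairam1" and the scenario functions are constructed for illustration; the override is modelled as applying only to the responses a router sends, which is all that Edison's lab exercises.

```python
"""Constructed model of CHAP secret selection between two PPP peers (not IOS code)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994, section 4.1: Response value = MD5(Identifier || secret || Challenge value)
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    """Hypothetical model of the behaviour discussed in the thread."""

    def __init__(self, hostname, usernames, interface_password=None):
        self.hostname = hostname
        # 'username <peer> password <secret>' entries, keyed by peer name
        self.usernames = dict(usernames)
        # 'ppp chap password <secret>' on the interface (None if not configured)
        self.interface_password = interface_password

    def challenge(self, identifier):
        # Authenticator sends 'O CHALLENGE id <n> ... from "<hostname>"' (random challenge)
        return identifier, os.urandom(16), self.hostname

    def respond(self, identifier, challenge, authenticator_name):
        # Responder picks its secret: interface override first, otherwise a lookup by the
        # authenticator's hostname (the caveat Edison points out in his lab)
        secret = self.interface_password or self.usernames.get(authenticator_name)
        if secret is None:
            return None
        return chap_response(identifier, secret, challenge), self.hostname

    def verify(self, identifier, challenge, response, peer_name):
        # Authenticator recomputes the hash with the secret stored for the peer's name
        secret = self.usernames.get(peer_name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def one_way_auth(authenticator, peer, identifier=185):
    """authenticator challenges peer; True corresponds to 'O SUCCESS' in the debug."""
    ident, chal, auth_name = authenticator.challenge(identifier)
    reply = peer.respond(ident, chal, auth_name)
    if reply is None:
        return False
    resp, peer_name = reply
    return authenticator.verify(ident, chal, resp, peer_name)


def mutual_auth(a, b):
    """Both peers challenge each other; both directions must pass."""
    return one_way_auth(a, b) and one_way_auth(b, a)


def edison_lab():
    # R2 authenticates R1; R1 answers with the interface override 'sairam1'
    r2 = Router("R2", {"R1": "sairam1"})
    r1 = Router("R1", {"Router2": "sairam"}, interface_password="sairam1")
    return one_way_auth(r2, r1)


def edison_lab_without_override():
    # Without the override R1 looks up R2's hostname and answers with 'sairam',
    # while R2 verifies with 'sairam1': the hashes differ and authentication fails
    r2 = Router("R2", {"R1": "sairam1"})
    r1 = Router("R1", {"R2": "sairam"})
    return one_way_auth(r2, r1)


def mutual_same_password():
    r1 = Router("R1", {"R2": "sairam"})
    r2 = Router("R2", {"R1": "sairam"})
    return mutual_auth(r1, r2)


def mutual_different_passwords():
    # Sairam's original question: each side holds a different secret for the other
    r1 = Router("R1", {"R2": "sairam"})
    r2 = Router("R2", {"R1": "sairam1"})
    return mutual_auth(r1, r2)


if __name__ == "__main__":
    print("Edison's lab (one way, override):", edison_lab())
    print("Same lab without override:", edison_lab_without_override())
    print("Mutual, same password:", mutual_same_password())
    print("Mutual, different passwords:", mutual_different_passwords())
```

The last two scenarios reproduce the thread's conclusion for mutual authentication: a responder answers with whatever secret its lookup yields, and the challenger recomputes the MD5 with the secret it stores for that peer name, so distinct per-direction secrets with plain username lookups cannot both verify.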