Great Peter, I will schedule some downtime and give that a try.

thanks,

David.

Thanks for your help.  Using the debugs I was able to establish that the authenticator (ie. the ISP's router) sent a PPP CONFREQ asking my peer to use PAP authentication.  I was able to add the following to my int dial:

   ppp authentication pap callin

   ppp pap sent-username foo password foo

Happily, even though I couldn't use the "ppp pap sent-username" to specify a null or empty username or password, the remote authenticator was happy with "foo", and gave me an IP address!

David

Thanks for posting that you have solved the issue and what the solution was. This is very interesting and helpful. And it is especially gratifying that you solved your own problem.

+5 to you for this good information.

HTH

Rick

Hi David,

Very good thinking!

One issue, though: you do not need the ppp authentication pap callin command. That may, under circumstances, require that the IAX (or the ISP) authenticates to you, i.e. a completely opposite direction of authentication. That would undoubtedly fail, as the ISPs usually do not authenticate themselves to their customers.

If possible, please remove the ppp authentication pap callin command from your configuration - contrary to the popular belief, it is not used to authenticate via PAP to the other side but rather to request that the remote side authenticates to us using PAP.

You may be interested in reading this discussion as well:

https://supportforums.cisco.com/message/3424916#3424916

Best regards,

Peter

Hi David, Peter,

This thread is interesting to me and wanted to add my 2 cents. Please correct me if I am wrong.

Peter mentioned "callin" option in ppp authentication pap callin command,this is interesting to me.

It is correct that client does not need ppp authentication pap callin but if you setup for some reason other ppp connections or you have some security concerns you are using it.

In PPP we have unidirectional and bi-directional authentication. The "callin" keyword is added just because you want to make undirectional authentication and actually says you are calling. If it is not added the caller will require request for authentication (AUTH-REQ) from the other side. Of course if ISP or the other router is trying to call you then your router will require authentication this is the default behavior because it says require AUTH-REQ when you treat the connection as callin not when you call out.

Regards,

Alex

Hello Alex,

Thank you very much for joining the discussion!

The "callin" keyword is added just because you want to make undirectional authentication and actually says you are calling.

I believe this is not entirely correct.

The precise effect of the callin keyword is to make the ppp authentication pap/chap command apply only if the remote side initiates the PPP connection to  us and not if we initiate the PPP connection to the other side. It is  thus concerned with the "direction" of the PPP session - whether it is  an incoming, callin connection, or an outgoing, callout connection. In  essence, the callin (or its complementary keyword callout)  make the authentication conditional - to take place only if the call is  initiated in a particular direction. They do not change the direction  of the authentication itself, however - they only change when and if the  authentication will take place. The direction of the authentication  itself will still be the same - the remote per will have to prove its identity to us.

Obviously, on dialed interfaces like analog modems or  ISDN BRI, a router could both make a call (callout) or accept a call  (callin). With fixed serial lines and PPP-over-whatever, the concept of  callout or callin is much more blurred, and here, a so-called "default  PPP direction" is used. On fixed serial interfaces, the PPP direction is  considered as "dedicated" without any notion of a particular direction,  and the callin/callout keywords have no effect: the  remote side will always have to authenticate to us - obviously failing  the authentication if the remote side is not prepared for that.

For PPPoE in particular, the default PPP direction is callout. Hence, on these interfaces, specifying the callin keyword means that the entire ppp authentication pap callin command will be inactive, as the connection is by default treated as callout.

It can be argued that using the callin keyword may add to the security of the device, as it will require  authentication from the remote party if it "somehow" manages to call in.  However, at the same time, because we are not using ordinary dial  technologies anymore, the concept of dialling in/dialling out is very  vague, as I explained earlier, and actually may lead to complications  when establishing the PPP session. Therefore, my recommendation here is  to avoid using this kind of command (ppp authentication pap callin) on interfaces that actually do not need to authenticate the other party - or be aware of all these issues.

The  most important thing that I am fighting, however, is the idea that  "this command allows us to prove our identity to the other party using  PAP", or in other words, "in order to prove our identity to the remote  party using PAP, we have to configure this command". That idea seems to  be widely spread - and totally incorrect. We cannot impose our preferred  authentication method on the other party when authenticating ourselves  to the remote side - we can only agree or disagree to authenticate to  the remote party using a particular protocol.

Best regards,

Peter

Hello Peter,

You have said what I mean but more precisely and detailed. Nice explanation, thank you.

You are right the ppp authentication command does not affect the ability to authenticate your router to the remote side, again I agree with you.

Best regards,

Alex

hi peter,

i second the motion. after that very interesting discussion of the 'callin' keyword. you broke the myth of our PPP setup thanks to you sir! i was able to verify it using one of our site (hoping not to fail, else i need to go onsite) that very weekend.

837#sh run int d0

Building configuration...

Current configuration : 208 bytes

!

interface Dialer0

ip address negotiated

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp pap sent-username password

end

837#reload in 10

Reload scheduled for 00:32:40 SGT Sun Aug 28 2011 (in 10 minutes) by john on vty0 (203.x.x.x)

Proceed with reload? [confirm]

837#

***

*** --- SHUTDOWN in 0:10:00 ---

***

837#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

837(config)#int d0

837(config-if)#no ppp authentication pap callin

837(config-if)#do sh run int d0

Building configuration...

Current configuration : 177 bytes

!

interface Dialer0

ip address negotiated

encapsulation ppp

dialer pool 1

ppp pap sent-username password

end

837(config-if)#end

837#reload cancel

837#

***

*** --- SHUTDOWN ABORTED ---

***

837#reload

Proceed with reload? [confirm]

Connection to 202.x.x.x closed by foreign host.

>telnet 202.x.x.x

Trying 202.x.x.x...

Connected to 202.x.x.x.

Escape character is '^]'.

837>ena

Password:

837#sh run int d0

Building configuration...

Current configuration : 177 bytes

!

interface Dialer0

ip address negotiated

encapsulation ppp

dialer pool 1

ppp pap sent-username password

end

Resources I referred to included:

• Troubleshooting PPP (CHAP or PAP) authentication
• Understanding debug ppp negotiation Output
• the Configuring Unidirectional CHAP section of PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands