
PPP authentication question

Colin Higgins
Level 2

I have a bunch of routers configured for MPLS: they all talk to each other through an AT&T cloud.

PPP authentication with CHAP is enabled, and the routers have usernames and passwords, such as:

username router1 password 7 071C20481A5

We are using BGP and connecting to AT&T's AS (backbone), and I noticed that the interfaces facing that network have a ppp chap hostname configured that is an IP address (probably one of AT&T's). It looks something like this (not real addresses):

interface Multilink1
ip address 62.100.71.2 255.255.255.252
no keepalive
no cdp enable
ppp chap hostname 66.191.17.1
ppp multilink
ppp multilink fragment disable

ppp multilink group 1
service-policy output wanqos

How is this working exactly? I am a little confused about who is authenticating what.


Accepted Solutions

letsgomets
Level 1

Hope this is helpful

When a remote Cisco router connects to either a Cisco or a non-Cisco central router of a different administrative control, an Internet Service Provider (ISP), or a rotary of central routers, it is necessary to configure an authentication username that is different from the hostname. In this situation, the hostname of the router is not provided or is different at different times (rotary). Also, the username and password that is allocated by the ISP may not be the remote router's hostname. In such a situation, the ppp chap hostname command is used to specify an alternate username that will be used for authentication.

For example, consider a situation where multiple remote devices are dialing into a central site. Using normal CHAP authentication, the username (which would be the hostname) of each remote device and a shared secret must be configured on the central router. In this scenario, the configuration of the central router can get lengthy and cumbersome to manage; however, if the remote devices use a username that is different from their hostname, this can be avoided. The central site can be configured with a single username and shared secret that can be used to authenticate multiple dial-in clients.
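
The exchange described in the answer above, as an added example that is not part of the original post or any Cisco code: a simplified CHAP-MD5 handshake (RFC 1994) in Python, where the `chap_hostname` argument models `ppp chap hostname`. The class names, the names `central`, `router1`, `router2` and `shared-user`, and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Central side: holds 'username <name> password <secret>' style entries."""
    def __init__(self, name, user_db):
        self.name = name
        self.user_db = user_db      # CHAP name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, ident):
        value = os.urandom(16)      # fresh random challenge per attempt
        self.pending[ident] = value
        return ident, value, self.name

    def verify(self, ident, value, peer_name):
        challenge = self.pending.pop(ident, None)   # each challenge is usable once
        secret = self.user_db.get(peer_name)        # looked up by the name in the Response
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_response(ident, secret, challenge))

class Peer:
    """Remote side. chap_hostname models 'ppp chap hostname': it replaces
    the router hostname as the name sent in the CHAP Response."""
    def __init__(self, hostname, secrets, chap_hostname=None):
        self.chap_name = chap_hostname or hostname
        self.secrets = secrets      # authenticator name -> shared secret

    def respond(self, ident, challenge, auth_name):
        secret = self.secrets[auth_name]   # selected by the name in the Challenge
        return ident, chap_response(ident, secret, challenge), self.chap_name

def authenticate(auth, peer, ident=1):
    """Run one Challenge/Response round and return the authenticator's verdict."""
    return auth.verify(*peer.respond(*auth.challenge(ident)))

if __name__ == "__main__":
    secret = b"constructed-secret"                       # constructed sample value
    central = Authenticator("central", {"shared-user": secret})
    for host in ("router1", "router2"):
        named = Peer(host, {"central": secret}, chap_hostname="shared-user")
        plain = Peer(host, {"central": secret})          # sends its own hostname
        print(host, authenticate(central, named), authenticate(central, plain))
```

The secret never crosses the link, only the MD5 value and the names do, so a single shared name and secret on the central side means the central router cannot tell the remote devices apart by CHAP alone.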


Thanks for your help.

So it looks like in this instance, the hostname on the interface has been given to us by AT&T.

The username and password are used for authentication against our routers at the other end.
