
I need help with pap authentication

Hi,

I'm trying to connect 2 routers back to back via the AUX port and a null-modem cable. I get a connection without PPP authentication. But when I enable PAP or CHAP it seems that the passwords and usernames are not sent. I verified this with debug ppp authentication and ppp negotiation.

Here is my config:

------------------

hostname router-2501

aaa new-model

aaa authentication login default local-case

aaa authentication ppp default local

aaa authorization exec default local

enable secret 5 <removed>

username admin privilege 14 password 7 <removed>

username guest nopassword

username router-2503 password 7 <removed>

username home password 7 <removed>

interface Async1

bandwidth 38

ip address 172.16.1.2 255.255.255.0

encapsulation ppp

async mode dedicated

ppp authentication pap

line aux 0

modem InOut

transport input all

stopbits 1

speed 38400

flowcontrol hardware

###########################################################

hostname router-2503

aaa new-model

aaa authentication login default local-case

aaa authentication ppp default local

aaa authorization exec default local

enable secret 5 <removed>

username admin privilege 14 password 7 <removed>

username router-2501 password 7 <removed>

username home password 7 <removed>

interface Async1

bandwidth 38

ip address 172.16.1.1 255.255.255.0

encapsulation ppp

async mode dedicated

ppp authentication pap

line aux 0

modem InOut

transport input all

stopbits 1

speed 38400

flowcontrol hardware

Here is the debug from pap:

00:11:18: %LINK-3-UPDOWN: Interface Async1, changed state to up

00:11:18: As1 PPP: Using modem call direction

00:11:18: As1 PPP: Treating connection as a callin

00:11:18: As1 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load]

00:11:18: As1 LCP: State is Listen

router-2501#

00:11:20: As1 LCP: TIMEout: State Listen

00:11:20: As1 LCP: O CONFREQ [Listen] id 12 len 24

00:11:20: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:11:20: As1 LCP: AuthProto PAP (0x0304C023)

00:11:20: As1 LCP: MagicNumber 0x00169FE3 (0x050600169FE3)

00:11:20: As1 LCP: PFC (0x0702)

00:11:20: As1 LCP: ACFC (0x0802)

00:11:20: As1 LCP: I CONFREQ [REQsent] id 19 len 24

00:11:20: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:11:20: As1 LCP: AuthProto PAP (0x0304C023)

00:11:20: As1 LCP: MagicNumber 0x00175D48 (0x050600175D48)

00:11:20: As1 LCP: PFC (0x0702)

00:11:20: As1 LCP: ACFC (0x0802)

00:11:20: As1 LCP: O CONFACK [REQsent] id 19 len 24

00:11:20: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:11:20: As1 LCP: AuthProto PAP (0x0304C023)

00:11:20: As1 LCP: MagicNumber 0x00175D48 (0x050600175D48)

00:11:20: As1 LCP: PFC (0x0702)

00:11:20: As1 LCP: ACFC (0x0802)

00:11:20: As1 LCP: I CONFACK [ACKsent] id 12 len 24

00:11:20: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:11:20: As1 LCP: AuthProto PAP (0x0304C023)

00:11:20: As1 LCP: MagicNumber 0x00169FE3 (0x050600169FE3)

00:11:20: As1 LCP: PFC (0x0702)

00:11:20: As1 LCP: ACFC (0x0802)

00:11:20: As1 LCP: State is Open

00:11:20: As1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]

router-2501#

It remains in this state for a few minutes and then it tries to reconnect again. Can anyone help?

Best Regards

Marcos


spremkumar
Level 9

Hi

The config which you have posted makes both the routers receive the calls and receive the authentication credentials using PAP.

I would suggest to key in ppp authentication pap callin and ppp pap sent-username router-2501 password xxxxx on the 2501 router.

If you need more info, do go through this link:

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a0080093c6f.shtml

regds

Hello Marcos,

try the following:

On your router-2501:

interface Async1

bandwidth 38

ip address 172.16.1.2 255.255.255.0

encapsulation ppp

async mode dedicated

ppp authentication pap

-->ppp pap sent-username router-2501 password XXXX

And on your router-2503:

interface Async1

bandwidth 38

ip address 172.16.1.1 255.255.255.0

encapsulation ppp

async mode dedicated

ppp authentication pap

--> ppp pap sent-username router-2503 password XXXX

HTH,

GP

Hi,

I tried the ppp pap sent-username router... and got the same result.

I also tried to use chap and got the following result:

00:14:49: %LINK-3-UPDOWN: Interface Async1, changed state to up

router-2503#

00:14:49: As1 PPP: Using modem call direction

00:14:49: As1 PPP: Treating connection as a callin

00:14:49: As1 PPP: Phase is ESTABLISHING, Passive Open [0 sess, 0 load]

00:14:49: As1 LCP: State is Listen

router-2503#

00:14:51: As1 LCP: I CONFREQ [Listen] id 10 len 25

00:14:51: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:14:51: As1 LCP: AuthProto CHAP (0x0305C22305)

00:14:51: As1 LCP: MagicNumber 0x00194ED5 (0x050600194ED5)

00:14:51: As1 LCP: PFC (0x0702)

00:14:51: As1 LCP: ACFC (0x0802)

00:14:51: As1 LCP: O CONFREQ [Listen] id 23 len 25

00:14:51: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:14:51: As1 LCP: AuthProto CHAP (0x0305C22305)

00:14:51: As1 LCP: MagicNumber 0x001A2BCB (0x0506001A2BCB)

00:14:51: As1 LCP: PFC (0x0702)

00:14:51: As1 LCP: ACFC (0x0802)

00:14:51: As1 LCP: O CONFACK [Listen] id 10 len 25

00:14:51: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:14:51: As1 LCP: AuthProto CHAP (0x0305C22305)

00:14:51: As1 LCP: MagicNumber 0x00194ED5 (0x050600194ED5)

00:14:51: As1 LCP: PFC (0x0702)

00:14:51: As1 LCP: ACFC (0x0802)

00:14:51: As1 LCP: I CONFACK [ACKsent] id 23 len 25

00:14:51: As1 LCP: ACCM 0x000A0000 (0x0206000A0000)

00:14:51: As1 LCP: AuthProto CHAP (0x0305C22305)

00:14:51: As1 LCP: MagicNumber 0x001A2BCB (0x0506001A2BCB)

00:14:51: As1 LCP: PFC (0x0702)

00:14:51: As1 LCP: ACFC (0x0802)

00:14:51: As1 LCP: State is Open

00:14:51: As1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]

router-2503#

00:14:51: As1 CHAP: O CHALLENGE id 1 len 32 from "router-2503"

00:14:51: As1 CHAP: I CHALLENGE id 1 len 32 from "router-2501"

00:14:51: As1 CHAP: Waiting for peer to authenticate first

router-2503#

00:15:01: As1 CHAP: O CHALLENGE id 2 len 32 from "router-2503"

00:15:01: As1 CHAP: I CHALLENGE id 2 len 32 from "router-2501"

00:15:01: As1 CHAP: Waiting for peer to authenticate first

router-2503#no debug all

00:15:11: As1 CHAP: O CHALLENGE id 3 len 32 from "router-2503"

00:15:11: As1 CHAP: I CHALLENGE id 3 len 32 from "router-2501"

00:15:11: As1 CHAP: Waiting for peer to authenticate first

router-2503#no debug all

All possible debugging has been turned off

router-2503#

I can see the "As1 CHAP: Waiting for peer to authenticate first" message on both routers...

It seems that both sides treat the back-to-back connection as call in and waiting for the other side to authenticate. It is shown in the debug output:

00:14:49: As1 PPP: Using modem call direction

00:14:49: As1 PPP: Treating connection as a callin

I can see these debug messages on both routers; they look identical. So my question is, can I force one router to handle the connection as dial-out?
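The stall described in the post above, as an added example that is not part of the original thread: a Python script that decodes the AuthProto option bytes printed in the debug lines and flags a router that treats the link as callin and reaches AUTHENTICATING without any credentials being exchanged. The sample log is constructed from lines quoted in the thread; the RESPONSE/SUCCESS and AUTH-REQ/AUTH-ACK message names are assumed IOS debug wording that does not appear on this page.

```python
import re

# Constructed sample in the format of the debug output quoted in this thread.
SAMPLE = """\
00:14:49: As1 PPP: Treating connection as a callin
00:14:51: As1 LCP:    AuthProto CHAP (0x0305C22305)
00:14:51: As1 PPP: Phase is AUTHENTICATING, by both [0 sess, 0 load]
00:14:51: As1 CHAP: O CHALLENGE id 1 len 32 from "router-2503"
00:14:51: As1 CHAP: I CHALLENGE id 1 len 32 from "router-2501"
00:14:51: As1 CHAP: Waiting for peer to authenticate first
00:15:01: As1 CHAP: Waiting for peer to authenticate first
"""

AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}  # PPP protocol numbers
CHAP_ALGORITHMS = {0x05: "MD5"}                    # RFC 1994 algorithm field

def decode_auth_option(hex_tlv):
    """Decode an LCP Authentication-Protocol option (type 3) from its hex dump."""
    raw = bytes.fromhex(hex_tlv.lower().replace("0x", "", 1))
    if len(raw) < 4 or raw[0] != 3 or raw[1] != len(raw):
        raise ValueError(f"not an Authentication-Protocol option: {hex_tlv}")
    name = AUTH_PROTOCOLS.get(int.from_bytes(raw[2:4], "big"), "unknown")
    if name == "CHAP" and len(raw) == 5:
        name += "-" + CHAP_ALGORITHMS.get(raw[4], f"alg{raw[4]}")
    return name

def analyze(log):
    """Summarise one router's debug output and flag a stalled authentication."""
    r = {"direction": None, "auth": set(), "authenticating": False,
         "credentials_seen": False, "waiting": 0}
    for line in log.splitlines():
        if m := re.search(r"Treating connection as a (\w+)", line):
            r["direction"] = m.group(1)
        if m := re.search(r"AuthProto \w+ \((0x[0-9A-Fa-f]+)\)", line):
            r["auth"].add(decode_auth_option(m.group(1)))
        if "Phase is AUTHENTICATING" in line:
            r["authenticating"] = True
        # Assumed IOS wording for a peer actually presenting or accepting credentials.
        if re.search(r"(CHAP: [IO] (RESPONSE|SUCCESS)|PAP: [IO] AUTH-(REQ|ACK))", line):
            r["credentials_seen"] = True
        if "Waiting for peer to authenticate first" in line:
            r["waiting"] += 1
    # Callin side that reached AUTHENTICATING but never saw credentials move.
    r["stalled"] = (r["direction"] == "callin" and r["authenticating"]
                    and not r["credentials_seen"])
    return r

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running it against the debug output of each router separately shows whether both ends report `stalled`, which is the symmetric callin condition seen in this thread.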

Hello,

there is a hidden command that you could use:

ppp direction callout (on the local router)

ppp direction callin (on the remote router)

Apparently, in a back-to-back scenario like yours, the routers do not know exactly who called who...

HTH,

GP

Hi GP,

thank you, now it works ;-)

I can use CHAP as authentication and PAP. But when I want to use PAP, I must use the ppp pap sent-username ... command. Do you have any idea why PAP doesn't work with the local account database?

When I use chap, it works.

Regards

Marcos

Hello Marcos,

there is a slight difference in the way CHAP and PAP operate: unlike CHAP, PAP does not automatically send the router's hostname for authentication. The username and password value must be manually configured with the 'ppp pap sent-username' command under the interface.

HTH,

GP