This lab demonstrates the mechanisms of unidirectional (one-way) PPP CHAP authentication. The initial lab setup is as follows:
i) Both routers have no username and PPP authentication configurations.
ii) Both routers can ping each other.
iii) Both routers have enabled PPP authentication debugging with debug ppp authentication.
The username - password statement is required on both devices for both unidirectional and bidirectional CHAP authentication. In unidirectional CHAP authentication (a local device authenticating a remote device), it is first used by the remote device (RT1) to respond to the challenge generated by the local device (RT2), and then used by the local device (RT2) to verify the response from the remote device (RT1).
Below enables PPP CHAP authentication on RT2. The debugging messages show that RT2 challenges RT1 but RT1 is unable to respond to RT2's challenge.
RT2(config)#int s0/0
RT2(config-if)#ppp authentication chap
RT2(config-if)#
00:15:52: Se0/0 CHAP: O CHALLENGE id 1 len 24 from "RT2"
00:15:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:15:54: Se0/0 CHAP: O CHALLENGE id 2 len 24 from "RT2"
00:15:56: Se0/0 CHAP: O CHALLENGE id 3 len 24 from "RT2"
----------------------------------------------------------------------
RT1#
00:15:52: Se0/0 CHAP: I CHALLENGE id 1 len 24 from "RT2"
00:15:52: Se0/0 CHAP: Username RT2 not found
00:15:52: Se0/0 CHAP: Unable to authenticate for peer
00:15:52: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:15:54: Se0/0 PPP: Using default call direction
00:15:54: Se0/0 PPP: Treating connection as a dedicated line
00:15:54: Se0/0 CHAP: I CHALLENGE id 2 len 24 from "RT2"
00:15:54: Se0/0 CHAP: Username RT1 not found
00:15:54: Se0/0 CHAP: Unable to authenticate for peer
00:15:56: Se0/0 CHAP: I CHALLENGE id 3 len 24 from "RT2"
00:15:56: Se0/0 CHAP: Username RT1 not found
00:15:56: Se0/0 CHAP: Unable to authenticate for peer
Below configures the username and password on RT1. The debugging messages show that RT1 is now able to respond to RT2's challenge, but RT2 is unable to validate RT1's response.
RT1(config)#username RT2 password cisco123
RT1(config)#
00:18:24: Se0/0 CHAP: I CHALLENGE id 67 len 24 from "RT2"
00:18:24: Se0/0 CHAP: O RESPONSE id 67 len 24 from "RT1"
00:18:24: Se0/0 CHAP: I FAILURE id 67 len 26 msg is "Authentication failure"
00:18:26: Se0/0 CHAP: I CHALLENGE id 68 len 24 from "RT2"
00:18:26: Se0/0 CHAP: O RESPONSE id 68 len 24 from "RT1"
00:18:26: Se0/0 CHAP: I FAILURE id 68 len 26 msg is "Authentication failure"
----------------------------------------------------------------------
RT2#
00:18:24: Se0/0 CHAP: O CHALLENGE id 67 len 24 from "RT2"
00:18:24: Se0/0 CHAP: I RESPONSE id 67 len 24 from "RT1"
00:18:24: Se0/0 CHAP: Unable to validate Response. Username RT1 not found
00:18:24: Se0/0 CHAP: O FAILURE id 67 len 26 msg is "Authentication failure"
00:18:26: Se0/0 CHAP: O CHALLENGE id 68 len 24 from "RT2"
00:18:26: Se0/0 CHAP: I RESPONSE id 68 len 24 from "RT1"
00:18:26: Se0/0 CHAP: Unable to validate Response. Username RT1 not found
00:18:26: Se0/0 CHAP: O FAILURE id 68 len 26 msg is "Authentication failure"
Note: The alternative configuration on RT1 is the ppp chap hostname RT1 and ppp chap password cisco123 interface subcommands.
Below configures the username and password on RT2 so that RT2 can validate RT1's response.
Finally, the unidirectional (one-way) PPP CHAP authentication is successful.
RT2(config)#username RT1 password cisco123
RT2(config)#
00:20:54: Se0/0 CHAP: O CHALLENGE id 127 len 24 from "RT2"
00:20:54: Se0/0 CHAP: I RESPONSE id 127 len 24 from "RT1"
00:20:54: Se0/0 CHAP: O SUCCESS id 127 len 4
00:20:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
----------------------------------------------------------------------
RT1#
00:20:48: Se0/0 CHAP: I CHALLENGE id 127 len 24 from "RT2"
00:20:48: Se0/0 CHAP: O RESPONSE id 127 len 24 from "RT1"
00:20:48: Se0/0 CHAP: I SUCCESS id 127 len 4
00:20:49: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
00:20:50: Se0/0 PPP: Using default call direction
00:20:50: Se0/0 PPP: Treating connection as a dedicated line
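The three lab stages above can be replayed in code. The following is an added example (not part of the original lab, nor Cisco's implementation) that models RFC 1994 CHAP with MD5: the challenger's hostname selects the shared secret on the responding side, the name carried in the RESPONSE selects it on the verifying side, and a missing username entry on either side produces exactly the failures seen in the debug output. The challenge bytes, the dictionary-based username tables and the fourth (mismatched-password) case are constructed for illustration and go beyond what the lab shows.

```python
import hashlib
import hmac

# RFC 1994 CHAP with MD5 (Algorithm 5): Response = MD5(Identifier || secret || Challenge).
def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

def chap_packet_len(name: str) -> int:
    # Code(1) + Identifier(1) + Length(2) + Value-Size(1) + MD5 value(16) + Name
    return 4 + 1 + 16 + len(name.encode())

def respond(usernames: dict, identifier: int, challenger: str, challenge: bytes, own_name: str):
    """Remote side (RT1): the challenger's hostname selects the secret; the reply carries our own hostname."""
    secret = usernames.get(challenger)
    if secret is None:
        return None                      # "Username RT2 not found" / "Unable to authenticate for peer"
    return own_name, chap_response(identifier, secret, challenge)

def verify(usernames: dict, identifier: int, challenge: bytes, responder: str, response: bytes) -> str:
    """Local side (RT2): the name in the RESPONSE selects the secret used to recompute and compare."""
    secret = usernames.get(responder)
    if secret is None:
        return f"FAILURE: Username {responder} not found"
    expected = chap_response(identifier, secret, challenge)
    # Constant-time comparison; a plain == would leak timing information about the digest.
    return "SUCCESS" if hmac.compare_digest(expected, response) else "FAILURE: Response mismatch"

def one_way_chap(rt1_usernames: dict, rt2_usernames: dict, identifier: int = 127) -> str:
    """RT2 challenges, RT1 responds, RT2 verifies. Returns the outcome as the routers would log it."""
    challenge = bytes(range(16))         # constructed value; a real router uses a random 16-byte challenge
    reply = respond(rt1_usernames, identifier, "RT2", challenge, "RT1")
    if reply is None:
        return "RT1: Username RT2 not found"
    name, response = reply
    return verify(rt2_usernames, identifier, challenge, name, response)

# Replay the three lab stages, plus one case the lab does not show (passwords that do not match).
if __name__ == "__main__":
    print(one_way_chap({}, {}))                                    # RT1: Username RT2 not found
    print(one_way_chap({"RT2": "cisco123"}, {}))                   # FAILURE: Username RT1 not found
    print(one_way_chap({"RT2": "cisco123"}, {"RT1": "cisco123"}))  # SUCCESS
    print(one_way_chap({"RT2": "cisco123"}, {"RT1": "wrong"}))     # FAILURE: Response mismatch
    print(chap_packet_len("RT1"))                                  # 24, the "len 24" seen in the debug output
```

The last line shows where the "len 24" in the CHALLENGE and RESPONSE debug lines comes from: a 4-byte header, a 1-byte Value-Size, the 16-byte MD5 value and the 3-byte hostname.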
LCP packets are sent during the PPP link establishment phase. These packets contain several Configuration Option fields that allow PPP devices to negotiate how they want the link to be established – the maximum datagram size the link can carry, authentication, quality monitoring, and compression. If no Configuration Option field is present, the default configurations are used.