6182 Views, 19 Replies. Latest reply: May 14, 2012 6:00 AM by El Tigre


PAP or CHAP

Jul 13, 2010 1:15 AM

Vadood 41 posts since
Jan 11, 2010

Hi,

 

 

There is an established PPP serial link between two routers. The running-config says the authentication is CHAP PAP. How can I figure out which of these protocols is currently in use?

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    1. Jul 13, 2010 3:23 AM (in response to Vadood)
    Re: PAP or CHAP

    If the link is up, and already authenticated, and all the configuration was present for CHAP on both sides, it would have used CHAP.  I am not aware of a way to determine what they actually used to authenticate, unless you had a log running, and the debug on, which could show what had happened.

     

    If debugs were turned on, and you did a shut, no shut on the link (which would disrupt service for a time), that would be another way of checking.

     

    Best wishes,

     

    Keith

  • Conwyn 7,907 posts since
    Sep 10, 2008
    Re: PAP or CHAP

    Hi Keith

     

    R2#show run int s1/0
    Building configuration...

    Current configuration : 136 bytes
    !
    interface Serial1/0
    ip address 10.0.0.2 255.255.255.252
    encapsulation ppp
    serial restart-delay 0
    ppp authentication pap chap
    end

     

     

    R2#ping 10.0.0.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/112 ms
    R2#show  caller user R1

      User: R1, line Se1/0, service PPP
            Connected for 00:00:28, Idle for 00:00:07
      Timeouts:    Limit     Remaining Timer Type
                   -         -         -        
      PPP: LCP Open, CHAP (<-->), IPCP, CDPCP                                <=========
      IP: Local 10.0.0.2/30, remote 10.0.0.1
      Counts: 3752 packets input, 64330 bytes, 0 no buffer
              0 input errors, 0 CRC, 0 frame, 0 overrun
              3754 packets output, 64498 bytes, 0 underruns
              0 output errors, 0 collisions, 185 interface res

     

     

    Regards Conwyn

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    3. Jul 13, 2010 4:15 AM (in response to Conwyn)
    Re: PAP or CHAP

    R2#show  caller user R1

     

    I learned something new today.

     

    Conwyn - you rock.   Thanks!

     

    Keith

  • Conwyn 7,907 posts since
    Sep 10, 2008
    Re: PAP or CHAP

    Hi Keith

     

    and PAP

     

    R2#show caller
                                                               Active      Idle
      Line           User               Service       Time         Time
      con 0          -                     TTY           00:42:27  00:00:00 
      Se1/0          R1                 PPP           00:02:20  00:00:04               <========

     

     

    R2#show caller user R1

      User: R1, line Se1/0, service PPP
            Connected for 00:00:19, Idle for 00:00:00
      Timeouts:    Limit     Remaining Timer Type
                   -         -         -        
      PPP: LCP Open, PAP (<-->), IPCP, CDPCP                                    <==========
      IP: Local 10.0.0.2/30, remote 10.0.0.1
      Counts: 5294 packets input, 92680 bytes, 0 no buffer
              0 input errors, 0 CRC, 0 frame, 0 overrun
              5303 packets output, 92671 bytes, 0 underruns
              0 output errors, 0 collisions, 224 interface resets

     

    Regards Conwyn
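The `show caller user` output posted above records the negotiated method on its `PPP:` line, so it can be checked without bouncing the link. The following is an added example, not part of the original posts: a parser that pulls the method out of saved output and lists the lines still using PAP, which sends the password in clear text. The second session (R3 on Se1/1) and the function names are constructed for illustration.

```python
import re

# Constructed sample: two captures modelled on the 'show caller user' output
# posted in this thread (same field layout, counters trimmed).
SAMPLE = """\
R2#show caller user R1

  User: R1, line Se1/0, service PPP
        Connected for 00:00:28, Idle for 00:00:07
  PPP: LCP Open, CHAP (<-->), IPCP, CDPCP
  IP: Local 10.0.0.2/30, remote 10.0.0.1

R2#show caller user R3

  User: R3, line Se1/1, service PPP
        Connected for 00:00:19, Idle for 00:00:00
  PPP: LCP Open, PAP (<-->), IPCP, CDPCP
  IP: Local 10.0.1.2/30, remote 10.0.1.1
"""

USER_RE = re.compile(r"^\s*User:\s*(\S+),\s*line\s+(\S+),\s*service\s+(\S+)", re.M)
# Auth token as it appears in the thread's output: "CHAP (<-->)" or "PAP (<-->)".
AUTH_RE = re.compile(r"\b(CHAP|PAP)\b\s*\(([^)]*)\)")


def parse_show_caller(text):
    """Return one dict per 'User:' block with the negotiated PPP auth method."""
    sessions = []
    starts = [m.start() for m in USER_RE.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        user, line, service = USER_RE.match(block).groups()
        ppp = next((l for l in block.splitlines() if l.strip().startswith("PPP:")), "")
        auth = AUTH_RE.search(ppp)  # None when the PPP line carries no auth token
        sessions.append({
            "user": user, "line": line, "service": service,
            "lcp_open": "LCP Open" in ppp,
            "auth": auth.group(1) if auth else None,
            "direction": auth.group(2) if auth else None,
        })
    return sessions


def cleartext_or_unauthenticated(sessions):
    """Lines to review: PPP sessions that used PAP or show no auth method."""
    return [s["line"] for s in sessions
            if s["service"] == "PPP" and s["auth"] in (None, "PAP")]
```
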

  • Brandon Carroll - CCIE (Security) 231 posts since
    Jun 26, 2008
    5. Jul 13, 2010 9:06 AM (in response to Vadood)
    Re: PAP or CHAP

    Debug ppp authentication should show you the negotiation if you bounce the link.  If this is production then you probably don't want to do that.

     

     

    BC

  • Conwyn 7,907 posts since
    Sep 10, 2008
    Re: PAP or CHAP

    Hi Brandon

     

    You may have missed my posts. Please see below

     

    Regards Conwyn

     

    R2#show caller
                                                               Active      Idle
      Line           User               Service       Time         Time
      con 0          -                     TTY           00:42:27  00:00:00 
      Se1/0          R1                 PPP           00:02:20  00:00:04               <========

     

     

    R2#show caller user R1

      User: R1, line Se1/0, service PPP
            Connected for 00:00:19, Idle for 00:00:00
      Timeouts:    Limit     Remaining Timer Type
                   -         -         -        
      PPP: LCP Open, PAP (<-->), IPCP, CDPCP                                    <==========
      IP: Local 10.0.0.2/30, remote 10.0.0.1
      Counts: 5294 packets input, 92680 bytes, 0 no buffer
              0 input errors, 0 CRC, 0 frame, 0 overrun
              5303 packets output, 92671 bytes, 0 underruns
              0 output errors, 0 collisions, 224 interface resets

     

    Regards Conwyn

  • Brandon Carroll - CCIE (Security) 231 posts since
    Jun 26, 2008
    7. Jul 13, 2010 10:29 AM (in response to Conwyn)
    Re: PAP or CHAP

    No, I saw it.  I was just saying: to see it negotiate live you could use the debug, but in production I recommend against it.

     

    Regards,

    Brandon

  • Scott Morris - CCDE/4xCCIE/2xJNCIE 8,396 posts since
    Oct 7, 2008
    Re: PAP or CHAP

    Resetting live links to run a debug isn't always the best idea! 

     

    The nice part about "show caller" is that you get the results seen even after the process takes place.

     

    If there are problems though, I'd definitely agree that the debug is the best way to see what IS (or is not) happening.

     

    Scott

  • zahid3963 4 posts since
    May 19, 2009
    10. Jul 15, 2010 1:02 AM (in response to Vadood)
    Re: PAP or CHAP

    Usually it is shown when the serial interface is configured as "ppp authentication CHAP PAP". And also, if both are configured on both side routers, then CHAP is preferred to authenticate. If you want only one, then configure the interface as "ppp authentication PAP" or CHAP, whichever one you want. But then you have to configure the same on the other end of the router as well.

  • Conwyn 7,907 posts since
    Sep 10, 2008
    11. Jul 15, 2010 1:16 AM (in response to zahid3963)
    Re: PAP or CHAP

    Hi Zahid

     

    The question was:-

     

    How can I figure out which of these protocols is currently in use?

     

    Regards Conwyn

  • Isaac 114 posts since
    Dec 20, 2010
    12. May 6, 2012 2:29 PM (in response to Conwyn)
    Re: PAP or CHAP

    Hello to you all

     

    I am sorry to reply to such an old thread but I am still not able to see the results of this command:

     

    If you have configured "ppp authentication pap chap" would pap be the authentication used first and if it fails would chap be the authentication to use afterwards?

     

    What is the main purpose of using both kinds of auth on the same interface?

     

    Hope you have two secs to answer this

     

    Best

     

    Isaac

  • Isaac 114 posts since
    Dec 20, 2010
    13. May 13, 2012 8:15 AM (in response to Isaac)
    Re: PAP or CHAP

    Any inputs on this one?

     

    What exactly does the command ppp auth chap pap do?

     

    (Will be more than happy with just one link to cisco.com)

  • Paul Stewart  -  CCIE Security, CCSI 6,972 posts since
    Jul 18, 2008
    14. May 13, 2012 8:41 AM (in response to Isaac)
    Re: PAP or CHAP

    If you control both ends, you wouldn't normally do this. If you wanted either method to work, you could do this. In the unique case that both ends are configured this way, I think pap is used because it is listed first. If you had one end set to "pap chap" and the other end set to "chap pap", I think it would depend on which end initiates that phase of the connection. Now bear in mind, I haven't specifically labbed that up to confirm my suspicions, but I think that is how it is *supposed* to work.
