19 Replies. Latest reply: May 14, 2012 6:00 AM by Tigger

    PAP or CHAP

    Vadood

      Hi,

       

       

      There is an established PPP serial link between two routers. The running-config says the authentication is CHAP PAP. How can I figure out which of these protocols is currently in use?

        • 1. Re: PAP or CHAP
          Keith Barker - CCIE RS/Security, CISSP

          If the link is up, and already authenticated, and all the configuration was present for CHAP on both sides, it would have used CHAP.  I am not aware of a way to determine what they actually used to authenticate, unless you had a log running, and the debug on, which could show what had happened.

           

          If debugs were turned on, and you did a shut, no shut on the link (which would disrupt service for a time), that would be another way of checking.

           

          Best wishes,

           

          Keith

          • 2. Re: PAP or CHAP
            Conwyn

            Hi Keith

             

            R2#show run int s1/0
            Building configuration...

            Current configuration : 136 bytes
            !
            interface Serial1/0
            ip address 10.0.0.2 255.255.255.252
            encapsulation ppp
            serial restart-delay 0
            ppp authentication pap chap
            end

             

             

            R2#ping 10.0.0.1

            Type escape sequence to abort.
            Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
            !!!!!
            Success rate is 100 percent (5/5), round-trip min/avg/max = 56/80/112 ms
            R2#show  caller user R1

              User: R1, line Se1/0, service PPP
                    Connected for 00:00:28, Idle for 00:00:07
              Timeouts:    Limit     Remaining Timer Type
                           -         -         -        
              PPP: LCP Open, CHAP (<-->), IPCP, CDPCP                                <=========
              IP: Local 10.0.0.2/30, remote 10.0.0.1
              Counts: 3752 packets input, 64330 bytes, 0 no buffer
                      0 input errors, 0 CRC, 0 frame, 0 overrun
                      3754 packets output, 64498 bytes, 0 underruns
                      0 output errors, 0 collisions, 185 interface res

             

             

            Regards Conwyn

            • 3. Re: PAP or CHAP
              Keith Barker - CCIE RS/Security, CISSP

              R2#show  caller user R1

               

              I learned something new today.

               

              Conwyn - you rock.   Thanks!

               

              Keith

              • 4. Re: PAP or CHAP
                Conwyn

                Hi Keith

                 

                and PAP

                 

                R2#show caller
                                                                           Active      Idle
                  Line           User               Service       Time         Time
                  con 0          -                     TTY           00:42:27  00:00:00 
                  Se1/0          R1                 PPP           00:02:20  00:00:04               <========

                 

                 

                R2#show caller user R1

                  User: R1, line Se1/0, service PPP
                        Connected for 00:00:19, Idle for 00:00:00
                  Timeouts:    Limit     Remaining Timer Type
                               -         -         -        
                  PPP: LCP Open, PAP (<-->), IPCP, CDPCP                                    <==========
                  IP: Local 10.0.0.2/30, remote 10.0.0.1
                  Counts: 5294 packets input, 92680 bytes, 0 no buffer
                          0 input errors, 0 CRC, 0 frame, 0 overrun
                          5303 packets output, 92671 bytes, 0 underruns
                          0 output errors, 0 collisions, 224 interface resets

                 

                Regards Conwyn
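
Added example (not written by any poster in this thread): a small Python parser for saved `show caller user` text that reports the negotiated method per session and lists sessions that came up with PAP, which sends the password unencrypted over the link. The sample text is constructed from the output shown above; the function names are hypothetical, and only PAP and CHAP are recognised.

```python
import re

# Constructed sample text, modelled on the `show caller user` output posted above.
SAMPLE_CHAP = """\
  User: R1, line Se1/0, service PPP
        Connected for 00:00:28, Idle for 00:00:07
  PPP: LCP Open, CHAP (<-->), IPCP, CDPCP          <=========
  IP: Local 10.0.0.2/30, remote 10.0.0.1
"""
SAMPLE_PAP = SAMPLE_CHAP.replace("CHAP (<-->)", "PAP (<-->)")

USER_RE = re.compile(r"^\s*User:\s*(?P<user>[^,]+),\s*line\s+(?P<line>[^,\s]+)")
PPP_RE = re.compile(r"^\s*PPP:\s*(?P<items>.+)$")
# Only the two protocols seen in this thread are recognised.
AUTH_RE = re.compile(r"^(?P<proto>PAP|CHAP)\b\s*(?:\((?P<marker>[^)]*)\))?")


def negotiated_auth(output):
    """Return one dict per session block found in `show caller user` text."""
    sessions, current = [], None
    for raw in output.splitlines():
        line = re.sub(r"\s*<=+\s*$", "", raw)  # drop a trailing "<====" highlight
        m = USER_RE.match(line)
        if m:
            current = {"user": m["user"].strip(), "line": m["line"],
                       "lcp_open": False, "auth": None, "marker": None}
            sessions.append(current)
            continue
        m = PPP_RE.match(line)
        if m and current is not None:
            for item in (i.strip() for i in m["items"].split(",")):
                if item == "LCP Open":
                    current["lcp_open"] = True
                a = AUTH_RE.match(item)
                if a:
                    current["auth"], current["marker"] = a["proto"], a["marker"]
    return sessions


def pap_sessions(output):
    """Sessions whose LCP is open and whose negotiated method is PAP."""
    return [s for s in negotiated_auth(output)
            if s["lcp_open"] and s["auth"] == "PAP"]


if __name__ == "__main__":
    for s in negotiated_auth(SAMPLE_CHAP + SAMPLE_PAP):
        flag = "  <-- password sent in cleartext" if s["auth"] == "PAP" else ""
        print(f'{s["line"]} {s["user"]}: {s["auth"]} {s["marker"]}{flag}')
```
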

                • 5. Re: PAP or CHAP
                  Brandon Carroll - CCIE (Security)

                  Debug ppp authentication should show you the negotiation if you bounce the link.  If this is production then you probably don't want to do that.

                   

                   

                  BC

                  • 6. Re: PAP or CHAP
                    Conwyn

                    Hi Brandon

                     

                    You may have missed my posts. Please see below

                     

                    Regards Conwyn

                     

                    R2#show caller
                                                                               Active      Idle
                      Line           User               Service       Time         Time
                      con 0          -                     TTY           00:42:27  00:00:00 
                      Se1/0          R1                 PPP           00:02:20  00:00:04               <========

                     

                     

                    R2#show caller user R1

                      User: R1, line Se1/0, service PPP
                            Connected for 00:00:19, Idle for 00:00:00
                      Timeouts:    Limit     Remaining Timer Type
                                   -         -         -        
                      PPP: LCP Open, PAP (<-->), IPCP, CDPCP                                    <==========
                      IP: Local 10.0.0.2/30, remote 10.0.0.1
                      Counts: 5294 packets input, 92680 bytes, 0 no buffer
                              0 input errors, 0 CRC, 0 frame, 0 overrun
                              5303 packets output, 92671 bytes, 0 underruns
                              0 output errors, 0 collisions, 224 interface resets

                     

                    Regards Conwyn

                    • 7. Re: PAP or CHAP
                      Brandon Carroll - CCIE (Security)

                      No, I saw it.  I was just saying: to see it negotiate live you could use the debug, but in production I recommend against it.

                       

                      Regards,

                      Brandon

                      • 8. Re: PAP or CHAP
                        Vadood

                        Thank you for your response.

                         

                        Actually, I am using Packet Tracer to simulate the link, and it seems that Packet Tracer does not support the show caller command.

                         

                         

                        Burke#show caller
                                    ^
                        % Invalid input detected at '^' marker.
                           
                        Burke#

                         

                        Or maybe I am making a mistake?

                        • 9. Re: PAP or CHAP
                          Scott Morris - CCDE/4xCCIE/2xJNCIE

                          Resetting live links to run a debug isn't always the best idea! 

                           

                          The nice part about "show caller" is that you get the results seen even after the process takes place.

                           

                          If there are problems though, I'd definitely agree that the debug is the best way to see what IS (or is not) happening.

                           

                          Scott

                          • 10. Re: PAP or CHAP
                            zahid3963

                            Usually it is shown when the serial interface is configured as "ppp authentication CHAP PAP". And also, if both are configured on both side routers, then CHAP is preferred to authenticate. If you want only one, then configure the interface as "ppp authentication PAP" or CHAP, whichever one you want. But then you have to configure the same on the other end of the router as well.

                            • 11. Re: PAP or CHAP
                              Conwyn

                              Hi Zahid

                               

                              The question was:-

                               

                              How can I figure out which of these protocols is currently in use?

                               

                              Regards Conwyn

                              • 12. Re: PAP or CHAP
                                Isaac

                                Hello to you all

                                 

                                I am sorry to reply to such an old thread, but I am still not able to see the results of this command:

                                 

                                If you have configured "ppp authentication pap chap", would pap be the authentication used first, and if it fails, would chap be the authentication to use afterwards?

                                 

                                What is the main purpose of using both kinds of auth on the same interface?

                                 

                                Hope you have two secs to answer this

                                 

                                Best

                                 

                                Isaac

                                • 13. Re: PAP or CHAP
                                  Isaac

                                  Any input on this one?

                                   

                                  What exactly does the command ppp auth chap pap do?

                                   

                                  (Will be more than happy with just one link to cisco.com)

                                  • 14. Re: PAP or CHAP
                                    Paul Stewart  -  CCIE Security

                                    If you control both ends, you wouldn't normally do this. If you wanted either method to work, you could do this. In the unique case that both ends are configured this way, I think pap is used because it is listed first. If you had one end set to "pap chap" and the other end set to "chap pap", I think it would depend on which end initiates that phase of the connection. Now bear in mind, I haven't specifically labbed that up to confirm my suspicions, but I think that is how it is *supposed* to work.
